88tcp/udp - Pentesting Kerberos

Support HackTricks

Basic Information

Kerberos 的运作原则是通过不直接管理用户对资源的访问来进行身份验证。这是一个重要的区别,因为它强调了该协议在安全框架中的作用。

Active Directory 等环境中,Kerberos 在通过验证用户的秘密密码来建立用户身份方面发挥着重要作用。这个过程确保在用户与网络资源交互之前确认每个用户的身份。然而,Kerberos 并不扩展其功能来评估或强制执行用户对特定资源或服务的权限。相反,它提供了一种安全的用户身份验证方式,这是安全过程中的关键第一步。

Kerberos 进行身份验证后,关于资源访问的决策过程被委托给网络中的各个服务。这些服务负责根据 Kerberos 提供的用户权限信息来评估经过身份验证的用户的权利和权限。这种设计允许在验证用户身份和管理其访问权限之间进行关注点分离,从而在分布式网络中实现更灵活和安全的资源管理方法。

默认端口: 88/tcp/udp

PORT   STATE SERVICE
88/tcp open  kerberos-sec

要学习如何滥用 Kerberos,您应该阅读关于 Active Directory的文章。

更多

Shodan

  • port:88 kerberos

MS14-068

MS14-068 漏洞允许攻击者篡改合法用户的 Kerberos 登录令牌,以虚假声称提升权限,例如成为域管理员。此虚假声明被域控制器错误地验证,从而使未经授权的访问 Active Directory 林中的网络资源成为可能。

其他漏洞利用: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek

HackTricks 自动命令

Protocol_Name: Kerberos    #Protocol Abbreviation if there is one.
Port_Number:  88   #Comma separated if there is more than one.
Protocol_Description: AD Domain Authentication         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for Kerberos
Note: |
Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.
In environments like **Active Directory**, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.

https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88

Entry_2:
Name: Pre-Creds
Description: Brute Force to get Usernames
Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP}

Entry_3:
Name: With Usernames
Description: Brute Force with Usernames and Passwords
Note: consider git clone https://github.com/ropnop/kerbrute.git ./kerbrute -h

Entry_4:
Name: With Creds
Description: Attempt to get a list of user service principal names
Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs
支持 HackTricks

Last updated