88tcp/udp - Pentesting Kerberos

Reading time: 6 minutes

Taarifa za Msingi

Kerberos inafanya kazi kwa kanuni inayothibitisha watumiaji bila kusimamia moja kwa moja ufikiaji wao wa rasilimali. Hii ni tofauti muhimu kwa sababu inaonyesha nafasi ya itifaki katika mifumo ya usalama.

Katika mazingira kama Active Directory, Kerberos ina jukumu muhimu katika kuthibitisha utambulisho wa watumiaji kwa kudhibitisha nywila zao za siri. Mchakato huu huhakikisha kuwa utambulisho wa kila mtumiaji unathibitishwa kabla ya kuingiliana na rasilimali za mtandao. Hata hivyo, Kerberos haigusi utendaji wake ili kutathmini au kutekeleza ruhusa ambazo mtumiaji ana kwa rasilimali au huduma maalum. Badala yake, inatoa njia salama ya kuthibitisha watumiaji, ambayo ni hatua muhimu ya kwanza katika mchakato wa usalama.

Baada ya uthibitisho na Kerberos, mchakato wa uamuzi kuhusu ufikiaji wa rasilimali unaachwa kwa huduma za mtu binafsi ndani ya mtandao. Huduma hizi ndizo zinazonajibika kutathmini haki na ruhusa za mtumiaji aliyethibitishwa, kwa msingi wa taarifa zilizotolewa na Kerberos kuhusu haki za mtumiaji. Muundo huu unaruhusu utofauti wa majukumu kati ya kuthibitisha utambulisho wa watumiaji na kusimamia haki zao za ufikiaji, na hivyo kuwezesha njia ya kusimamia rasilimali kuwa yenye kubadilika zaidi na salama katika mitandao iliyogatuliwa.

Bandari ya Chaguo-msingi: 88/tcp/udp

PORT   STATE SERVICE
88/tcp open  kerberos-sec

Ili kujifunza jinsi ya kutumia vibaya Kerberos unapaswa kusoma chapisho kuhusu Active Directory.

Mazingira yenye Kerberos pekee: maandalizi ya mteja na utatuzi wa matatizo

Wakati NTLM imezimwa kwenye huduma za domain (SMB/WinRM/n.k.), lazima uthibitike kwa Kerberos. Mambo ya kuzingatia na mtiririko wa kazi unaofanya kazi:

• Ulinganifu wa saa ni wa lazima. Ikiwa saa ya mwenyeji wako imepishana kwa zaidi ya dakika chache utaona KRB_AP_ERR_SKEW na uthibitisho wote wa Kerberos utashindwa. Linganisha dhidi ya DC:

# quick one-shot sync (requires sudo)
sudo ntpdate <dc.fqdn> || sudo chronyd -q 'server <dc.fqdn> iburst'

• Tengeneza krb5.conf halali kwa realm/domain lengwa. netexec (CME fork) inaweza kutoa moja kwa ajili yako wakati wa kujaribu SMB:

# Generate krb5.conf and install it
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf

• Pata TGT na uhakikishe ccache:

kinit <user>
klist

• Tumia Kerberos na zana za SMB (hakuna nywila zinatumwa, inatumia ccache yako):

# netexec / CME
netexec smb <dc.fqdn> -k            # lists shares, runs modules using Kerberos
# impacket examples also support -k / --no-pass to use the ccache
smbclient --kerberos //<dc.fqdn>/IPC$

• GSSAPI SSH kuingia mara moja (OpenSSH kwa Windows OpenSSH server):

# Ensure krb5.conf is correct and you have a TGT (kinit)
# Use the FQDN that matches the host SPN. Wrong names cause: "Server not found in Kerberos database"
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>

Tips:

• Hakikisha /etc/hosts inatambua (resolves) FQDN kamili utakayofikia kwa SSH/SMB, na kwamba iko kabla ya rekodi za domain zisizo na jina la host (bare domain entries) ikiwa unabadilisha DNS. SPN mismatches husababisha GSSAPI kuvunjika.
• Ikiwa NTLM imezimwa kwenye SMB unaweza kuona STATUS_NOT_SUPPORTED wakati wa majaribio ya NTLM; ongeza -k kulazimisha Kerberos.

Zaidi

Shodan

• port:88 kerberos

MS14-068

Hitilafu ya MS14-068 inamruhusu mdhambi kuharibu tokeni ya kuingia ya Kerberos ya mtumiaji halali ili kudai kwa udanganyifu vibali vya juu, kama vile kuwa Domain Admin. Dai hili bandia linathibitishwa kwa makosa na Domain Controller, ikiruhusu upatikanaji usioidhinishwa wa rasilimali za mtandao katika msitu wa Active Directory.

Kerberos Vulnerability in MS14-068 (KB3011780) Explained – Active Directory & Azure AD/Entra ID Security

Other exploits: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek

Marejeo

• NetExec (CME) wiki – Kerberos and krb5.conf generation
• OpenSSH GSSAPIAuthentication
• MIT Kerberos – Using Kerberos on UNIX
• 0xdf – HTB: TheFrizz

Amri za Kiotomatiki za HackTricks

Protocol_Name: Kerberos    #Protocol Abbreviation if there is one.
Port_Number:  88   #Comma separated if there is more than one.
Protocol_Description: AD Domain Authentication         #Protocol Abbreviation Spelled out

Entry_1:
Name: Notes
Description: Notes for Kerberos
Note: |
Kerberos operates on a principle where it authenticates users without directly managing their access to resources. This is an important distinction because it underlines the protocol's role in security frameworks.
In environments like **Active Directory**, Kerberos is instrumental in establishing the identity of users by validating their secret passwords. This process ensures that each user's identity is confirmed before they interact with network resources. However, Kerberos does not extend its functionality to evaluate or enforce the permissions a user has over specific resources or services. Instead, it provides a secure way of authenticating users, which is a critical first step in the security process.

https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-kerberos-88/index.html

Entry_2:
Name: Pre-Creds
Description: Brute Force to get Usernames
Command: nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} {IP}

Entry_3:
Name: With Usernames
Description: Brute Force with Usernames and Passwords
Note: consider git clone https://github.com/ropnop/kerbrute.git ./kerbrute -h

Entry_4:
Name: With Creds
Description: Attempt to get a list of user service principal names
Command: GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs