4 releases

0.1.3 Jul 9, 2024
0.1.2 Jun 27, 2024
0.0.22 Jun 26, 2024

#453 in Authentication

AGPL-3.0

160KB
4K SLoC

  ____          _                          _ _ _
 / ___|___ _ __| |__   ___ _ __ ___       | (_) |__
| |   / _ \ '__| '_ \ / _ \ '__/ _ \ _____| | | '_ \
| |__|  __/ |  | |_) |  __/ | | (_) |_____| | | |_) |
 \____\___|_|  |_.__/ \___|_|  \___/      |_|_|_.__/

Crates.io docs.rs Language Rust

Library to perform several tasks related with the Kerberos protocol in an Active Directory pentest.

This repo was cloned from https://gitlab.com/Zer1i0/cerbero and has been converted into a library format. I intend to add more features/clean up the code further -- view the TODO section below.

Table of Contents

  1. Installation
  2. Functions
  3. TODO
  4. Credits

Installation

To use this library in your project you can add it via cargo add:

cargo add cerbero-lib

Functions

Ask

The ask function allows retrieval of Kerberos tickets (TGT/TGS) from the KDC (Domain Controller in Active Directory environment). Moreover, it also perform requests to obtain tickets by using the S4U2Self and S4U2Proxy Kerberos extensions.

(View the ask example here)

AsRepRoast

The asreproast function can be used to discover users that do not require pre-authentication and retrieve a ticket to crack with hashcat or john.

(View the asreproast example here)

Brute

The brute function performs TGT requests in order to discover user credentials based on the KDC response. This bruteforce technique allows you to discover:

  • Valid username/password pairs
  • Valid usernames
  • Expired passwords
  • Blocked or disabled users

This attack should be performed carefully since can block user accounts in case of perform many incorrect authentication attemps for the same user.

(View the brute example here)

Convert

The convert function will convert ticket files between krb (Windows) and ccache (Linux) formats.

(View the convert example here)

Craft

The craft function allows for the crafting of golden and silver tickets.

(View the craft example here)

Hash

The hash module contains functions that calculate the Kerberos keys (password hashes) from the user password.

(View the hash example here)

Kerberoast

The kerberoast function can be used to retrieve a (potentially crackable) password hash for an account with an SPN set.

To format encrypted part of tickets in order to be cracked by hashcat or john, you need to provide a file with the user services. Each line of the file must have one of the following formats:

  • user
  • domain/user
  • user:spn
  • domain/user:spn

When a service SPN is not specified, then a NT-ENTERPRISE principal is used. This can also be useful to bruteforce users with services.

(View the kerberoast example here)

TODO

[!note]

  • Clean up the code, clippy thinks there are too many args to some functions + large Result types
  • Remove some of the allows inside of lib.rs
  • Improve documentation significantly, including README and the examples directory
  • Add SID lookup module and improve the functions that require them
  • Implement proper ticket dumping via LSA for the WindowsVault

Credits

This work is based on great work of other people:

Dependencies

~13–52MB
~853K SLoC