4 releases
| Version | Date |
|---|---|
| 0.1.3 | Jul 9, 2024 |
| 0.1.2 | Jun 27, 2024 |
| 0.0.22 | |
#948 in Authentication · 400 downloads per month · 160KB · 4K SLoC
____ _ _ _ _
/ ___|___ _ __| |__ ___ _ __ ___ | (_) |__
| | / _ \ '__| '_ \ / _ \ '__/ _ \ _____| | | '_ \
| |__| __/ | | |_) | __/ | | (_) |_____| | | |_) |
\____\___|_| |_.__/ \___|_| \___/ |_|_|_.__/
Library to perform several tasks related to the Kerberos protocol in an Active Directory pentest.
This repo was cloned from https://gitlab.com/Zer1i0/cerbero and has been converted into a library format. I intend to add more features/clean up the code further -- view the TODO section below.
Installation
To use this library in your project you can add it via cargo add:
cargo add cerbero-lib
Functions
Ask
The ask function allows retrieval of Kerberos tickets (TGT/TGS) from the KDC
(the Domain Controller in an Active Directory environment). It can also
perform requests to obtain tickets by using the S4U2Self and S4U2Proxy
Kerberos extensions.
(View the ask example here)
AsRepRoast
The asreproast function can be used to discover users that do not require
pre-authentication and retrieve a ticket to crack with hashcat or john.
(View the asreproast example here)
Brute
The brute function performs TGT requests in order to discover user credentials
based on the KDC response. This bruteforce technique allows you to discover:
- Valid username/password pairs
- Valid usernames
- Expired passwords
- Blocked or disabled users
This attack should be performed carefully, since many incorrect authentication attempts for the same user can lock the account.
(View the brute example here)
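The lockout risk described above is also what a defender watches for: a single source producing pre-authentication failures for many different accounts in a short window. The following is an added example, not code from cerbero-lib, that parses a constructed log format (loosely modelled on Windows Security event 4771, "Kerberos pre-authentication failed") and flags such sources. The line format, the sample lines and the threshold values are assumptions made for this example; the KDC error codes are the RFC 4120 values that correspond to the four outcomes listed above.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One pre-authentication failure. The line format is constructed for this
/// example and is not a real log format:
///   "<unix_ts> 4771 ip=<source> user=<account> status=<hex KDC error code>"
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PreauthFailure { pub ts: u64, pub ip: String, pub user: String, pub status: u32 }

// RFC 4120 KDC error codes matching the outcomes the brute technique observes.
pub const KDC_ERR_C_PRINCIPAL_UNKNOWN: u32 = 0x06; // unknown username
pub const KDC_ERR_CLIENT_REVOKED: u32 = 0x12;      // blocked or disabled account
pub const KDC_ERR_KEY_EXPIRED: u32 = 0x17;         // expired password
pub const KDC_ERR_PREAUTH_FAILED: u32 = 0x18;      // valid user, wrong password

/// Constructed sample log: one source hitting eight accounts in eight seconds,
/// one unrelated single failure, and one malformed line that must be skipped.
pub const SAMPLE_LOG: &str = "\
1000 4771 ip=10.0.0.5 user=alice status=0x18
1001 4771 ip=10.0.0.5 user=bob status=0x18
1002 4771 ip=10.0.0.5 user=carol status=0x6
1003 4771 ip=10.0.0.5 user=dave status=0x18
1004 4771 ip=10.0.0.5 user=erin status=0x6
1005 4771 ip=10.0.0.5 user=frank status=0x18
1006 4771 ip=10.0.0.5 user=grace status=0x12
1007 4771 ip=10.0.0.5 user=heidi status=0x18
1400 4771 ip=10.0.0.9 user=alice status=0x18
this line is not an event and is ignored
";

/// Parse one line; returns None for anything that is not a well-formed 4771 record.
pub fn parse_line(line: &str) -> Option<PreauthFailure> {
    let mut parts = line.split_whitespace();
    let ts = parts.next()?.parse().ok()?;
    if parts.next()? != "4771" { return None; }
    let (mut ip, mut user, mut status) = (None, None, None);
    for kv in parts {
        match kv.split_once('=')? {
            ("ip", v) => ip = Some(v.to_string()),
            ("user", v) => user = Some(v.to_string()),
            ("status", v) => status = u32::from_str_radix(v.trim_start_matches("0x"), 16).ok(),
            _ => {}
        }
    }
    Some(PreauthFailure { ts, ip: ip?, user: user?, status: status? })
}

pub fn parse_log(text: &str) -> Vec<PreauthFailure> {
    text.lines().filter_map(parse_line).collect()
}

#[derive(Debug, PartialEq, Eq)]
pub struct Alert {
    pub ip: String, pub failures: usize, pub distinct_users: usize,
    pub unknown_users: usize, pub lockouts: usize,
}

/// Flag sources that produce more than `max_failures` failures against at least
/// `min_users` distinct accounts inside any `window_secs` sliding window.
pub fn detect_bruteforce(events: &[PreauthFailure], window_secs: u64,
                         max_failures: usize, min_users: usize) -> Vec<Alert> {
    let mut by_ip: BTreeMap<&str, Vec<&PreauthFailure>> = BTreeMap::new();
    for e in events { by_ip.entry(e.ip.as_str()).or_default().push(e); }
    let mut alerts = Vec::new();
    for (ip, mut evs) in by_ip {
        evs.sort_by_key(|e| e.ts);
        // Densest window for this source, as an inclusive (start, end) index pair.
        let mut best: Option<(usize, usize)> = None;
        let mut start = 0;
        for end in 0..evs.len() {
            while evs[end].ts - evs[start].ts > window_secs { start += 1; }
            if best.map_or(true, |(s, e)| end - start > e - s) { best = Some((start, end)); }
        }
        let window = match best { Some((s, e)) => &evs[s..=e], None => continue };
        let users: BTreeSet<&str> = window.iter().map(|x| x.user.as_str()).collect();
        if window.len() > max_failures && users.len() >= min_users {
            alerts.push(Alert {
                ip: ip.to_string(), failures: window.len(), distinct_users: users.len(),
                unknown_users: window.iter().filter(|x| x.status == KDC_ERR_C_PRINCIPAL_UNKNOWN).count(),
                lockouts: window.iter().filter(|x| x.status == KDC_ERR_CLIENT_REVOKED).count(),
            });
        }
    }
    alerts
}

fn main() {
    let events = parse_log(SAMPLE_LOG);
    for a in detect_bruteforce(&events, 60, 5, 3) { println!("{a:?}"); }
}
```

Counting distinct accounts rather than raw failures is what separates a spray from one user mistyping a password; the per-status counters make it obvious when the activity is also probing for unknown accounts or has started to trip lockouts.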
Convert
The convert function will convert ticket files between krb (Windows)
and ccache (Linux) formats.
(View the convert example here)
Craft
The craft function allows for the crafting of golden and silver tickets.
(View the craft example here)
Hash
The hash module contains functions that calculate the Kerberos keys (password hashes) from the user password.
(View the hash example here)
Kerberoast
The kerberoast function can be used to retrieve a (potentially crackable) password hash
for an account with an SPN set.
To format the encrypted part of the tickets so that they can be cracked by hashcat or john, you need to provide a file with the user services. Each line of the file must have one of the following formats:
user
domain/user
user:spn
domain/user:spn
When a service SPN is not specified, an NT-ENTERPRISE principal is used. This can also be useful to bruteforce users with services.
(View the kerberoast example here)
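As an added example, not code from cerbero-lib, the following parses the per-line user/service format described above into a small struct, so that the four accepted shapes and the NT-ENTERPRISE fallback are explicit. The struct and function names are assumptions; the sample lines are constructed.

```rust
/// One entry of the user-services file. Names are assumptions for this example.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UserService {
    pub domain: Option<String>,
    pub user: String,
    pub spn: Option<String>,
}

impl UserService {
    /// True when no SPN was given, i.e. the request falls back to an
    /// NT-ENTERPRISE principal, as the README states.
    pub fn uses_nt_enterprise(&self) -> bool {
        self.spn.is_none()
    }
}

/// Parse one line. Accepted shapes:
///   user
///   domain/user
///   user:spn
///   domain/user:spn
pub fn parse_user_service(line: &str) -> Result<UserService, String> {
    let line = line.trim();
    if line.is_empty() {
        return Err("empty line".to_string());
    }
    // Split off the SPN at the first ':' before looking for '/': an SPN may
    // itself contain '/' and ':' (service/host:port), so it must not be split further.
    let (principal, spn) = match line.split_once(':') {
        Some((p, s)) => (p, Some(s)),
        None => (line, None),
    };
    let (domain, user) = match principal.split_once('/') {
        Some((d, u)) => (Some(d), u),
        None => (None, principal),
    };
    if user.is_empty() {
        return Err(format!("missing user in {line:?}"));
    }
    if matches!(domain, Some(d) if d.is_empty()) {
        return Err(format!("empty domain in {line:?}"));
    }
    if matches!(spn, Some(s) if s.is_empty()) {
        return Err(format!("empty SPN in {line:?}"));
    }
    Ok(UserService {
        domain: domain.map(str::to_string),
        user: user.to_string(),
        spn: spn.map(str::to_string),
    })
}

/// Parse a whole file body. Blank lines and lines starting with '#' are
/// skipped (the comment syntax is an assumption of this example).
pub fn parse_user_services(text: &str) -> Result<Vec<UserService>, String> {
    text.lines()
        .filter(|l| !l.trim().is_empty() && !l.trim_start().starts_with('#'))
        .map(parse_user_service)
        .collect()
}

fn main() {
    // Constructed sample input covering all four shapes.
    let sample = "alice\n\
                  contoso.local/bob\n\
                  svc_sql:MSSQLSvc/db01.contoso.local:1433\n\
                  contoso.local/svc_web:HTTP/web01.contoso.local\n";
    for entry in parse_user_services(sample).expect("valid sample") {
        println!("{entry:?} nt_enterprise={}", entry.uses_nt_enterprise());
    }
}
```

Splitting on the first ':' before the first '/' is the design choice that matters: SPNs such as MSSQLSvc/db01.contoso.local:1433 contain both characters, and splitting in the other order would mangle them.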
TODO
> [!NOTE]
> - Clean up the code, clippy thinks there are too many args to some functions + large Result types
> - Remove some of the allows inside of lib.rs
> - Improve documentation significantly, including README and the examples directory
> - Add SID lookup module and improve the functions that require them
> - Implement proper ticket dumping via LSA for the WindowsVault
Credits
This work is based on the great work of other people:
- Impacket of Alberto Solino @agsolino
- Rubeus of Will @harmj0y and Elad Shamir @elad_shamir
- Mimikatz of @gentilkiwi
- Cerbero of Eloy @zer1i0
Dependencies: ~12–53MB, ~775K SLoC