Kerberos

https://www.roguelynn.com/words/explain-like-im-5-kerberos/
https://vbscrub.com/2020/05/13/kerberos-protocol-explained/
https://www.tarlogic.com/en/blog/how-kerberos-works/
https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
https://www.tarlogic.com/en/blog/kerberos-iii-how-does-delegation-work/
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
https://habr.com/ru/company/tomhunter/blog/507140/
https://habr.com/ru/company/tomhunter/blog/509290/

{% embed url="https://youtu.be/qZPvgoUzCdI" %}

Synchronize Time

Using ntpdate:

$ sudo apt install ntpdate -y
$ sudo ntpdate <DC_IP>

Using faketime:

$ sudo apt install faketime -y
$ faketime '1970-01-01 00:00:00' /bin/date

Kerberos on Linux

Check KRB5CCNAME environment variable contents:

$ env | grep KRB5

Request TGT supplying password:

$ kinit
$ klist

List available SPNs:

$ ldapsearch -Y GSSAPI -H ldap://dc1.megacorp.local -D "Administrator@MEGACORP.LOCAL" -W -b "dc=megacorp,dc=local" "servicePrincipalName=*" servicePrincipalName

Request TGS for MSSQL service:

$ kvno MSSQLSvc/SRV01.megacorp.local:1433
$ klist

Re-using keytab files to load and renew a TGT:

$ kinit administrator@MEGACORP.LOCAL -k -t /tmp/administrator.keytab
$ klist
$ kinit -R

Re-using ccache files:

$ sudo chown snovvcrash:snovvcrash /tmp/krb5cc_31337
$ kdestroy
$ export KRB5CCACHE=/tmp/krb5cc_31337
$ klist

FreeIPA

A blog series by @n0pe_sled on attacking FreeIPA:

Building a FreeIPA Lab
Attacking FreeIPA — Part I Authentication
Attacking FreeIPA — Part II Enumeration
Attacking FreeIPA — Part III: Finding A Path
Attacking FreeIPA — Part IV: CVE-2020–10747

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Kerberos

Synchronize Time

Kerberos on Linux

FreeIPA

Files

README.md

Latest commit

History

README.md

File metadata and controls

Kerberos

Synchronize Time

Kerberos on Linux

FreeIPA