Impacket Deep Dives Vol. 2: Attacking Kerberos

Cerberus: the 3-headed guard of the underworld in Greek myth

Overview

Lab Setup

Attack I: ASREP Roasting

Theory

Exploitation

ASREP Roasting the users on our wordlist
Cracking the ASREP Roasted Users’ passwords

Attack II: Kerberoasting

Attack III: Golden Ticket

Forging a Golden Ticket

Finding the NTHash for the krbtgt account
Finding the domain SID
Forging a golden ticket for the domain administrator “brock”

Using a Golden Ticket

Converting a .kirbi file into a .ccache file
Setting the KRB5CCNAME environment variable for Impacket
Using a golden ticket

Attack IV: Silver Ticket

Footnote: Attack V: Abusing Unconstrained Delegation

Theory

Exploitation

Conclusion

Student, hacker, OSCP. My other computer is your computer.