cerbero-lib
| Crates.io | cerbero-lib |
| lib.rs | cerbero-lib |
| version | 0.1.3 |
| source | src |
| created_at | 2024-06-14 18:53:19.519002 |
| updated_at | 2024-07-09 20:29:24.24846 |
| description | Kerberos protocol attacker library |
| homepage | |
| repository | https://github.com/NukingDragons/cerbero-lib |
| max_upload_size | |
| id | 1272281 |
| size | 192,709 |
Sabrina Andersen (NukingDragons)
documentation
README
____ _ _ _ _
/ ___|___ _ __| |__ ___ _ __ ___ | (_) |__
| | / _ \ '__| '_ \ / _ \ '__/ _ \ _____| | | '_ \
| |__| __/ | | |_) | __/ | | (_) |_____| | | |_) |
\____\___|_| |_.__/ \___|_| \___/ |_|_|_.__/
Library to perform several tasks related with the Kerberos protocol in an Active Directory pentest.
This repo was cloned from https://gitlab.com/Zer1i0/cerbero and has been converted into a library format. I intend to add more features/clean up the code further -- view the TODO section below.
Table of Contents
Installation
To use this library in your project you can add it via cargo add:
cargo add cerbero-lib
Functions
Ask
The ask function allows retrieval of Kerberos tickets (TGT/TGS) from the KDC
(Domain Controller in Active Directory environment). Moreover, it also
perform requests to obtain tickets by using the S4U2Self and S4U2Proxy
Kerberos extensions.
(View the ask example here)
AsRepRoast
The asreproast function can be used to discover users that do not require
pre-authentication and retrieve a ticket to crack with hashcat or john.
(View the asreproast example here)
Brute
The brute function performs TGT requests in order to discover user credentials
based on the KDC response. This bruteforce technique allows you to discover:
- Valid username/password pairs
- Valid usernames
- Expired passwords
- Blocked or disabled users
This attack should be performed carefully since can block user accounts in case of perform many incorrect authentication attemps for the same user.
(View the brute example here)
Convert
The convert function will convert ticket files between krb (Windows)
and ccache (Linux) formats.
(View the convert example here)
Craft
The craft function allows for the crafting of golden and silver tickets.
(View the craft example here)
Hash
The hash module contains functions that calculate the Kerberos keys (password hashes) from the user password.
(View the hash example here)
Kerberoast
The kerberoast function can be used to retrieve a (potentially crackable) password hash
for an account with an SPN set.
To format encrypted part of tickets in order to be cracked by hashcat or john, you need to provide a file with the user services. Each line of the file must have one of the following formats:
userdomain/useruser:spndomain/user:spn
When a service SPN is not specified, then a NT-ENTERPRISE principal is used. This can also be useful to bruteforce users with services.
(View the kerberoast example here)
TODO
[!note]
- Clean up the code, clippy thinks there are too many args to some functions + large Result types
- Remove some of the allows inside of lib.rs
- Improve documentation significantly, including README and the examples directory
- Add SID lookup module and improve the functions that require them
- Implement proper ticket dumping via LSA for the WindowsVault
Credits
This work is based on great work of other people:
- Impacket of Alberto Solino @agsolino
- Rubeus of Will @harmj0y and Elad Shamir @elad_shamir
- Mimikatz of @gentilkiwi
- Cerbero of Eloy @zer1i0