Crate cerbero_lib

cerbero-lib

  ____          _                          _ _ _
 / ___|___ _ __| |__   ___ _ __ ___       | (_) |__
| |   / _ \ '__| '_ \ / _ \ '__/ _ \ _____| | | '_ \
| |__|  __/ |  | |_) |  __/ | | (_) |_____| | | |_) |
 \____\___|_|  |_.__/ \___|_|  \___/      |_|_|_.__/

Library to perform several tasks related with the Kerberos protocol in an Active Directory pentest.

This repo was cloned from https://gitlab.com/Zer1i0/cerbero and has been converted into a library format. I intend to add more features/clean up the code further – view the TODO section in the associated github.

Table of Contents

1. Installation
2. Functions
   • ask
   • asreproast
   • brute
   • convert
   • craft
   • hash
   • kerberoast
3. TODO
4. Credits

---

Installation

To use this library in your project you can add it via cargo add:

cargo add cerbero-lib

Functions

Ask

The ask function allows retrieval of Kerberos tickets (TGT/TGS) from the KDC (Domain Controller in Active Directory environment). Moreover, it also perform requests to obtain tickets by using the S4U2Self and S4U2Proxy Kerberos extensions.

(View the ask example here)

AsRepRoast

The asreproast function can be used to discover users that do not require pre-authentication and retrieve a ticket to crack with hashcat or john.

(View the asreproast example here)

Brute

The brute function performs TGT requests in order to discover user credentials based on the KDC response. This bruteforce technique allows you to discover:

• Valid username/password pairs
• Valid usernames
• Expired passwords
• Blocked or disabled users

This attack should be performed carefully since can block user accounts in case of perform many incorrect authentication attemps for the same user.

(View the brute example here)

Convert

The convert function will convert ticket files between krb (Windows) and ccache (Linux) formats.

(View the convert example here)

Craft

The craft function allows for the crafting of golden and silver tickets.

(View the craft example here)

Hash

The hash module contains functions that calculate the Kerberos keys (password hashes) from the user password.

(View the hash example here)

Kerberoast

The kerberoast function can be used to retrieve a (potentially crackable) password hash for an account with an SPN set.

To format encrypted part of tickets in order to be cracked by hashcat or john, you need to provide a file with the user services. Each line of the file must have one of the following formats:

• user
• domain/user
• user:spn
• domain/user:spn

When a service SPN is not specified, then a NT-ENTERPRISE principal is used. This can also be useful to bruteforce users with services.

(View the kerberoast example here)

Credits

This work is based on great work of other people:

• Impacket of Alberto Solino @agsolino
• Rubeus of Will @harmj0y and Elad Shamir @elad_shamir
• Mimikatz of @gentilkiwi
• Cerbero of Eloy @zer1i0

Modules

hash

Utilities for creating NT hashes and Kerberos keys

stringifier

Utilities for converting various things in this crate into strings

Structs

BufVault

Vault that exists entirely in memory, for when you can’t or don’t want to touch disk

EmptyVault

Reference for implementing the Vault trait

FileVault

Vault containing kerberos tickets using ccache/krb files as the backend

KdcComm

Struct to package the KDC’s and the protocol to communicate with them

Kdcs

Struct to package KDC’s

KrbUser

Struct to package the user identity with name and domain

Ticket

(Ticket) Represents a Kerberos ticket.

TicketCred

Struct to store a ticket and the related user info, like the session key.

TicketCreds

Struct to store a vector of TicketCred with additional functionality

WindowsVault

Vault that interacts directly with LSA, tickets in this vault are accessible for the entire logon session

Enums

BruteResult

Holds the possible results when running the brute function

CrackFormat

Available output formats for crackable hashes

CredFormat

The file formats for tickets (KRB/CCache)

EncryptionType

Valid encryption algorithms that can be sent to the server

Error

Key

Encapsules the possible keys used by this Kerberos implementation. Each key can be used by a different cryptographic algorithm.

TransportProtocol

Transport protocols available to send Kerberos messages

Traits

KrbChannel

Trait implemented by classes which deliver Kerberos messages

Vault

Trait that implements the storage of tickets

Functions

ask

Asks the KDC to craft Kerberos tickets (TGT/TGS) from the KDC (Domain Controller in Active Directory environment)

asreproast

AS-REP Roasting can be used to discover users that do not require pre-authentication

brute

Perform TGT requests in order to discover user credentials based on the KDC response

convert

Convert tickets between krb (Windows) and ccache (Linux) formats

craft

Crafts gold and silver tickets

kerberoast

To format encrypted part of tickets in order to be cracked by hashcat or john

Type Aliases

Result