A little bit of explanation on Kerberos and Impacket
In this post, I would like to share my knowledge and skills about Kerberos, which we will take advantage of using the Impacket scripts.
For those who are not familiar with Kerberos, it’s a protocol that authenticates service requests between trusted hosts across an untrusted network such as the internet. Microsoft has used the Kerberos protocol as its default authentication method since Windows 2000, and it is built into the Windows operating system.
As we know, Kerberos tools are normally used on the Windows operating system. In this post, however, I will demonstrate using the Impacket scripts, which can be found over here.
Alternatively, we can install Impacket on our machine by using the command
python3 -m pip install impacket
Screenshot Resource for the Demonstration
The screenshot above was taken from the Scrambled machine, which runs the Windows operating system and can be found over here. For those who don’t know about the Scrambled machine, it’s a retired machine that can be played on the HackTheBox platform.
Enumerate the Scrambled machine using impacket tool
Before we execute the SMBClient service on the machine, let’s create a ticket by using impacket-getTGT.
We managed to access it via the SMBClient service.
I managed to spot a PDF file called Network Security Changes.
As a result, let’s grab the file onto our attacker’s machine.
Nothing looks interesting in the PDF file.
Let’s find the password and crack it using John the Ripper, which will provide the password as Pegasus60.
Let’s execute secretsdump on the machine by using the command above.
Therefore, let’s create another ticket, but we need to find an NT hash first.
Once the ticket has been created, it will be saved to Administrator.ccache.
We can also execute mssqlclient so that we can enumerate even deeper.