I've been working on a way to get MS Kerberos v5 hashes via the Browser protocol automatically with no user interaction on a given network.
Often you see these requests in Wireshark on an internal penetration test:
So I came up with a tool that automates the Kerberos connection for these:
Which shows up like this in Wireshark:
Here's how the attack works:
1) Poison an NBT-NS lookup on the domain controller service, wait for a SamLogonRequest, answer with a LogonSAMUserUnknownEX then wait for a LogonPrimaryQuery and answer with a LogonSAMUserUnknownEX.
2) Set up an SMB server which responds to a NegotiateProtocolRequest with the supported mech list set as Kerberos:
and wait for the Kerberos AS-REQ on UDP 88.
Responder will then take care of the hash parsing and formatting:
And will make it ready for hashcat (-m 7500):
This will be included in the next release of Responder (https://github.com/Spiderlabs/Responder).
Game over MSKerberosV5.
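On the detection side, the two steps above leave a recognisable trace: a client sends a Kerberos AS-REQ on UDP 88 to a host that is not a domain controller, shortly after that same host answered its NBT-NS lookup. The following is an added example, not code from this post or from Responder; the flow-log format, the domain controller list and the 60-second window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumptions (not from the original post): the set of real domain
# controllers and a simplified "time src dst proto port service" flow log.
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
WINDOW = timedelta(seconds=60)

# Constructed sample flow records, not captured traffic.
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.0.0.50 10.0.0.10 udp 88 krb-as-req
2024-01-01T09:00:05 10.0.0.66 10.0.0.50 udp 137 nbns-response
2024-01-01T09:00:07 10.0.0.50 10.0.0.66 tcp 445 smb-negotiate
2024-01-01T09:00:09 10.0.0.50 10.0.0.66 udp 88 krb-as-req
2024-01-01T09:05:00 10.0.0.51 10.0.0.77 udp 88 krb-as-req
"""

def parse(line):
    ts, src, dst, proto, port, service = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(port), service

def detect(flow_text, dcs=DOMAIN_CONTROLLERS, window=WINDOW):
    """Return (severity, client, suspect_host, reason) tuples."""
    answered = {}  # (client, responder) -> time of last NBT-NS answer
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, service = parse(line)
        if service == "nbns-response" and src not in dcs:
            # Hosts legitimately answer for their own names, so this is
            # only remembered for correlation, not alerted on by itself.
            answered[(dst, src)] = ts
        elif proto == "udp" and port == 88 and dst not in dcs:
            # Kerberos AS-REQ should only ever go to a domain controller.
            seen = answered.get((src, dst))
            if seen is not None and ts - seen <= window:
                alerts.append(("high", src, dst,
                               "AS-REQ to host that just answered NBT-NS"))
            else:
                alerts.append(("medium", src, dst, "AS-REQ to non-DC host"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(*alert, sep=" | ")
```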
What exactly is a Kerberos V5 Hash?