Kerbeus-BOF: Beacon Object Files for Kerberos abuse

Kerberos abuse

Kerbeus-BOF

Beacon Object Files for Kerberos abuse. This is an implementation of some important features of the Rubeus project, written in C. The project features integration with the C2 frameworks Cobalt Strike and Havoc.

Download

git clone https://github.com/RalfHacker/Kerbeus-BOF.git

Use

Ticket requests and renewals

asktgt

The asktgt action will build raw AS-REQ (TGT request) traffic for the specified user and encryption key (/rc4 or /aes256). A /password flag can also be used instead of a hash – in this case /enctype:X will default to RC4. If no /domain is specified, the computer’s current domain is extracted, and if no /dc is specified the same is done for the system’s current domain controller. If authentication is successful, the resulting AS-REP is parsed and the KRB-CRED (a .kirbi, which includes the user’s TGT) is output as a base64 blob. The /ptt flag will “pass-the-ticket” and apply the resulting Kerberos credential to the current logon session. Also, another opsec note: only one TGT can be applied at a time to the current logon session, so the previous TGT is wiped when the new ticket is applied when using the /ptt option.

To form AS-REQ’s more inline with genuine requests, the /opsec flag can be used, this will send an initial AS-REQ without pre-authentication first, if this succeeds, the resulting AS-REP is decrypted and TGT return, otherwise an AS-REQ with pre-authentication is then sent.

Requesting a TGT without a PAC can be done using the /nopac switch. The /nopreauth flag can be used to send an AS-REQ without pre-authentication.

krb_asktgt /user:USER /password:PASSWORD [/domain:DOMAIN] [/dc:DC] [/enctype:{rc4|aes256}] [/ptt] [/nopac] [/opsec]
krb_asktgt /user:USER /aes256:HASH [/domain:DOMAIN] [/dc:DC] [/ptt] [/nopac] [/opsec]
krb_asktgt /user:USER /rc4:HASH [/domain:DOMAIN] [/dc:DC] [/ptt] [/nopac]
krb_asktgt /user:USER /nopreauth [/domain:DOMAIN] [/dc:DC] [/ptt]

asktgs

The asktgs action will build/parse a raw TGS-REQ/TGS-REP service ticket request using the specified TGT /ticket:X supplied. This value must be a base64 encoding of a .kirbi file. If a /dc is not specified, the computer’s current domain controller is extracted and used as the destination for the request traffic. The /ptt flag will “pass-the-ticket” and apply the resulting service ticket to the current logon session. One or more /service:X SPNs must be specified, comma separated.

The supported encryption types in the constructed TGS-REQ will be RC4_HMAC and AES256_CTS_HMAC_SHA1. In this case, the highest mutually supported encryption will be used by the KDC to build the returned service ticket. If you want to force RC4 or AES256 keys, use /enctype:[rc4 or aes256].

To form TGS-REQ’s more inline with genuine requests, the /opsec flag can be used, this will also cause an additional TGS-REQ to be sent automatically when a service ticket is requested for an account configured for unconstrained delegation.

The /u2u flag was implemented to request User-to-User tickets. Together with the /tgs:X argument (used to supply the target accounts TGT), the /service:X argument can be the username of the account the supplied TGT is for (with the /tgs:X argument). The /targetuser:X argument will request a PAC of any other account by inserting a PA-FOR-USER PA data section with the target user’s username.

The /keyList flag was implemented for Kerberos Key List Requests. These requests must utilise a forged partial TGT from a read-only domain controller in the /ticket:BASE64 parameter. Furthermore, the /spn:x field must be set to the KRBTGT SPN within the domain, eg. KRBTBT/domain.local.

krb_asktgs /ticket:BASE64 /service:SPN1,SPN2,... [/domain:DOMAIN] [/dc:DC] [/tgs:BASE64] [/targetdomain:DOMAIN] [/targetuser:USER] [/enctype:{rc4|aes256}] [/ptt] [/keylist] [/u2u] [/opsec]

renew

The renew action will build/parse a raw TGS-REQ/TGS-REP TGT renewal exchange using the specified /ticket:X supplied. This value must be a base64 encoding of a .kirbi file. If a /dc is not specified, the computer’s current domain controller is extracted and used as the destination for the renewal traffic. The /ptt flag will “pass-the-ticket” and apply the resulting Kerberos credential to the current logon session.

krb_renew /ticket:BASE64 [/dc:DC] [/ptt]

More