Breaking MSFT Kerberos With Responder

I’ve been working on a way to get MS Kerberos v5 hashes via the Browser protocol automatically with no user interaction on a given network.
(click on the pics if they don’t display correctly).

Often you see these requests in wireshark on an internal penetration test:

So I came up with a tool that automates kerberos’ connection for these:

Which shows up like this in Wireshark:

Here’s how the attack works :
1) Poison a NBT-NS lookup on the domain controller service, wait for a SamLogonRequest, answer with a LogonSAMUserUnknownEX then wait for a LogonPrimaryQuery and answer with a LogonSAMUserUnknownEX.
2) Setup a smb server which responds to a NegotiateProtocolRequest with the supported mech list set as kerberos:

and wait for the Kerberos AS-REQ on UDP 88.

Responder will then take care of the hash parsing and formating:

And will make it ready for hashcat (-m 7500):

This will be included in the next release of Responder (https://github.com/Spiderlabs/Responder)

Game over MSKerberosV5.

Print Share Comment Cite Upload Translate

APA

() » Breaking MSFT Kerberos With Responder. Retrieved from https://www.truth.cx/2014/04/10/breaking-msft-kerberos-with-responder/.

MLA

" » Breaking MSFT Kerberos With Responder." - , https://www.truth.cx/2014/04/10/breaking-msft-kerberos-with-responder/

HARVARD

» Breaking MSFT Kerberos With Responder., viewed ,

VANCOUVER

- » Breaking MSFT Kerberos With Responder. [Internet]. [Accessed ]. Available from: https://www.truth.cx/2014/04/10/breaking-msft-kerberos-with-responder/

CHICAGO

" » Breaking MSFT Kerberos With Responder." - Accessed . https://www.truth.cx/2014/04/10/breaking-msft-kerberos-with-responder/

IEEE

" » Breaking MSFT Kerberos With Responder." [Online]. Available: https://www.truth.cx/2014/04/10/breaking-msft-kerberos-with-responder/. [Accessed: ]

Select a language:

<div dir="ltr" style="text-align: left;" trbidi="on">I've been working on a way to get MS Kerberos v5 hashes via the Browser protocol automatically with no user interaction on a given network.<br />(click on the pics if they don't display correctly).<br /><br />Often you see these requests in wireshark on an internal penetration test:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-5025qkKWD8I/U0YwO8H8yxI/AAAAAAAAAYA/JBLpCXjhwqM/s1600/sam-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-5025qkKWD8I/U0YwO8H8yxI/AAAAAAAAAYA/JBLpCXjhwqM/s1600/sam-2.png" height="36" width="640" /></a></div><br />So I came up with a tool that automates kerberos' connection for these:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-1IKxiYs5k6c/U0Ywm7vOo7I/AAAAAAAAAYI/Vah6jsCwz9A/s1600/Kerberos-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-1IKxiYs5k6c/U0Ywm7vOo7I/AAAAAAAAAYI/Vah6jsCwz9A/s1600/Kerberos-1.png" /></a></div><br />Which shows up like this in Wireshark:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-h-E6UZIr98g/U0Yw7RZhseI/AAAAAAAAAYQ/S-rsFTCOIRI/s1600/wireshark-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-h-E6UZIr98g/U0Yw7RZhseI/AAAAAAAAAYQ/S-rsFTCOIRI/s1600/wireshark-1.png" height="286" width="640" /></a></div><br />Here's how the attack works :<br />1) Poison a NBT-NS lookup on the domain controller service, wait for a SamLogonRequest, answer with a LogonSAMUserUnknownEX then wait for a LogonPrimaryQuery and answer with a LogonSAMUserUnknownEX.<br />2) Setup a smb server which responds to a NegotiateProtocolRequest with the supported mech list set as kerberos:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-yYi0EZ8KFzw/U0YzTPerPsI/AAAAAAAAAYc/hlSErmB_xok/s1600/wireshark2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-yYi0EZ8KFzw/U0YzTPerPsI/AAAAAAAAAYc/hlSErmB_xok/s1600/wireshark2.png" height="468" width="640" /></a></div>  <br />and wait for the Kerberos AS-REQ on UDP 88.<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-YoZ1SnczHc8/U0YzqBF0W0I/AAAAAAAAAYk/VvBWiqpdY-8/s1600/wireshark3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-YoZ1SnczHc8/U0YzqBF0W0I/AAAAAAAAAYk/VvBWiqpdY-8/s1600/wireshark3.png" height="150" width="640" /></a></div><br />Responder will then take care of the hash parsing and formating:<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-U2_n7vv9FKE/U0Y1xwU4jrI/AAAAAAAAAY4/TvXM2K-IdUw/s1600/mskerb1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-U2_n7vv9FKE/U0Y1xwU4jrI/AAAAAAAAAY4/TvXM2K-IdUw/s1600/mskerb1.png" height="48" width="640" /></a></div><br /><br /> And will make it ready for hashcat (-m 7500):<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-hzh2R7kn3T0/U0Y0n7I6d0I/AAAAAAAAAYw/dEI4gxTPIos/s1600/kerb-cracked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-hzh2R7kn3T0/U0Y0n7I6d0I/AAAAAAAAAYw/dEI4gxTPIos/s1600/kerb-cracked.png" height="218" width="640" /></a></div><br />This will be included in the next release of Responder (https://github.com/Spiderlabs/Responder)<br /><br /><div class="separator" style="clear: both; text-align: center;"></div>Game over MSKerberosV5.<br /><br /><br /></div>

First name:

Last name:

Related Posts