# Burpsuite with Kerberos Auth

Sometimes, it's necessary to assess applications that you need to auth with TGT tickets from kerberos via VPN.

Using a Kali linux, the basic steps to reproduce this scenarios are:

* Start the VPN to the target network
* Connect to the attacker machine you can use (.e.g., in this case I need to use a double tunnel)
* Run the Burpsuite with proxychains
* Configure the Kerberos extension to get the TGT

## Start VPN

sudo openfortivpn -u <xxxx@xxx.com> -p 'password' --insecure-ssl --trusted-cert 4a11xxxxxxxbc -v

## Connect with the attacker machine inside via VPN

I need to connect first to a ubuntu machine, and through this machine connect via another tunnel a kali machine inside the target infrastructure. I can do this tunnel exposing a SOCKS proxy on my kali as follows:

ssh -D 1080 -J "<xxxx@xxx.local>"@10.91.1.10 xx.xxx\@10.100.16.12

## Run Burpsuite with proxychains

proxychains java -jar /home/kali/BurpSuitePro/burpsuite\_pro.jar

After execute the Burpsuite, I need to perform a change: change HTTP/2 to HTTP/1. In some cases this change is needed.

<figure><img src="/files/atZfRvkO31zqn25bv3sv" alt=""><figcaption></figcaption></figure>

## Configure Kerberos Extension

1. Frist, we need to create the krb5.config file. After that, add the following parameter to the file: udp\_preference\_limit = 1

```
└─$ cat /home/kali/Documents/krb5.conf
[libdefaults]
        forwardable = true
        udp_preference_limit = 1

```

<figure><img src="/files/8B74SsWu1pyDDS9ZE7cP" alt=""><figcaption></figcaption></figure>

2. After that, set the Domain Name and the IP of the KDC Host (mainly the Domain Controller). Then, "Test domain settings".
3. Next, set de domain credentials and click on "Test credentials". Here the TGT ticket is obtained.
4. Add the hosts in scope: \*.yourdomain.local
5. Activate "Proactive Kerberos authentication"
6. Test it on the Burp integrated browser on adding the burp proxy on your firefox :)

<figure><img src="/files/Vfv2GWb3Fe9bWSsd5QZJ" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook.seguranca-informatica.pt/tools/infrastructure-and-network/active-directory/burpsuite-with-kerberos-auth.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.