Burpsuite with Kerberos Auth
Sometimes you need to assess applications that require authentication with Kerberos TGTs, reachable only over a VPN.
Using Kali Linux, the basic steps to reproduce this scenario are:
1. Start the VPN to the target network
2. Connect to the attacker machine you can use (e.g., in this case I need to use a double tunnel)
3. Run Burpsuite with proxychains
4. Configure the Kerberos extension to get the TGT
Start VPN
sudo openfortivpn -u xxxx@xxx.com -p 'password' --insecure-ssl --trusted-cert 4a11xxxxxxxbc -v
Connect to the attacker machine inside via VPN
I need to connect first to an Ubuntu machine, and through this machine connect via another tunnel to a Kali machine inside the target infrastructure. I can do this tunnel by exposing a SOCKS proxy on my Kali as follows:
ssh -D 1080 -J "xxxx@xxx.local"@10.91.1.10 xx.xxx@10.100.16.12
Run Burpsuite with proxychains
proxychains java -jar /home/kali/BurpSuitePro/burpsuite_pro.jar
After starting Burpsuite, I need to perform a change: change HTTP/2 to HTTP/1. In some cases this change is needed.
Configure Kerberos Extension
First, we need to create the krb5.config file. After that, add the following parameter to the file: udp_preference_limit = 1. This forces Kerberos traffic over TCP, which is required here because the SOCKS tunnel used by proxychains does not carry UDP.
After that, set the Domain Name and the IP of the KDC Host (mainly the Domain Controller). Then, click "Test domain settings".
Next, set the domain credentials and click on "Test credentials". Here the TGT is obtained.
Add the hosts in scope: *.yourdomain.local
Activate "Proactive Kerberos authentication"
Test it in the Burp integrated browser, or by adding the Burp proxy to your Firefox :)
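A krb5 configuration file matching the extension settings described above, as an added example that is not part of the original post. The realm YOURDOMAIN.LOCAL and the KDC address 192.0.2.10 are placeholders (assumptions); the only setting the post itself requires is udp_preference_limit.

```ini
# Added example; realm name and KDC address are placeholders, not values from the post.
[libdefaults]
    default_realm = YOURDOMAIN.LOCAL
    # Send every Kerberos request over TCP. The ssh -D SOCKS proxy and
    # proxychains only forward TCP, so UDP requests to the KDC would not
    # go through the tunnel.
    udp_preference_limit = 1
    # Use the KDC listed under [realms] instead of DNS discovery.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    YOURDOMAIN.LOCAL = {
        # IP of the KDC host (usually the Domain Controller), TCP port 88
        kdc = 192.0.2.10:88
    }

[domain_realm]
    # Map the in-scope hosts (*.yourdomain.local) to the realm
    .yourdomain.local = YOURDOMAIN.LOCAL
    yourdomain.local = YOURDOMAIN.LOCAL
```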