Burpsuite with Kerberos Auth

Sometimes it is necessary to assess applications, reached over a VPN, that require authentication with a Kerberos TGT ticket.

On Kali Linux, the basic steps to reproduce this scenario are:

  • Start the VPN to the target network

  • Connect to the attacker machine you can use (e.g., in this case I need to use a double tunnel)

  • Run Burpsuite through proxychains

  • Configure the Kerberos extension to get the TGT

Start VPN

sudo openfortivpn -u xxxx@xxx.com -p 'password' --insecure-ssl --trusted-cert 4a11xxxxxxxbc -v

Connect to the attacker machine inside via VPN

I first need to connect to an Ubuntu machine and, through that machine, open another tunnel to a Kali machine inside the target infrastructure. I can build this tunnel by exposing a SOCKS proxy on my Kali as follows:

ssh -D 1080 -J "xxxx@xxx.local"@10.91.1.10 xx.xxx@10.100.16.12

Run Burpsuite with proxychains

proxychains java -jar /home/kali/BurpSuitePro/burpsuite_pro.jar

After starting Burpsuite, I need to make one change: switch from HTTP/2 to HTTP/1. In some cases this change is needed.

Configure Kerberos Extension

  1. First, we need to create the krb5.conf file and add the following parameter to it: udp_preference_limit = 1 (this makes Kerberos talk to the KDC over TCP instead of UDP, which the SOCKS tunnel cannot carry)

└─$ cat /home/kali/Documents/krb5.conf
[libdefaults]
        forwardable = true
        udp_preference_limit = 1
  2. After that, set the Domain Name and the IP of the KDC Host (mainly the Domain Controller). Then, click "Test domain settings".

  3. Next, set the domain credentials and click on "Test credentials". Here the TGT ticket is obtained.

  4. Add the hosts in scope: *.yourdomain.local

  5. Activate "Proactive Kerberos authentication"

  6. Test it in the Burp integrated browser or by adding the Burp proxy to your Firefox :)
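The whole procedure above as a small helper script, added here as an example and not part of the original page: it writes the krb5.conf with udp_preference_limit = 1 (forcing Kerberos over TCP, since proxychains and the ssh -D SOCKS proxy cannot relay UDP), refuses to launch Burp unless the SOCKS tunnel is actually listening, and then starts Burp through proxychains. The config path, SOCKS port and Burp jar path are placeholders taken from the commands on this page; pointing the Kerberos extension at the generated file is assumed to be done in the extension's own settings.

```shell
#!/bin/sh
# Added example helper (not from the original page). Placeholders below
# mirror the paths and port used in the page's commands.
KRB5_CONF="${KRB5_CONF:-$HOME/Documents/krb5.conf}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
BURP_JAR="${BURP_JAR:-$HOME/BurpSuitePro/burpsuite_pro.jar}"

# Write a minimal krb5.conf. udp_preference_limit = 1 makes MIT Kerberos
# use TCP for every KDC exchange, which is required because the SOCKS
# tunnel built with "ssh -D" (and proxychains) only carries TCP.
write_krb5_conf() {
    conf="$1"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<'EOF'
[libdefaults]
        forwardable = true
        udp_preference_limit = 1
EOF
}

# Return 0 only if the given config really forces TCP for Kerberos.
krb5_conf_forces_tcp() {
    grep -Eq '^[[:space:]]*udp_preference_limit[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Return 0 if something is listening on the local SOCKS port, i.e. the
# "ssh -D" tunnel from the previous step is up.
socks_listening() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -lnt 2>/dev/null | grep -q ":$port "
    else
        netstat -lnt 2>/dev/null | grep -q ":$port "
    fi
}

main() {
    write_krb5_conf "$KRB5_CONF"
    krb5_conf_forces_tcp "$KRB5_CONF" || { echo "krb5.conf does not force TCP" >&2; exit 1; }
    socks_listening "$SOCKS_PORT" || {
        echo "no SOCKS proxy on 127.0.0.1:$SOCKS_PORT; start the ssh -D tunnel first" >&2
        exit 1
    }
    # Same launch as on the page, routed through the SOCKS tunnel.
    proxychains java -jar "$BURP_JAR"
}

# Run the full flow only when invoked as "sh burp_krb.sh run".
if [ "${1:-}" = "run" ]; then main; fi
```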

Last updated 4 months ago