Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / SMB / Access

Kerberos Authentication

Kerberos over SMB uses a CIFS service ticket or a TGT to authenticate to SMB without sending NTLM. This is the clean path after ticket extraction, delegation abuse, PKINIT, Golden Ticket, Silver Ticket, or normal kinit.

Get TGT

getTGT.py ootw.local/student:'student' -dc-ip 10.10.10.200
export KRB5CCNAME=student.ccache
klist

smbclient with Kerberos

smbclient -k //dc01.ootw.local/SYSVOL
smbclient -k //dc01.ootw.local/C$

NetExec with cache

nxc smb dc01.ootw.local -k --use-kcache
nxc smb dc01.ootw.local -k --use-kcache --shares

Impacket execution

psexec.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200
wmiexec.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200
atexec.py -k -no-pass ootw.local/Administrator@dc01.ootw.local -dc-ip 10.10.10.200 "whoami"

Use a CIFS service ticket

getST.py -spn cifs/dc01.ootw.local -dc-ip 10.10.10.200 ootw.local/student:'student'
export KRB5CCNAME=student.ccache
smbclient -k //dc01.ootw.local/SYSVOL

Notes

  • The hostname matters.
  • If the ticket is for cifs/dc01.ootw.local, connect to dc01.ootw.local, not only the IP address.