There’s still many legacy Windows and Linux environments that support RC4 and DES for Kerberos. Especially on corporate networks where there are older production machines or software, it’s unusually common to find these methods still in use these days. The best way to check if it’s allowed on a windows machine is to check the SupportedEncryptionTypes setting.
Most of the time, even though DES is supported it typically isn’t the first option that’s used. To force clients to downgrade to DES so we can capture ciphertext, we put together a simple ettercap filter in our
des_kpt repo that can be used:
$ cd krb5_ettercap $ vi krb5-downgrade-asreq.sh ... export KDC="192.168.1.11" export TARGET="192.168.1.27" export ETH="enp0s3" ... $ ./krb5-downgrade-asreq.sh
This will MITM the connection between the KDC and TARGET and replace the supported encryption types in all of the TARGET -> KDC AS-REQ packets with
des-cbc-crc and should downgrade all encrypted communication (TGS, Authenticators, etc) to
des-cbc-crc and log it to /tmp/ettercap.pcap which you can then use to crack using
Now that we have a capture, we can then run
des_kpt to generate submission tokens for any known-plaintext data in the packet capture.
$ cd .. $ ./des_kpt.py kerb -i /tmp/ettercap.pcap
Using the Result
There currently aren’t any tools for making use of the cracked DES keys to login to machines, but we’re currently looking into the best ways to use the keys to authenticate with machines and further exploitation.