Using Kerberos Authentication without using a PC that is part of the Domain

Hi All,

Recently I was doing some pentesting and needed to connect to a website using Integrated Windows Authentication (IWA) with only support for Kerberos allowed. At first I thought I was pretty much at a dead end, because almost every post insinuates that for Kerberos authentication to work, your client machine needs to be added to the domain.

Well, in a word, you don’t!!!

It is possible to have your own Linux or Windows machine connect to a website using Kerberos tickets. In order to set this up I needed to configure a few things.

apt-get install krb5-config
apt-get install libpam-krb5
apt-get install krb5-kdc
dpkg-reconfigure krb5-config
kinit ben@HACKME.COM    # the realm must be uppercase, as it is a Kerberos REALM
klist                   # shows all tickets granted
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ben@HACKME.COM

Valid starting     Expires            Service principal
14/03/14 09:24:36  14/03/14 19:24:42  krbtgt/HACKME.COM@HACKME.COM
	renew until 15/03/14 09:24:36
14/03/14 09:28:33  14/03/14 19:24:42  HTTP/win-lbak0qmafe8.hackme.com@
	renew until 15/03/14 09:24:36
14/03/14 09:28:33  14/03/14 19:24:42  HTTP/win-lbak0qmafe8.hackme.com@HACKME.COM
	renew until 15/03/14 09:24:36

Once you have a TGT from the KDC, you can configure Firefox, Google Chrome or even IE to get the HTTP ticket from the KDC.

Allowing IE to Retrieve HTTP Tickets

IE requires the site to be added to the Intranet zone and IWA to be enabled. For IE on Windows, other tools must be used to get the Kerberos tickets, i.e. the MIT tools:

Kerberos: The Network Authentication Protocol – MIT

Allowing Firefox to Retrieve HTTP Tickets

Navigate to about:config
Search for negotiate, set the following preferences to .hackme.com, and restart Firefox:
network.negotiate-auth.trusted-uris;.hackme.com
network.negotiate-auth.delegation-uris;.hackme.com

Allowing Chrome to Retrieve HTTP Tickets

Start Google Chrome like this, and make sure all your DNS settings point to the correct domain DNS servers:
google-chrome --auth-server-whitelist="*.hackme.com" --user-data-dir
http://win-lbak0qmafe8.hackme.com/
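
Checking the result

The script below is an added example, not part of the original post: it reads klist output and reports whether both the TGT and the HTTP service ticket for a host are in the cache, which confirms that the browser really negotiated Kerberos. The function names and the embedded sample listing (constructed from the klist output shown earlier) are assumptions of this example.

```shell
#!/bin/sh
# Added example. SAMPLE_KLIST is constructed from the klist listing in the post.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ben@HACKME.COM

Valid starting     Expires            Service principal
14/03/14 09:24:36  14/03/14 19:24:42  krbtgt/HACKME.COM@HACKME.COM
    renew until 15/03/14 09:24:36
14/03/14 09:28:33  14/03/14 19:24:42  HTTP/win-lbak0qmafe8.hackme.com@
    renew until 15/03/14 09:24:36
14/03/14 09:28:33  14/03/14 19:24:42  HTTP/win-lbak0qmafe8.hackme.com@HACKME.COM
    renew until 15/03/14 09:24:36'

# Realm of the default principal: the text after the last "@".
default_realm() {
    awk -F': ' '/^Default principal:/ { n = split($2, p, "@"); print p[n]; exit }'
}

# Every service principal in the listing, one per line. Ticket rows have five
# fields (two date/time pairs plus the principal); "renew until" rows do not.
service_principals() {
    awk 'seen && NF == 5 && $1 ~ /^[0-9]/ { print $5 }
         /Service principal$/ { seen = 1 }'
}

# check_cache HOST  (klist output on stdin)
#   0: TGT and HTTP/HOST ticket for the default realm are both cached
#   1: no usable TGT, so kinit did not succeed for this cache
#   2: TGT present but no HTTP/HOST@REALM ticket, so the browser did not
#      negotiate Kerberos for HOST (check the browser settings and DNS)
check_cache() {
    host=$1
    listing=$(cat)
    realm=$(printf '%s\n' "$listing" | default_realm)
    [ -n "$realm" ] || return 1
    spns=$(printf '%s\n' "$listing" | service_principals)
    # -x -F: whole-line literal match, so the empty-realm "HTTP/host@" row
    # is not mistaken for the realm-qualified service ticket.
    printf '%s\n' "$spns" | grep -qxF "krbtgt/$realm@$realm" || return 1
    printf '%s\n' "$spns" | grep -qxF "HTTP/$host@$realm" || return 2
    return 0
}

# Real use: klist | check_cache win-lbak0qmafe8.hackme.com; echo "exit: $?"
```

Give the host name exactly as klist prints it in the service principal, since the match is case-sensitive.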
