Kerbeus-BOF - Advanced Kerberos Abuse Tool for Offensive Security Operations

Kerbeus-BOF is a Beacon Object File (BOF) implementation designed for Kerberos abuse, written in C. It integrates with popular Command and Control (C2) frameworks like Cobalt Strike, Havoc, and AdaptixC2.

Inspired by the Rubeus project, Kerbeus-BOF provides tools to manipulate Kerberos tickets for offensive security purposes. This guide explains its key features and usage.

Core Functionalities

1. Ticket Requests and Renewals

asktgt

The asktgt action generates raw AS-REQ (Authentication Service Request) traffic to obtain a Ticket-Granting Ticket (TGT). Key options include:

  • /rc4 or /aes256: Specify encryption type.

  • /password: Use a password instead of a hash.

  • /domain and /dc: Target domain and domain controller; both are determined automatically if unspecified.

  • /ptt: Pass-the-ticket to the current logon session (only one TGT can be active at a time).

  • /opsec: Mimic legitimate AS-REQ patterns by initially sending requests without pre-authentication.

  • /nopac or /nopreauth: Request tickets without a PAC or pre-authentication.

Examples:

krb_asktgt /user:USER /password:PASSWORD [/domain:DOMAIN] [/dc:DC] [/enctype:{rc4|aes256}] [/ptt] [/nopac] [/opsec]

krb_asktgt /user:USER /aes256:HASH [/domain:DOMAIN] [/dc:DC] [/ptt]

asktgs

The asktgs action requests Service Tickets using an existing TGT. Options include:

  • /service: Specify one or more SPNs (comma-separated).

  • /ptt: Pass-the-ticket for the current session.

  • /keylist: Request Kerberos Key List using a forged partial TGT.

  • /u2u: Request User-to-User tickets.

Example:

krb_asktgs /ticket:BASE64 /service:SPN1,SPN2,... [/domain:DOMAIN] [/dc:DC] [/ptt]

renew

Renew an existing TGT using the renew action. The renewed ticket can also be passed to the current session with /ptt.

Example:

krb_renew /ticket:BASE64 [/dc:DC] [/ptt]

2. Delegation Abuse

Constrained Delegation

Accounts configured for constrained delegation can impersonate any user to specific services (SPNs). The krb_s4u action enables abuse of this feature:

  • /impersonateuser: Impersonate another user.

  • /altservice: Substitute service names in the resulting ticket.

Example:

krb_s4u /ticket:BASE64 /service:SPN {/impersonateuser:USER} [/altservice:SERVICE]

Unconstrained Delegation

Unconstrained delegation allows an account to impersonate users to any service. The tool can exploit this configuration by requesting tickets on behalf of other users.

3. Ticket Management

ptt

Submit a TGT or service ticket for the current session using the LsaCallAuthenticationPackage() API.

Example:

krb_ptt /ticket:BASE64

purge

Remove all Kerberos tickets from the current session.

Example:

krb_purge

describe

Parse and display details of a Kerberos ticket.

Example:

krb_describe /ticket:BASE64

klist, dump, triage

These actions list or extract Kerberos tickets:

  • klist: Show ticket details.

  • dump: Extract TGTs and service tickets.

  • triage: Summarize all tickets on the system.

Examples:

krb_klist

krb_dump [/luid:LOGINID]

krb_triage

4. Credential Abuse

Kerberoasting

Request service tickets for SPNs and extract their hashes for offline cracking.

Examples:

krb_kerberoasting /spn:SPN [/nopreauth:USER]

krb_kerberoasting /spn:CIFS/COMP.domain.local /ticket:TKT_BASE64

AS-REP Roasting

Target accounts that have Kerberos pre-authentication disabled and retrieve their AS-REP responses, which can then be cracked offline.

Example:

krb_asreproasting /user:USER [/domain:DOMAIN]

5. Miscellaneous Actions

hash

Generate NTLM or AES hashes from passwords.

Example:

krb_hash /password:PASSWORD [/user:USER] [/domain:DOMAIN]

changepw

Change a user's password using their TGT or service ticket.

Example:

krb_changepw /ticket:TKT_BASE64 /new:PASSWORD

Advanced Techniques

1. Overpass-the-Hash Attack

Use NTLM hashes to request Kerberos tickets via RC4-HMAC encryption. This technique bypasses the need for plaintext credentials.

2. S4U2Self and S4U2Proxy Abuse

Leverage constrained delegation to request service tickets as other users.

Operational Security (OpSec) Considerations

To avoid detection:

  1. Use the /opsec flag to mimic legitimate traffic patterns.

  2. Limit ticket requests to necessary operations.

  3. Avoid reusing compromised credentials excessively.
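As an added example from the defender's side (not part of the Kerbeus-BOF project), the following Python flags the ticket-request patterns described above in Windows Security events 4768 (TGT request) and 4769 (service ticket request): RC4-HMAC TGTs as produced by Overpass-the-Hash, TGTs issued without pre-authentication (AS-REP roasting), and bulk RC4 service tickets for SPN-bearing accounts (Kerberoasting). Field names follow the Windows Security log schema; the sample events, account names and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in events 4768/4769
AES256 = 0x12    # AES256-CTS-HMAC-SHA1-96, the expected type on a modern domain

@dataclass
class KerbEvent:
    event_id: int       # 4768 = TGT request (AS-REQ), 4769 = service ticket (TGS-REQ)
    account: str        # TargetUserName: the requesting account
    service: str        # ServiceName: target account of a 4769; "krbtgt" for a 4768
    enc_type: int       # TicketEncryptionType
    client_ip: str      # IpAddress of the requesting client
    preauth_type: Optional[int] = None  # PreAuthType (4768 only); 0 = no pre-auth used

def classify(ev: KerbEvent, service_accounts: set) -> list:
    """Detection labels for a single event; an empty list means nothing flagged."""
    hits = []
    if ev.event_id == 4768:
        if ev.preauth_type == 0:      # AS-REP roasting: TGT handed out without pre-auth
            hits.append("asrep-roasting")
        if ev.enc_type == RC4_HMAC:   # Overpass-the-Hash with an NT hash yields RC4 TGTs
            hits.append("rc4-tgt")
    elif (ev.event_id == 4769 and ev.enc_type == RC4_HMAC
          and ev.service.lower() in service_accounts):
        hits.append("kerberoasting")  # RC4 service ticket for an SPN-bearing account
    return hits

def scan(events, service_accounts, burst=5):
    """Classify every event, then flag clients pulling many distinct service tickets."""
    findings = [(lbl, ev.account, ev.service)
                for ev in events for lbl in classify(ev, service_accounts)]
    per_client = {}
    for ev in events:
        if ev.event_id == 4769:
            per_client.setdefault(ev.client_ip, set()).add(ev.service)
    findings += [("spn-burst", ip, len(s)) for ip, s in per_client.items() if len(s) >= burst]
    return findings

# Constructed sample events and account names (not real log data)
SERVICE_ACCOUNTS = {"svc_sql", "svc_web", "svc_iis", "svc_ftp", "svc_smb"}
SAMPLE = [
    KerbEvent(4768, "alice", "krbtgt", AES256, "10.0.0.5", preauth_type=2),      # benign
    KerbEvent(4768, "svc_backup", "krbtgt", RC4_HMAC, "10.0.0.77", preauth_type=2),
    KerbEvent(4768, "legacyuser", "krbtgt", AES256, "10.0.0.77", preauth_type=0),
] + [KerbEvent(4769, "svc_backup", s, RC4_HMAC, "10.0.0.77") for s in sorted(SERVICE_ACCOUNTS)]

if __name__ == "__main__":
    for finding in scan(SAMPLE, SERVICE_ACCOUNTS):
        print(finding)
```

On the constructed sample this reports the RC4 TGT, the no-pre-auth TGT, five RC4 service tickets and one spn-burst entry for the client that requested them; the /opsec flag above only changes the shape of the AS-REQ exchange, not the encryption type or pre-auth fields these checks rely on.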

Credits

Kerbeus-BOF is inspired by:

  • Rubeus by GhostPack

  • CS-Situational-Awareness-BOF by TrustedSec

  • nanorobeus by wavvs

You can learn more and download Kerbeus-BOF on GitHub.
