Hi All,
Recently I was doing some pentesting and needed to connect to a website using Integrated Windows Authentication (IWA) with only support for Kerberos allowed. At first I thought I was pretty much in a dead end because almost every post insinuates for Kerberos authentication to work your client machine needs to be added to the domain.
Well In a Word You Don’t!!!
It is possible to have your own Linux or Windows machine connect to a website using kerberos tickets. In order to set this up I needed to configure a few things.
apt-get install krb5-config apt-get install libpam-krb5 apt-get install krb5-kdc dpkg-reconfigure krb5-config
kinit ben@HACME.NET (Must be uppercase as its a Kerberos REALM) klist (Shows all tickets granted)
klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: ben@HACKME.COM Valid starting Expires Service principal 14/03/14 09:24:36 14/03/14 19:24:42 krbtgt/HACKME.COM@HACKME.COM renew until 15/03/14 09:24:36 14/03/14 09:28:33 14/03/14 19:24:42 HTTP/win-lbak0qmafe8.hackme.com@ renew until 15/03/14 09:24:36 14/03/14 09:28:33 14/03/14 19:24:42 HTTP/win-lbak0qmafe8.hackme.com@HACKME.COM renew until 15/03/14 09:24:36
Once you have got a TGT from the KDC you can configure FireFox or Google Chrome or Even IE to get the HTTP ticket from the KDC.
Allowing IE to Retrieve HTTP Tickets
IE requires the site to be added to the Intranet and IWA enabled. For IE in Windows other tools must be used to get the Kerberos tickets, i.e. MIT tools
Kerberos: The Network Authentication Protocol – MIT
Allowing Firefox to Retrieve HTTP Tickets
Navigate to about:config Search negotiate and add the following settings to have .hackme.com and restart firefox
network.negotiate-auth.trusted-uris;
network.negotiate-auth.delegation-uris;
Allowing Chrome to Retrieve HTTP Tickets
Start google chrome like this, make sure you have all the dns pointing to the correct domain dns servers google-chrome --auth-server-whitelist="*.hackme.com" --user-data-dir http://win-lbak0qmafe8.hackme.com/