First, configure krb5.conf (nxc can generate it from the DC):
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# nxc smb LUS2DC.Lustrous2.vl --generate-krb5-file /etc/krb5.conf
SMB 10.129.242.166 445 LUS2DC [*] x64 (name:LUS2DC) (domain:Lustrous2.vl) (signing:True) (SMBv1:False) (NTLM:False)
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# cat /etc/krb5.conf
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = LUSTROUS2.VL
[realms]
LUSTROUS2.VL = {
kdc = lus2dc.Lustrous2.vl
admin_server = lus2dc.Lustrous2.vl
default_domain = Lustrous2.vl
}
[domain_realm]
.Lustrous2.vl = LUSTROUS2.VL
Lustrous2.vl = LUSTROUS2.VL
Then you can log in with kinit:
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# kinit thomas.myers
Password for thomas.myers@LUSTROUS2.VL:
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# klist
Ticket cache: FILE:Thomas.Myers.ccache
Default principal: thomas.myers@LUSTROUS2.VL
Valid starting Expires Service principal
10/01/2025 07:48:32 10/01/2025 17:48:32 krbtgt/LUSTROUS2.VL@LUSTROUS2.VL
renew until 10/02/2025 07:48:23
The simplest way to check whether a site uses Kerberos authentication is curl with the --negotiate option.
--negotiate enables SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) authentication: client and server negotiate the strongest mechanism both support, which in practice means choosing between Kerberos and NTLM. When the site has Kerberos authentication enabled, curl uses our TGT to request a service ticket from the KDC for the SPN HTTP/lus2dc.lustrous2.vl, wraps the resulting AP-REQ in a SPNEGO token and sends it in the Authorization header.
Before that you need to point the KRB5CCNAME environment variable at the ticket cache, otherwise GSSAPI (and therefore curl) cannot find the ticket:
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# export KRB5CCNAME=Thomas.Myers.ccache
Then request the site:
┌──(root㉿kali)-[~/Desktop/htb/LustrousTwo]
└─# curl http://lus2dc.lustrous2.vl --negotiate -I -u :
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv9tnHvYuO3z1EsFmcl3ZHwPolBurPoW2hIAjUo5z2Kii18H+7xze2l3lnoL8kCGCZbLRZXv2bRv3uaOCp1ZHCvoRjH7uOjOVR2e/VzVzVHVf62MxfJ/Ukitdg1RLiO8yqHLWytQJlr71ipE4ym5eZ
Persistent-Auth: true
X-Powered-By: ASP.NET
Date: Wed, 01 Oct 2025 11:57:47 GMT
-I returns only the response headers, since the status code is all we need to judge the result.
-u : sets an empty username and password; curl then relies on the system's GSSAPI credentials, i.e. the Kerberos ticket in the cache, instead of prompting for a password.
Note that a 200 on its own does not prove Kerberos was used, because Negotiate can also carry NTLM. The token in the final WWW-Authenticate: Negotiate header above is a SPNEGO NegTokenResp whose mechanism OID is Kerberos (1.2.840.113554.1.2.2) and whose negState is accept-completed, i.e. the server's reply to our AP-REQ; that is what confirms the Kerberos exchange succeeded.
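Reading that token by hand is error-prone, so here is a small added example (my own code, not part of the original writeup) that takes a `curl -I` header dump and reports which scheme the server offered and which mechanism a completed Negotiate exchange actually used. The Kerberos response is the real token from the curl output above; the 401 challenge and the NTLM CHALLENGE message are constructed sample inputs, and the function and variable names are my own.

```python
"""Classify what a Negotiate/NTLM-capable web server offered or completed,
using only the response headers that `curl -I` prints."""
import base64

# DER-encoded mechanism OIDs carried inside SPNEGO tokens (RFC 4178).
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"                         # magic of a raw NTLM message
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete",
              2: "reject", 3: "request-mic"}


def parse_headers(raw):
    """Split a 'curl -I' dump into (status_code, [(name, value), ...])."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def classify_token(token_b64):
    """Return (mechanism, neg_state) for one base64 Negotiate/NTLM token."""
    try:
        tok = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return "invalid", None
    if tok.startswith(NTLMSSP_SIG):
        return "ntlm", None            # bare NTLMSSP message, no SPNEGO wrapper
    # 0x60 = GSS-API InitialContextToken (NegTokenInit), 0xa1 = NegTokenResp
    if tok[:1] not in (b"\x60", b"\xa1"):
        return "unknown", None
    state = None
    # NegTokenResp starts: a1 <len> 30 <len> a0 03 0a 01 <negState>
    pos = tok.find(b"\xa0\x03\x0a\x01", 0, 12)
    if tok[:1] == b"\xa1" and pos != -1 and pos + 4 < len(tok):
        state = NEG_STATES.get(tok[pos + 4], "unknown")
    if NTLMSSP_OID in tok or NTLMSSP_SIG in tok:
        return "ntlm", state           # SPNEGO negotiated NTLM (fallback)
    if KRB5_OID in tok or MS_KRB5_OID in tok:
        return "kerberos", state
    return "unknown", state


def classify_response(raw):
    """Summarise the authentication outcome of one HTTP response."""
    status, headers = parse_headers(raw)
    result = {"status": status, "offered": [], "mechanism": None, "neg_state": None}
    for name, value in headers:
        if name != "www-authenticate":
            continue
        scheme, _, token = value.partition(" ")
        result["offered"].append(scheme)
        if token:
            result["mechanism"], result["neg_state"] = classify_token(token.strip())
    return result


# Real response from the curl -I run above (token copied verbatim).
LUS2DC_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv9tnHvYuO3z1EsFmcl3ZHwPolBurPoW2hIAjUo5z2Kii18H+7xze2l3lnoL8kCGCZbLRZXv2bRv3uaOCp1ZHCvoRjH7uOjOVR2e/VzVzVHVf62MxfJ/Ukitdg1RLiO8yqHLWytQJlr71ipE4ym5eZ
Persistent-Auth: true
"""

# Constructed: an unauthenticated probe of a server that also allows NTLM fallback.
CHALLENGE_RESPONSE = """HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
"""

# Constructed: a server answering with a minimal NTLM CHALLENGE (type 2) message.
NTLM_TYPE2 = base64.b64encode(NTLMSSP_SIG + b"\x02\x00\x00\x00" + b"\x00" * 24).decode()
NTLM_RESPONSE = "HTTP/1.1 401 Unauthorized\nWWW-Authenticate: NTLM " + NTLM_TYPE2 + "\n"

if __name__ == "__main__":
    for sample in (LUS2DC_RESPONSE, CHALLENGE_RESPONSE, NTLM_RESPONSE):
        print(classify_response(sample))
```

For the page's own response the result is status 200, mechanism kerberos, neg_state accept-completed. A 401 that lists both Negotiate and NTLM means the server will accept an NTLM fallback, so on such a host you should inspect the final token rather than trusting the status code.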
If you later want to do the same from a browser, you also need to allow Negotiate authentication in Firefox (about:config, network.negotiate-auth.trusted-uris set to the target host).