We’ve released a new tool called Berserko, which is a Burp Suite extension to perform Kerberos authentication.
We use Burp Suite for web application security assessments and it gives us excellent results.
However, anyone with experience of pen testing in enterprise environments will tell you that it’s increasingly common to find applications that only support Kerberos. While Burp can handle all the other types of Windows integrated authentication, it doesn’t support Kerberos.
There are ways around this – notably by chaining Burp through Fiddler (according to these instructions). This works, but it is fiddly (no pun intended) and slow, and Fiddler only runs on Windows.
It would be simpler if Kerberos authentication could be done from within Burp itself. By making use of Burp’s extensibility API and Java’s built-in support for Kerberos, an extension can add Kerberos support to Burp.
In fact, your testing machine doesn’t have to be joined to the domain and it doesn’t have to be running on Windows.
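As an added illustration (not Berserko's own code), the sketch below shows how Java's built-in Kerberos support can produce an HTTP `Negotiate` header from a machine that is not domain-joined. The realm, KDC, user and host names are placeholders, and it assumes a JDK that ships `Krb5LoginModule` and still supports `Subject.doAs`.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

public class NegotiateHeaderDemo {
    public static void main(String[] args) throws Exception {
        // Placeholder values (assumptions): replace with the test domain's details.
        String realm = "EXAMPLE.TEST", kdc = "dc01.example.test";
        String user = "tester", host = "app.example.test";
        // Requires an interactive terminal; System.console() is null otherwise.
        char[] password = System.console().readPassword("Password for %s: ", user);
        // Naming the realm and KDC explicitly removes the need for krb5.conf or domain membership.
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", kdc);
        // JAAS configuration built in code instead of a login.conf file.
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Map.of("useTicketCache", "false")) };
            }
        };
        // Supplies the username and password when the login module asks for them.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        // Obtains a ticket-granting ticket from the KDC.
        LoginContext lc = new LoginContext("demo", null, handler, jaas);
        lc.login();
        // Requests a service ticket for HTTP/<host> and wraps it in a SPNEGO token.
        String header = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName spn = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(spn, new Oid("1.3.6.1.5.5.2"), // SPNEGO mechanism OID
                null, GSSContext.DEFAULT_LIFETIME);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            ctx.dispose();
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        });
        System.out.println("Authorization: " + header);
    }
}
```

The resulting header is what a client sends in reply to a `WWW-Authenticate: Negotiate` challenge; the testing machine only needs network access to the KDC and a clock close to the domain's.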
Berserko can be downloaded from our GitHub page, where you will also find the usage instructions.
Please take some time to give it a try. It has been tested against several Windows domains (and a Linux-based Hadoop box) but Kerberos is a complex business and there are bound to be bug fixes and tweaks required, so we’re keen to get your feedback.
Written by Richard Turnbull
First published on 31/01/17