Friday, January 15, 2021

Burp - Kerberos Authentication

Sometimes in my job, I'm asked to do an assessment of web applications.  And plenty of web applications use Kerberos Authentication.  I'm not exactly an expert in Burp, so I had issues with this.  Since I had issues, I thought I'd share what I did in case others have problems.  Keep in mind, this could be wrong, but it worked for me.

Symptom:  You're getting a login prompt for certain web applications that are expecting credentials.  So you look at the headers and you see WWW-Authenticate: Negotiate <some long string>.


This means that the application is expecting Kerberos and may fall back to NTLM if Kerberos fails.


So how to get Kerberos Authentication working in Burp?


Source 

https://github.com/nccgroup/Berserko/issues/5 

 

As of the time of this writing, there isn't native Kerberos support in Burp that I'm aware of.  I'm running 2020-12-1.  If support was added for that, it wasn't working for me.  So, as far as I know, you must use an extension called Kerberos Authentication.


In my case, Burp is located in /opt/Burp. 

 

In order for this to work, I had to launch Burp in a specific way.  This was supposed to be fixed, but apparently it wasn't.   The problem, according to rtt-ncc in that source up there, is that Burp "is now using OpenJDK instead of the Oracle JDK, and the version of OpenJDK being shipped doesn't include the jdk.security.auth modules." 

 

So, according to va-14 in that source up there, the solution is to open up a Terminal and run the following to launch Burp instead of launching it from Applications (I'm on a Kali box). 

 

java -jar /opt/BurpSuitePro/burpsuitepro.jar 

 

After you launch Burp, you'll get a popup asking if you want to load from a saved setting or start a Temp Project.  Start a Temp Project.  Use Default Settings. 


To install Kerberos Authentication, click on the Extender tab.  This will bring up another set of tabs underneath the original tabs.  Click on BApp Store.


Scroll down until you see the Kerberos Authentication Extender.  Click on it to select it. 

Click the Install button in the right-hand frame.  Once it is done installing, you'll see a Kerberos Authentication tab on the top row of tabs.  By default it is turned off.  In order to use Kerberos, make sure that the "Do Kerberos" checkbox is checked at the top.  You must do this every time you open a new project if you'd like to use Kerberos.

 

There are settings that must be configured for it to work.   

 

Click on the Kerberos Authentication tab and put your details in there.  Do not check the "Save password in Burp config?" checkbox; we don't want random creds lying around where people can find them.  Also of note, in the Scope area, having the "All hosts in scope for Kerberos authentication" box checked is not recommended, since with it checked you may actually test hosts that you don't intend to.  The "Do not perform Kerberos authentication to servers which support NTLM" option is also not recommended, because NTLM challenges and responses can be sniffed and cracked.  We are using TLS, though, so it should be ok, but don't quote me on that.  Just be aware that it might be a security hazard.
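One check worth doing once the extension is configured is whether Burp's requests are really carrying Kerberos or have quietly dropped to NTLM, since the server's Negotiate challenge allows either.  The script below is an added example for this post, not the post's own code and not part of the Kerberos Authentication extension.  It parses the WWW-Authenticate values a server offers and the Authorization value the client sends back, and labels each blob as a bare challenge, a raw NTLMSSP message, NTLM wrapped in SPNEGO, or SPNEGO carrying Kerberos.  The sample headers and tokens are constructed for illustration; in practice you would paste the request and response headers from a Burp history entry into the headers list.

```python
"""Check whether an HTTP exchange captured in Burp is really using Kerberos
or has fallen back to NTLM.

Added example for this post, not code from the post or from the Kerberos
Authentication (Berserko) extension.  All sample headers and tokens below are
constructed for illustration."""
import base64
import re

# GSS-API / SPNEGO mechanism OIDs, DER-encoded (tag 0x06, length, value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f71201020202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f71201020202")  # 1.2.840.48018.1.2.2

CANON = {"negotiate": "Negotiate", "ntlm": "NTLM", "basic": "Basic",
         "digest": "Digest", "bearer": "Bearer"}
_CHALLENGE_RE = re.compile(
    r"(?:^|,)\s*(Negotiate|NTLM|Basic|Digest|Bearer)(?:\s+([^,]*))?", re.I)


def parse_auth_header(value):
    """Split one WWW-Authenticate / Authorization value into (scheme, blob)
    pairs.  Several challenges may share a header, separated by commas;
    base64 tokens never contain commas, so splitting on them is safe here."""
    return [(CANON[m.group(1).lower()], (m.group(2) or "").strip())
            for m in _CHALLENGE_RE.finditer(value)]


def classify_token(scheme, blob):
    """Say what a Negotiate/NTLM blob actually carries."""
    if scheme not in ("Negotiate", "NTLM"):
        return "params"                      # Basic/Digest/Bearer parameters
    if not blob:
        return "bare-challenge"              # server just offering the scheme
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00"):       # raw NTLMSSP message
        msg_type = int.from_bytes(raw[8:12], "little") if len(raw) >= 12 else 0
        return "ntlm-type%d" % msg_type
    if raw[:1] == b"\x60" and SPNEGO_OID in raw:   # GSS InitialContextToken
        if b"NTLMSSP\x00" in raw:
            return "spnego-ntlm"             # NTLM wrapped in SPNEGO: still NTLM
        if KRB5_OID in raw or MS_KRB5_OID in raw:
            return "spnego-kerberos"
        return "spnego-other"
    if raw[:1] == b"\xa1":                   # negTokenResp from the server
        return "spnego-response"
    return "unknown"


def audit_headers(headers):
    """headers: list of (name, value) pairs copied from a Burp history entry
    (response and matching request together).  Returns what the server
    offered, what the client actually sent, and whether NTLM was used."""
    summary = {"offered": [], "client_sent": [], "ntlm_in_use": False}
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "www-authenticate":
            for scheme, blob in parse_auth_header(value):
                summary["offered"].append((scheme, classify_token(scheme, blob)))
        elif lname == "authorization":
            for scheme, blob in parse_auth_header(value):
                kind = classify_token(scheme, blob)
                summary["client_sent"].append((scheme, kind))
                if kind.startswith("ntlm") or kind == "spnego-ntlm":
                    summary["ntlm_in_use"] = True
    return summary


def _der(tag, content):
    """Minimal DER TLV for short (<128 byte) contents; used only to build
    the constructed sample tokens below."""
    return bytes([tag, len(content)]) + content


# Constructed sample: a SPNEGO negTokenInit that lists only Kerberos
# mechanisms (mechToken omitted), as a Kerberos-speaking client would send.
SAMPLE_KRB_TOKEN = base64.b64encode(
    _der(0x60, SPNEGO_OID +
         _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, KRB5_OID + MS_KRB5_OID)))))
).decode()

# Constructed sample: an NTLMSSP NEGOTIATE (type 1) message with zeroed fields.
SAMPLE_NTLM_TYPE1 = base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(20)).decode()

# Constructed sample exchange: server offers both, client answers with Kerberos.
SAMPLE_EXCHANGE = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("Authorization", "Negotiate " + SAMPLE_KRB_TOKEN),
]

if __name__ == "__main__":
    for k, v in audit_headers(SAMPLE_EXCHANGE).items():
        print("%-12s %s" % (k + ":", v))
```

If ntlm_in_use comes back True for a host you expected to reach over Kerberos, that is the fallback the settings above warn about, and the place to look is the extension's log and your domain connectivity.  For a quick eyeball check without the script: any Negotiate or NTLM blob whose base64 starts with TlRMTVNTUAA is an NTLMSSP message, because that is how the "NTLMSSP\0" signature encodes.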


The details on the Kerberos Extender tab, as long as you're familiar with Burp and your environment, are fairly easy to work out.  If you have questions, ask your sysadmins.


Make sure to test your credentials and your connectivity to the domain.


The cool thing about this is that you don't have to be a member of the domain to use it.  You just need valid credentials.


I did run into a couple of errors, but they seemed to be resolved by launching Burp the way that I said above.  I found this solution by using Google.  Chances are, if you have an error, simply Google it.  You're likely to find a solution.


When you use Intruder or Repeater, don't add the WWW-Authenticate header.  Burp will take care of that for you so long as the Kerberos Authentication Extender is enabled.


Hopefully this helps others not spend a lot of time researching this.

Monday, January 11, 2021

SANS Holiday Hack 2020 Write-Up


Completed the 2020 SANS Holiday Hack Challenge.  It was so fun!  I'm attaching images because I've found myself short on time.  Unfortunately, this blog won't let me upload a PowerPoint presentation or PDF.  I created this in PowerPoint and exported to PDF for submitting my entry.  There's also an option to export to images, so I uploaded the images on here.  If you can't see or read these, send me a message, and I'd be happy to send the PDF over to you.  I highly recommend trying the challenges and then reading multiple write-ups.  I learn so much by trying and then seeing things through others' eyes.  Hopefully everyone has a happy new year!