The basic principle of kerberos and what is the content of SPN scan

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

This article analyses the basic principles of Kerberos and what an SPN scan involves, in the hope of helping readers who want to understand this topic find a simple and workable way in.

0x00 Preface

Kerberos is a network authentication protocol proposed by MIT (Massachusetts Institute of Technology). It is designed to provide strong authentication for client/server applications using secret-key cryptography.

In the process of understanding Kerberos, I found that some of the relevant articles on many websites are direct machine translations, and that there are also some well-written articles, but they are relatively weak on practice, so students encountering Kerberos for the first time may not know how to get started. Therefore, this paper mainly uses more detailed experiments combined with the principles to illustrate some attacks related to Kerberos.

This series is divided into three parts. The first part covers the domain environment, the Kerberos protocol and the Kerberoasting attack. The second part covers the MS14-068 vulnerability and the use of Kerberos tickets. The third part explains the attack methods and principles of Kerberos delegation.

0x01 Domain environment

Because Kerberos is mainly used as the authentication protocol in a domain environment, some concepts of the domain environment come first. Domains arose to solve the problem of resource management within an enterprise: for example, a company can set up a domain environment in its network, which makes managing internal resources more convenient. A domain contains various resources, such as domain controllers, domain administrators, ordinary users, hosts, and so on.

In the following figure, YUNYING.LAB is the root domain of the other two domains, and NEWS.YUNYING.LAB and DEV.YUNYING.LAB are both subdomains of YUNYING.LAB; together they form a domain tree. A subdomain can be understood as a group in a different business branch: they overlap in business and all belong to the root domain YUNYING.LAB, but operate independently. Similarly, TEST.COM is a separate domain tree, and the combination of the two domain trees YUNYING.LAB and TEST.COM is called a domain forest.

This paper uses the domain whose root is YUNYING.LAB for its demonstrations. The domain controller of YUNYING.LAB is DC.YUNYING.LAB, and the domain controllers of the subdomains NEWS.YUNYING.LAB and DEV.YUNYING.LAB are NEWSDC.NEWS.YUNYING.LAB and DEVDC.DEV.YUNYING.LAB respectively.

All of the above are FQDNs (Fully Qualified Domain Names), which contain both the host name and the domain name.

Example: for DC.YUNYING.LAB, the host name is DC and the domain name is YUNYING.LAB, so its FQDN is DC.YUNYING.LAB.

The operating systems used in this domain are Windows Server 2008 R2 and Windows 7.

0x02 Introduction to Kerberos

The central problem Kerberos authentication solves is how to prove that "you are you". For example, when a Client accesses a service on a Server, how does Server decide whether Client has permission to access the service on its host, while ensuring that even if the traffic is intercepted or tampered with along the way, the security of the communication is not affected? This is the problem Kerberos solves. Attack and defence of the Kerberos protocol is also very important in domain penetration.

1. Kerberos protocol framework

There are three main roles in the Kerberos protocol:

1. The Client that accesses the service

2. The Server that provides the service

3. The KDC (Key Distribution Center).

The KDC service is installed by default on the domain controller of a domain, while Client and Server are users or services in the domain, such as an HTTP service or a SQL service. In Kerberos, whether Client is permitted to access a service on Server is decided by the ticket issued by KDC.

If the ticket in Kerberos is compared to a train ticket, then Client is the passenger, Server is the train, and KDC is the station's ticket-checking system. Only if Client's ticket is legitimate (bought with your ID card and held by you) and grants access to the Server service (the ticket matches the train number) can you board. Unlike a train ticket, however, Kerberos uses two tickets, whereas a single train ticket is used from start to finish.

From the figure above, you can see that KDC is divided into two parts:

Authentication Server (AS): verifies the identity of the Client (makes sure you are the person on the ID card). If the check passes, AS issues Client a TGT (Ticket Granting Ticket).

Ticket Granting Server (TGS): exchanges the ticket (TGT) that AS issued to Client for a ticket to access Server (the ST, the ticket you board with). The ST (Service Ticket) is also called the TGS Ticket in some material; to avoid confusion with TGS itself, this article uses ST.

The KDC service relies on the KRBTGT account, which the system creates automatically when the domain is created. For now it is enough to know that it is an account nobody logs on with, and that its password HASH is used when issuing tickets.

2. Kerberos authentication process

When Client wants to access a service on Server, it first has to prove its identity to AS, and then uses the TGT issued by AS to request access to Server. This process is divided into three parts:

The Authentication Service Exchange: interaction between Client and AS

The Ticket-Granting Service (TGS) Exchange: interaction between Client and TGS

The Client/Server Authentication Exchange: interaction between Client and Server.

(1) The Authentication Service Exchange

KRB_AS_REQ

Client -> AS: sends Authenticator1 (TimeStamp encrypted with the Client password)

In the first step, Client sends Authenticator1 to the AS of KDC. It contains the timestamp, Client ID, network address, encryption type and so on, encrypted with the Client password Hash.

KRB_AS_REP

AS -> Client: sends sessionkey-as encrypted with the Client password, and the ticket TGT (sessionkey-as and TimeStamp encrypted with the KRBTGT HASH)

The password HASHes of all users in the domain are stored in the KDC. When AS receives the request from Client, it decrypts it with the password stored in the KDC; a successful decryption means the information can be verified. After verification succeeds, AS returns to Client sessionkey-as encrypted with the Client password HASH, together with the TGT (sessionkey-as, TimeStamp and other information encrypted with the KRBTGT HASH).

(2) The Ticket-Granting Service (TGS) Exchange

KRB_TGS_REQ

Client -> TGS: sends Authenticator2 (TimeStamp encrypted with sessionkey-as) and the ticket TGT (sessionkey-as and TimeStamp encrypted with the KRBTGT HASH)

After receiving the encrypted sessionkey-as and the TGT, Client decrypts sessionkey-as with its own password. The TGT is encrypted with the KDC (KRBTGT) password, so Client cannot decrypt it. Client now uses sessionkey-as to encrypt a TimeStamp and sends it together with the TGT to the TGS (Ticket Granting Server) in the KDC, in exchange for a ticket that can access Server.

KRB_TGS_REP

TGS -> Client: sends ciphertext 1 (sessionkey-tgs encrypted with sessionkey-as) and the ticket ST (sessionkey-tgs encrypted with the Server password HASH)

After TGS receives the TGT and the TimeStamp encrypted with sessionkey-as, it first checks whether the requested service exists. If it does, TGS decrypts the TGT with the KRBTGT password. TGS normally also checks the timestamp in the TGT to see whether it has expired and whether the source address matches the address saved in the TGT. After verification succeeds, TGS sends Client sessionkey-tgs encrypted with sessionkey-as, together with the ST (sessionkey-tgs encrypted with the Server password HASH).

(3) The Client/Server Authentication Exchange

KRB_AP_REQ

Client -> Server: sends Authenticator3 (TimeStamp encrypted with sessionkey-tgs) and the ticket ST (sessionkey-tgs encrypted with the Server password HASH)

Client receives sessionkey-tgs encrypted with sessionkey-as and the ST (sessionkey-tgs encrypted with the Server password HASH), decrypts sessionkey-tgs with sessionkey-as, and then sends a TimeStamp encrypted with sessionkey-tgs together with the ST to Server.

KRB_AP_REP

Server -> Client

Server decrypts ST with its own password to obtain sessionkey-tgs, then decrypts Authenticator3 with sessionkey-tgs to obtain the TimeStamp. If the TimeStamp checks out, authentication succeeds.

This is the Kerberos authentication process. For more detail, refer to the link below.

https://tools.ietf.org/html/rfc4120.html
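As an added illustration of the three exchanges above (example code written for this article, not part of the original post or of any Kerberos implementation), the script below models Client, AS, TGS and Server with the same message contents: sessionkey-as under the client key, a TGT under the KRBTGT key, an ST under the service account key, and timestamp authenticators. The encryption routine is a constructed XOR/HMAC stand-in for the real Kerberos encryption types, and the account names and passwords form a constructed lab mirroring the article's (tsvc with admin1234! is the value the article later recovers; the other secrets are placeholders).

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds: authenticators whose timestamp is older than this are rejected

def key_from_password(pw):
    """The "password HASH" the article refers to, used directly as a key (toy)."""
    return hashlib.sha256(pw.encode()).digest()

def _keystream(key, n):
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Constructed authenticated encryption standing in for a Kerberos etype: XOR + HMAC."""
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))

def check_time(ts):
    if abs(time.time() - ts) > MAX_SKEW:
        raise ValueError("authenticator timestamp outside allowed skew (replay?)")

class KDC:
    """AS and TGS together; holds the password-derived key of every principal."""
    def __init__(self, passwords, spns):
        self.keys = {p: key_from_password(pw) for p, pw in passwords.items()}
        self.spns = spns  # SPN -> account that registered it (from LDAP in real AD)

    def as_exchange(self, client, authenticator1):        # KRB_AS_REQ -> KRB_AS_REP
        check_time(unseal(self.keys[client], authenticator1)["timestamp"])
        sk_as = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "sessionkey_as": sk_as,
                                         "timestamp": time.time()})
        return seal(self.keys[client], {"sessionkey_as": sk_as}), tgt

    def tgs_exchange(self, spn, authenticator2, tgt):     # KRB_TGS_REQ -> KRB_TGS_REP
        account = self.spns[spn]                          # KeyError: no such service
        body = unseal(self.keys["krbtgt"], tgt)           # only the KDC can open a TGT
        sk_as = bytes.fromhex(body["sessionkey_as"])
        check_time(unseal(sk_as, authenticator2)["timestamp"])
        sk_tgs = os.urandom(16).hex()
        st = seal(self.keys[account], {"client": body["client"], "spn": spn,
                                       "sessionkey_tgs": sk_tgs})
        return seal(sk_as, {"sessionkey_tgs": sk_tgs}), st

def server_accept(service_key, authenticator3, st):       # KRB_AP_REQ -> KRB_AP_REP
    body = unseal(service_key, st)                        # the ST opens only with the service key
    sk_tgs = bytes.fromhex(body["sessionkey_tgs"])
    check_time(unseal(sk_tgs, authenticator3)["timestamp"])
    return body["client"], seal(sk_tgs, {"timestamp": time.time()})

def run_exchange(kdc, user, password, spn, service_key):
    """Drives both sides of all three exchanges; returns the accepted client name and the ST."""
    ckey = key_from_password(password)
    rep, tgt = kdc.as_exchange(user, seal(ckey, {"timestamp": time.time()}))
    sk_as = bytes.fromhex(unseal(ckey, rep)["sessionkey_as"])
    rep2, st = kdc.tgs_exchange(spn, seal(sk_as, {"timestamp": time.time()}), tgt)
    sk_tgs = bytes.fromhex(unseal(sk_as, rep2)["sessionkey_tgs"])
    who, _ap_rep = server_accept(service_key, seal(sk_tgs, {"timestamp": time.time()}), st)
    return who, st

# Constructed lab mirroring the article: user ts1 on S1, service account tsvc on S2.
LAB_KDC = KDC({"krbtgt": "<random-krbtgt-secret>", "ts1": "<ts1-password>", "tsvc": "admin1234!"},
              {"MSSQLSvc/s2.yunying.lab:1433": "tsvc"})

if __name__ == "__main__":
    who, st = run_exchange(LAB_KDC, "ts1", "<ts1-password>",
                           "MSSQLSvc/s2.yunying.lab:1433", key_from_password("admin1234!"))
    print("S2 accepted client", who, "- ST length", len(st))
```

Note that the client never needs the service key and the KDC never reveals it; the ST reaches the client as an opaque blob that only the service account's password-derived key opens, which is exactly why the Kerberoasting section later treats the ST as crackable material.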

3. PAC

The exchanges in the original Kerberos design show how to prove that Client is really Client and not an impostor, but they say nothing about whether Client is allowed to access the service on Server, even though users with different permissions in the domain can access different resources.

To solve this problem, Microsoft added the concept of the PAC when implementing Kerberos. PAC stands for Privilege Attribute Certificate. In the train analogy, the train has first-class and second-class seats, and the PAC is how the different levels of privilege are distinguished.

(1) Implementation of PAC

Once authentication between the user and KDC is complete and Client wants to access a service provided by Server, Server has to determine whether the user has the right to do so. Server passes information such as the User SID of Client to KDC; KDC uses the SID to determine the user's group membership and rights and returns the result to Server; Server compares this information with the ACL of the resource the user requested and finally decides whether to provide the service to the user.

The PAC is encrypted and sent to Client by AS inside the TGT in KRB_AS_REP, then forwarded by Client to TGS, which verifies it for the service Client requests.

The PAC includes two digital signatures, PAC_SERVER_CHECKSUM and PAC_PRIVSVR_CHECKSUM, which are computed with the Server password HASH and the KDC password HASH respectively.

After TGS decrypts the TGT it verifies that the signatures are correct, then builds a new PAC and returns it to the client inside the ST; the client sends the ST to the server for verification.

(2) Server and KDC

The PAC can be understood as a string of check information. To prevent forgery and tampering it is, in principle, stored in the TGT, and the TGT is encrypted with the KDC hash. At the same time there are two digital signatures at the end, keyed with the KDC password and the server password, to prevent the signatures themselves from being tampered with.

The PAC also specifies a fixed User SID and Group IDs, as well as time and other information. After receiving the ST, the service program on Server decrypts the PAC and sends the PAC digital signature to KDC for verification; KDC returns the result to Server as an RPC return code.

0x03 Kerberos and SPN

1 Brief introduction of SPN

A service principal name (SPN, Service Principal Name) is the unique identifier of a service instance (which can be understood as a service, such as HTTP or MSSQL). Kerberos authentication uses the SPN to associate a service instance with a service logon account. If you install multiple service instances on computers throughout the forest or domain, each instance must have its own SPN. A given service instance can have multiple SPNs if clients may authenticate with multiple names. An SPN always contains the name of the host on which the service instance runs, so a service instance can register an SPN for each name or alias of its host.

Put in one sentence: if you want a service to authenticate with the Kerberos protocol, its SPN must be configured correctly.

2 SPN format and configuration:

There are four elements in the syntax of an SPN, two required and two optional; <service class> and <host> are the required elements:

<service class>/<host>:<port>/<service name>

<service class>: a string that identifies the class of service

<host>: the name of the host on which the service runs

<port>: the service port

<service name>: the service name

Example:

To register an SPN for the MSSQL service on host S2 in the domain, I can use the command:

setspn -A MSSQLSvc/s2.yunying.lab:1433 tsvc

After the registration is successful, you can use the following two commands to view the registered SPN.

setspn -Q */*

setspn -T yunying.lab -Q */*

SPN must be unique in the forest in which it is registered. If it is not unique, authentication will fail.

When registering an SPN you can use a NetBIOS name, such as S2, or an FQDN (Fully Qualified Domain Name), such as s2.yunying.lab. It may happen that an SPN registered under one name cannot be accessed successfully; if it is not configured correctly, try the other name.

In general, host-based services omit the last two components, leaving the format <service class>/<host>:

MSSQLSvc/s2.yunying.lab

If the service uses a non-default port, or there are multiple service instances on the host, include the port number or the service name:

MSSQLSvc/s2.yunying.lab:1433

3 SPN scanning

Having learned about Kerberos and SPNs, we can use SPNs to obtain the information we want. For example, if we want to know which hosts in the domain have which services installed, we no longer need a mass network port scan. In a large domain more than one service usually registers an SPN, so the services in the domain can be enumerated with an "SPN scan". Compared with ordinary network port scanning, the advantage is that no direct connection to the service hosts is needed, so it is less conspicuous.

(1) Scanning tools

There are many scanning tools; here are some of the more common ones:

Load each PowerShell script with the Import-Module command before using it.

Discover-PSMSSQLServers:

Discover-PSMSSQLServers is a tool in the Powershell-AD-Recon toolset that queries registered SPNs of type MSSQL.

GetUserSPNs:

GetUserSPNs is a PowerShell script in the Kerberoast toolset that queries the SPNs registered in the domain.

PowerView:

PowerView is a PowerShell script developed by Will Schroeder (https://twitter.com/harmj0y), which is included in both PowerSploit and Empire. Compared with the tools above, PowerView returns more detailed information, based on the objectSid of each user.

There are other scripts that use essentially the same method; choose whichever tool suits you. Download links for the tools used in this article are given at the bottom of the article.

(2) Explanation of the principle

During an SPN scan we learn the SPNs that have been registered on the intranet directly through scripts or commands. To understand how this is implemented, we need to mention the LDAP protocol.

LDAP stands for Lightweight Directory Access Protocol. It is a directory service communication protocol used to query and update Active Directory. AD Domain Services use LDAP naming paths to represent the location of objects within AD, so that those objects can be accessed.

How LDAP data is organized:

More intuitively, LDAP can be understood as a database that stores all kinds of configuration information about the hosts in the domain.

The ADSI editor, Active Directory Service Interfaces Editor (ADSI Edit), is installed by default on the domain controller. It is an LDAP editor that can be opened by running adsiedit.msc on the domain controller (it is also available on member servers, but only the domain controller holds configuration information for the entire domain).

With adsiedit.msc we can view and edit the LDAP data; querying an SPN is in fact querying content stored in LDAP.

For example, in our experimental domain YUNYING.LAB there is an OU named svcserver (Organizational Unit, which can be understood as a department, such as development or finance) containing the user tsvc, and there you can see the SPN content registered by tsvc.

When we run the following command on a host to query the SPNs in the domain:

setspn -T yunying.lab -Q */*

a packet capture shows that the SPN contents are retrieved through the LDAP protocol from the LDAP service installed on the domain controller.

So in fact those PowerShell scripts mainly query the contents of LDAP, filter the returned results and display them.
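The scripts just described parse the servicePrincipalName values returned by LDAP. The added example below (written for this article, not taken from any of the tools named) does the same parsing on constructed records and applies two defender-side checks from the SPN section above: SPNs registered more than once, which break authentication, and SPNs held by user accounts. The websvc account and all records are constructed.

```python
import re
from collections import defaultdict

# <service class>/<host>[:<port or instance>][/<service name>]; for MSSQLSvc the
# position after ':' may carry an instance name (MSSQLSvc/s2:SQLEXPRESS) instead of a port.
SPN_RE = re.compile(r"^(?P<cls>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>[^/]+))?(?:/(?P<name>[^/]+))?$")

def parse_spn(spn):
    """Split an SPN into its four elements; port becomes an int when it is numeric."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    d = m.groupdict()
    d["host"] = d["host"].lower()  # NetBIOS and FQDN forms are both accepted
    if d["port"] and d["port"].isdigit():
        d["port"] = int(d["port"])
    return d

# Constructed records in the shape of the LDAP attributes the scripts query
# (sAMAccountName, objectClass, servicePrincipalName); not a real capture.
LDAP_RESULTS = [
    {"sAMAccountName": "DC$", "objectClass": "computer",
     "servicePrincipalName": ["ldap/dc.yunying.lab", "HOST/DC", "HOST/dc.yunying.lab"]},
    {"sAMAccountName": "S2$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/S2", "HOST/s2.yunying.lab"]},
    {"sAMAccountName": "tsvc", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/s2.yunying.lab:1433", "MSSQLSvc/s2:SQLEXPRESS"]},
    {"sAMAccountName": "websvc", "objectClass": "user",   # hypothetical account
     "servicePrincipalName": ["HTTP/web.yunying.lab", "MSSQLSvc/s2.yunying.lab:1433"]},
]

def audit_spns(records):
    """Inventory service classes per host and flag what a defender cares about:
    SPNs registered on more than one account (authentication fails, see above)
    and SPNs held by user accounts, whose password-derived keys protect their STs."""
    owners, by_host, user_spns = defaultdict(list), defaultdict(set), defaultdict(list)
    for rec in records:
        for spn in rec["servicePrincipalName"]:
            p = parse_spn(spn)
            owners[spn.lower()].append(rec["sAMAccountName"])  # AD matches SPNs case-insensitively
            by_host[p["host"]].add(p["cls"])
            if rec["objectClass"] == "user":
                user_spns[rec["sAMAccountName"]].append(spn)
    return {
        "services_by_host": {h: sorted(c) for h, c in by_host.items()},
        "duplicates": {s: o for s, o in owners.items() if len(o) > 1},
        "user_accounts_with_spn": dict(user_spns),
    }

if __name__ == "__main__":
    for key, value in audit_spns(LDAP_RESULTS).items():
        print(key, value)
```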

0x04 Kerberoasting

In the introduction to the Kerberos authentication process above, it was said that in KRB_TGS_REP the TGS returns a ticket ST to Client, and that the ST is encrypted with the password of the Server requested by Client. When the Kerberos policy sets tickets to be encrypted with RC4, we can obtain the Server-side password by cracking the ST obtained on the Client side offline.

The following figure shows how to set the Kerberos encryption types, which can be configured in "Group Policy Management" on the domain controller:

After the setting is completed, run "gpupdate" to refresh group policy so that the policy takes effect.

1 Early Kerberoasting

The Kerberoasting attack was proposed by Tim Medin (https://twitter.com/TimMedin). Let's demonstrate it with an experiment.

Experimental environment:

Domain: YUNYING.LAB

Domain controller: Windows Server 2008 R2 x64 (DC)

Domain host: Windows 7 x64 (S1), user ts1

Domain host: Windows Server 2008 R2 x64 (S2), user tsvc

Required tools:

Kerberoast toolkit

Mimikatz

Attack flow:

First, run an SPN scan on host S1 in the domain with GetUserSPNs.ps1 from Kerberoast.

You can also use the GetUserSPNs.vbs tool.

Second, based on the scan results, use the KerberosRequestorSecurityToken class provided by Microsoft to send a Kerberos request and obtain the ST.

(For details of this class, see https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?redirectedfrom=MSDN&view=netframework-4.7.2.)

PS C:\> Add-Type -AssemblyName System.IdentityModel

PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/s2:1433"

You can see that this process obtains the RC4-encrypted ticket through the four steps AS-REQ, AS-REP, TGS-REQ and TGS-REP.

Third, the requested ticket is kept in memory; the Kerberos tickets in the current session can be listed with the klist command.

Export it with mimikatz.

Use the tgsrepcrack.py tool in the Kerberoast toolset to crack it offline; the password of the tsvc account, admin1234!, is recovered.

2 The "new posture" of Kerberoasting

Experimental environment:

Domain: YUNYING.LAB

Domain controller: Windows Server 2008 R2 x64 (DC)

Domain host: Windows 7 x64 (S1), user ts1

Domain host: Windows Server 2008 R2 x64 (S2), user tsvc

Required tools:

Invoke-Kerberoast.ps1

HashCat

Attack flow:

In the earlier Kerberoasting you needed to export the ticket from memory with mimikatz; Invoke-Kerberoast instead extracts the raw bytes of the ticket from the network exchange and converts them into a string that John the Ripper or Hashcat can crack directly.

The environment is unchanged; the Invoke-Kerberoast script is run on host S1 (the Invoke-Kerberoast.ps1 from Empire is used here).

Invoke-Kerberoast -OutputFormat Hashcat | fl

The -OutputFormat parameter selects the output format: John the Ripper or Hashcat. Hashcat is used here.

This script requests access to the SPN MSSQLSvc/s2.yunying.lab:1433. Looking at the packet capture, you can see that the Hash value output by Invoke-Kerberoast is the content of the ticket returned in TGS-REP, spliced into a format that Hashcat can crack directly (starting with $krb5tgs$23*).

Save the output to a file, or redirect it directly to a TXT file:

PS C:\> Invoke-Kerberoast -OutputFormat Hashcat | fl > test1.txt

Then crack it with Hashcat:

PS C:\> hashcat64.exe -m 13100 test1.txt password.list --force

You can see that the hash is cracked offline and the S2 password admin1234 is output. Here -m selects the hash type; 13100 corresponds to Kerberos 5 TGS-REP ciphertext.

Hashcat supports many hash types, such as NTLM. For the full list, see: https://hashcat.net/wiki/doku.php?id=example_hashes

3. The implementation of Invoke-Kerberoast

The first time I did this experiment I searched GitHub directly for Invoke-Kerberoast. At that time I downloaded https://github.com/malachitheninja/Invoke-Kerberoast, but after downloading I found that the tool from this address could not be used properly. Looking at the code, I found that there was a problem with the format of the string concatenation, and the output did not conform to the Hashcat format. So I used the Invoke-Kerberoast.ps1 script in Empire directly (download address: https://github.com/EmpireProject/Empire). Let's use this script to illustrate.

In Invoke-Kerberoast, the main flow of the script can be seen through two key functions: function Invoke-Kerberoast {} and function Get-DomainSPNTicket {}.

First, within Invoke-Kerberoast, the function Get-DomainUser queries the LDAP content stored for all users in the domain; krbtgt is removed and the rest is passed to Get-DomainSPNTicket through the pipe character.

The output of Get-DomainUser (-ErrorAction "SilentlyContinue" suppresses the red error output in PowerShell and can also simply be removed):

After receiving the output of Get-DomainUser, the function Get-DomainSPNTicket extracts the value of the SPN (ServicePrincipalName) field and assigns the first of those values to the variable UserSPN. If we add an echo statement to the code and run it, we can see that this time the first entry in the SPN list, MSSQLSvc/s2:SQLEXPRESS, is selected.

The Kerberos request is sent through the GetRequest() method of the KerberosRequestorSecurityToken class. The ticket content is then extracted from the return value by pattern matching.

The extracted ticket value is assembled into the format required by Hashcat and assigned to the variable HashFormat, which is the value we can eventually crack with Hashcat or John the Ripper.

Similarly, the variable $Etype in the highlighted box above has the value 23, which is the identifier of the RC4 encryption type.

To sum up, the essence of Kerberoasting is to recover a password by cracking the ticket content that TGS returns to Client in the KRB_TGS_REP step of Kerberos authentication. The cracking is done offline, which makes the process harder to notice.
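The cracking is offline, but the ST request itself is not: the KDC logs every TGS-REP on the domain controller as event 4769, including the ticket encryption type (0x17 for RC4, etype 23). The added example below (written for this article; the log lines are constructed, not real captures) flags an account that obtains RC4 service tickets for several user service accounts within a short window, which is the pattern the scripts above produce, while ignoring computer accounts, krbtgt and AES tickets.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Ticket Encryption Type for etype 23 (RC4-HMAC), i.e. "$krb5tgs$23$" hashes

# Constructed 4769 ("A Kerberos service ticket was requested") records flattened to
# key=value form; the accounts and addresses are made up for this example.
EVENTS = [
    "2019-06-02T10:00:01 EventID=4769 TargetUserName=ts1@YUNYING.LAB ServiceName=tsvc TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.11 Status=0x0",
    "2019-06-02T10:00:02 EventID=4769 TargetUserName=ts1@YUNYING.LAB ServiceName=websvc TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.11 Status=0x0",
    "2019-06-02T10:00:02 EventID=4769 TargetUserName=ts1@YUNYING.LAB ServiceName=sqlsvc2 TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.11 Status=0x0",
    "2019-06-02T10:00:03 EventID=4769 TargetUserName=ts1@YUNYING.LAB ServiceName=S2$ TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.11 Status=0x0",
    "2019-06-02T10:05:00 EventID=4769 TargetUserName=alice@YUNYING.LAB ServiceName=tsvc TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.20 Status=0x0",
    "2019-06-02T11:00:00 EventID=4769 TargetUserName=bob@YUNYING.LAB ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.30 Status=0x0",
]

def parse_event(line):
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["time"] = datetime.fromisoformat(ts)
    return ev

def is_rc4_user_service_ticket(ev):
    """A successful RC4 ST for a user service account is what Kerberoasting cracks
    offline. Computer accounts (name ends in $) and krbtgt have long random keys
    and are excluded; a single such request may still be a legacy application."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == "4769" and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def detect_kerberoasting(lines, threshold=3, window=timedelta(minutes=5)):
    """Map requester -> sorted service names when one account obtained RC4 STs
    for at least `threshold` distinct user service accounts within `window`."""
    per_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if is_rc4_user_service_ticket(ev):
            per_user[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                alerts[user] = sorted(services)
                break
    return alerts

if __name__ == "__main__":
    for user, services in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: RC4 STs for {services}")
```

Moving service accounts to AES-only keys (so 0x17 requests for them fail) and giving them long random passwords removes what this rule looks for; the remaining RC4 requests are then a short allowlist of legacy systems rather than noise.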

This is the answer to the question about the basic principles of Kerberos and what an SPN scan involves. I hope the above content is of some help. If you still have many questions, you can follow the industry information channel to learn more.
