Example Analysis of Kerberoasting attack

2025-01-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In this issue, the editor presents an example analysis of a Kerberoasting attack. The article is rich in content and analyzes the subject from a professional point of view; I hope you get something out of reading it.

0x01 introduction

When Windows 2000 and Active Directory were released, Microsoft intended to support Active Directory clients on Windows NT and Windows 95, which meant not only a variety of security issues but also more insecure configurations. It also meant that Microsoft had to ensure that the Kerberos protocol was supported on several different versions of Windows clients. A simple way to achieve this was to use the RC4 encryption algorithm in the Kerberos protocol with the NTLM password hash as the encryption key, which is then used to encrypt or sign Kerberos tickets. Therefore, for an attacker, once an NTLM password hash is obtained it can be used at will, including to regain Active Directory domain privileges (as in golden ticket and silver ticket attacks).

0x02 Kerberos communication flow

Here, let's walk through the Kerberos communication flow as it is commonly described online.

1. The user logs in with a user name and password.

1a. The plaintext password is converted to an NTLM hash, and the hash is used to encrypt a timestamp. The encrypted result is sent to the KDC as the authenticator in the Ticket Granting Ticket (TGT) request (AS-REQ).

1b. The domain controller (KDC) checks the user information (logon restrictions, group membership, etc.) and creates a Ticket Granting Ticket (TGT).

2. The TGT is encrypted, signed and returned to the user (AS-REP). Only the Kerberos service account in the domain (KRBTGT) can open and read the TGT data.

3. When the user requests a Ticket Granting Service (TGS) ticket (TGS-REQ), the TGT is sent to the DC. The DC opens the TGT and verifies the PAC checksum; if the DC can open the ticket and the checksum verifies, the TGT is valid. The data in the TGT is then copied and used to create the TGS ticket.

4. The TGS ticket is encrypted using the NTLM password hash of the target service account and sent to the user (TGS-REP).

5. The user connects to the appropriate port of the server hosting the service and sends the TGS ticket to the server (AP-REQ). The hosted service uses the NTLM password hash of its service account to open the TGS ticket.

6. This step happens only if mutual authentication is required (think of MS15-011, the hardened UNC path Group Policy patch released in February).

In step 4, the user receives a TGS ticket encrypted with the NTLM hash of the target service account, and the encryption algorithm is RC4-HMAC. Once we have this ticket, we can try candidate passwords exhaustively offline, generating a ticket from each candidate and comparing it with the captured one; a match means the password is correct.

There are then a few points you need to understand.

1. How a domain controller looks up the SPN of a service:

If the SPN is registered under a machine account (computers), the servicePrincipalName attribute of all machine accounts is queried to find the corresponding account.

If it is registered under a domain user account (users), the servicePrincipalName attribute of all domain user accounts is queried to find the corresponding account.

Once the corresponding account is found, its NTLM hash is used to generate the TGS ticket.

2. Any host in the domain can query SPNs.

3. Any user in the domain can request a TGS ticket for any service in the domain.

Therefore, any host in the domain can query SPNs, request TGS tickets for all services in the domain, and then brute-force them offline. However, of the plaintext passwords recovered, only domain user passwords are usable; a machine account password cannot be used for remote connections, so our focus is mainly on SPNs registered under domain user accounts.
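The two observations above (a captured TGS-REP encrypted with RC4-HMAC can be guessed offline, and any user can request service tickets for every SPN in the domain) give the defender a concrete signal: Windows Security event 4769 on the domain controllers records each service ticket request together with its encryption type. The script below is an added example, not code from the article; the 4769 field names are real, but the log lines are constructed sample data in a simplified key=value layout, and the burst threshold is an assumed value.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not from the original article. The field names
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are the
real 4769 fields, but the log lines below are constructed sample data in
a simplified key=value layout. Ticket encryption type 0x17 is RC4-HMAC,
the type requested and cracked in the article; 0x11/0x12 are AES.
Requires the "Audit Kerberos Service Ticket Operations" subcategory to
be enabled on domain controllers so that 4769 is logged at all.
"""
from collections import defaultdict

RC4_HMAC = 0x17

# Constructed sample 4769 events: one request per line.
SAMPLE_LOG = """\
4769 TargetUserName=win7@ZHUJIAN.COM ServiceName=SECQUAN_WIN7-PC$ TicketEncryptionType=0x12 IpAddress=192.168.5.238
4769 TargetUserName=win7@ZHUJIAN.COM ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=192.168.5.238
4769 TargetUserName=win7@ZHUJIAN.COM ServiceName=httpsvc TicketEncryptionType=0x17 IpAddress=192.168.5.238
4769 TargetUserName=win7@ZHUJIAN.COM ServiceName=backupsvc TicketEncryptionType=0x17 IpAddress=192.168.5.238
4769 TargetUserName=win7@ZHUJIAN.COM ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=192.168.5.238
4769 TargetUserName=alice@ZHUJIAN.COM ServiceName=sqlsvc TicketEncryptionType=0x17 IpAddress=192.168.5.77
4769 TargetUserName=alice@ZHUJIAN.COM ServiceName=FILESRV01$ TicketEncryptionType=0x17 IpAddress=192.168.5.77
"""


def parse_4769(line):
    """Turn one constructed log line into a dict; the encryption type becomes an int."""
    parts = line.split()
    if not parts or parts[0] != "4769":
        return None
    ev = dict(p.split("=", 1) for p in parts[1:])
    ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev


def is_roastable_request(ev):
    """RC4 service ticket for a non-machine, non-krbtgt service account.

    Machine accounts (sAMAccountName ending in $) are excluded because their
    passwords are long random values rotated automatically, and krbtgt is the
    TGT service, not a service ticket an attacker would roast.
    """
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["TicketEncryptionType"] == RC4_HMAC


def flag_events(log_text):
    """Return every parsed event that looks like a roastable ticket request."""
    events = (parse_4769(line) for line in log_text.splitlines())
    return [ev for ev in events if ev and is_roastable_request(ev)]


def burst_requesters(log_text, threshold=3):
    """Map requester -> sorted service accounts, for requesters that asked for
    RC4 tickets to at least `threshold` distinct service accounts. One
    principal collecting many service tickets is the classic Kerberoasting
    pattern (the article's "request TGS for all services" step); a real
    detector would also window by time. The threshold is an assumed value."""
    by_user = defaultdict(set)
    for ev in flag_events(log_text):
        by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= threshold}


if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOG):
        print("RC4 service ticket:", ev["TargetUserName"], "->", ev["ServiceName"], "from", ev["IpAddress"])
    for user, services in burst_requesters(SAMPLE_LOG).items():
        print("possible Kerberoasting by", user, ":", services)
```

On the sample data the single RC4 request by alice is reported as an event worth looking at, while win7, which collected RC4 tickets for three different service accounts, is reported as a burst. In a domain where service accounts are configured for AES, any 0x17 ticket for a user-held SPN is rare enough to alert on by itself.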

0x03 experiment

First of all, let's log in to the servers.

Domain controller: 192.168.5.130, Administrator / secquan.org666

Win7: 192.168.5.238, machine account SECQUAN_WIN7-PC\secquan_win7, machine password secquan.org666, domain user account ZHUJIAN\Win7, domain user password secquan.org123

We query the existing SPNs with the following command:

setspn -Q */*

Next, we register an SPN for the MSSQL service under the domain user:

setspn -A MSSQLSvc/SECQUAN_WIN7-PC.zhujian.com zhujian\win7

Then request a Kerberos service ticket for the SPN:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SECQUAN_WIN7-PC.zhujian.com"

There is one more ticket than before, and its encryption type is RC4-HMAC.

Then use mimikatz to export the ticket.

The ticket can then be fed to tgsrepcrack, or its hash saved so that hashcat can crack it.

Here we use tgsrepcrack for the test:

python tgsrepcrack.py mima.txt 1-40a00000-win7@MSSQLSvc~SECQUAN_WIN7-PC.zhujian.com-ZHUJIAN.COM.kirbi

The password is cracked successfully.

PS: the other tools are used in a similar way; the tools are much the same, and what matters is the dictionary.

0x04 Kerberoasting backdoor utilization

If we have the right to register SPNs, we can register an SPN on a chosen domain user, request the TGS ticket, and then crack the password.
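The backdoor above works only as long as a user account holds an SPN, is reachable with RC4, and has a guessable password, so the defender's counterpart is a periodic audit of exactly those conditions. The script below is an added example and not part of the article; its account records are constructed to resemble the AD attributes involved (sAMAccountName, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, memberOf), the bit values for msDS-SupportedEncryptionTypes are the documented ones, and treating an unset value as RC4-only, the one-year password age limit and the review date are assumptions made here.

```python
"""Audit of domain user accounts carrying SPNs (Kerberoasting exposure).

Added example, not from the article. The account records are constructed
to look like the AD attributes that matter; in a real environment they
would come from an LDAP query for (servicePrincipalName=*). The bit
values for msDS-SupportedEncryptionTypes are the documented ones;
treating an unset value as RC4-only, the password age limit and the
review date are assumptions made for this example.
"""
from datetime import date

RC4_HMAC = 0x04
AES128 = 0x08
AES256 = 0x10
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE_DAYS = 365  # assumed policy value

AS_OF = date(2025, 1, 27)  # constructed review date

# Constructed sample directory records.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "win7",
     "servicePrincipalName": ["MSSQLSvc/SECQUAN_WIN7-PC.zhujian.com"],
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": date(2024, 1, 1), "memberOf": []},
    {"sAMAccountName": "SECQUAN_WIN7-PC$",
     "servicePrincipalName": ["HOST/SECQUAN_WIN7-PC.zhujian.com"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256 | RC4_HMAC,
     "pwdLastSet": date(2025, 1, 10), "memberOf": []},
    {"sAMAccountName": "alice", "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": date(2023, 6, 1), "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_backup",
     "servicePrincipalName": ["backup/bk01.zhujian.com"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256,
     "pwdLastSet": date(2024, 12, 1), "memberOf": ["Domain Admins"]},
]


def account_findings(acct, as_of=AS_OF):
    """Findings for one account; an empty list means nothing roastable."""
    findings = []
    spns = acct.get("servicePrincipalName") or []
    if not spns or acct["sAMAccountName"].endswith("$"):
        # No SPN: no service ticket can be requested for this account.
        # Machine account: password is a long random value rotated
        # automatically, not a dictionary target.
        return findings
    findings.append("user account holds SPN(s): " + ", ".join(spns))
    etypes = acct.get("msDS-SupportedEncryptionTypes") or 0
    if not etypes & (AES128 | AES256):
        findings.append("no AES encryption types configured; service tickets will be RC4-HMAC")
    age = (as_of - acct["pwdLastSet"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password unchanged for {age} days")
    priv = PRIVILEGED_GROUPS & set(acct.get("memberOf", []))
    if priv:
        findings.append("account is privileged: " + ", ".join(sorted(priv)))
    return findings


def audit(accounts, as_of=AS_OF):
    """Map sAMAccountName -> findings for every account with at least one finding."""
    report = {}
    for acct in accounts:
        findings = account_findings(acct, as_of)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against real directory data, each finding maps to a fix: move the service to a group managed service account or a long random password, set AES-only encryption types on the account so RC4 tickets are no longer issued, and keep SPNs off privileged accounts. A newly appearing SPN on an ordinary user account, which is what the backdoor in this section creates, shows up in the first finding on the next run.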

The above is the example analysis of the Kerberoasting attack shared by the editor. If you have similar questions, you may refer to the analysis above to understand it. If you want to learn more, you are welcome to follow the industry information channel.
