Kerberoasting - Cooking with Fire
Last updated
Last updated
Our enumeration up to this point has given us a broad picture of the domain and potential issues. We have enumerated user accounts and can see that some are configured with Service Principal Names. Let's see how we can leverage this to move laterally and escalate privileges in the target domain.
Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments. This attack targets accounts.
SPNs are unique identifiers that Kerberos uses to map a service instance to a service account in whose context the service is running.
Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\LOCAL SERVICE. Any domain user can request a Kerberos ticket for any service account in the same domain. This is also possible across forest trusts if authentication is permitted across the trust boundary.
All you need to perform a Kerberoasting attack is an account's cleartext password (or NTLM hash), a shell in the context of a domain user account, or SYSTEM level access on a domain-joined host.
Finding SPNs associated with highly privileged accounts in a Windows environment is very common. Retrieving a Kerberos ticket for an account with an SPN does not by itself allow you to execute commands in the context of this account. However, the ticket (TGS-REP) is encrypted with the service account’s NTLM hash, so the cleartext password can potentially be obtained by subjecting it to an offline brute-force attack with a tool such as Hashcat.
Service accounts are often configured with weak or reused password to simplify administration, and sometimes the password is the same as the username. If the password for a domain SQL Server service account is cracked, you are likely to find yourself as a local admin on multiple servers, if not Domain Admin
For example, if the SPN is set to MSSQL/SRV01, we can access the MSSQL service as sysadmin, enable the xp_cmdshell extended procedure and gain code execution on the target SQL server.
Depending on your position in a network, this attack can be performed in multiple ways:
From a non-domain joined Linux host using valid domain user credentials.
From a domain-joined Linux host as root after retrieving the keytab file.
From a domain-joined Windows host authenticated as a domain user.
From a domain-joined Windows host with a shell in the context of a domain account.
As SYSTEM on a domain-joined Windows host.
From a non-domain joined Windows host using /netonly.
Several tools can be utilized to perform the attack:
A combination of the built-in setspn.exe Windows binary, PowerShell, and Mimikatz.
Obtaining a TGS ticket via Kerberoasting does not guarantee you a set of valid credentials, and the ticket must still be cracked offline with a tool such as Hashcat to obtain the cleartext password.
TGS tickets take longer to crack than other formats such as NTLM hashes, so often, unless a weak password is set, it can be difficult or impossible to obtain the cleartext using a standard cracking rig.
While it can be a great way to move laterally or escalate privileges in a domain, Kerberoasting and the presence of SPNs do not guarantee us any level of access.
If cracking is successful High risk. If cracking is not successful Medium risk (passwords can always be changed to something weaker)
It is vital to make these types of distinctions in our reports and know when it's ok to lower the risk of a finding when mitigating controls (such as very strong passwords) are in place.
We can start by just gathering a listing of SPNs in the domain. To do this, we will need a set of valid domain credentials and the IP address of a Domain Controller. We can authenticate to the Domain Controller with a cleartext password, NT password hash, or even a Kerberos ticket.
Listing SPN Accounts with GetUserSPNs.py
We can now pull all TGS tickets for offline processing using the -request flag. The TGS tickets will be output in a format that can be readily provided to Hashcat or John the Ripper for offline password cracking attempts.
Requesting all TGS Tickets
We can also be more targeted and request just the TGS ticket for a specific account. Let's try requesting one for just the sqldev account.
Requesting a Single TGS ticket
With this ticket in hand, we could attempt to crack the user's password offline using Hashcat. If we are successful, we may end up with Domain Admin rights.
To facilitate offline cracking, it is always good to use the -outputfile flag to write the TGS tickets to a file that can then be run using Hashcat on our attack system or moved to a GPU cracking rig.
Saving the TGS Ticket to an Output File
Here we've written the TGS ticket for the sqldev user to a file named sqldev_tgs. Now we can attempt to crack the ticket offline using Hashcat hash mode 13100.
Cracking the Ticket Offline with Hashcat
Testing Authentication against a Domain Controller
Before tools such as Rubeus existed, stealing or forging Kerberos tickets was a complex, manual process.
Enumerating SPNs with setspn.exe
We will notice many different SPNs returned for the various hosts in the domain. We will focus on user accounts and ignore the computer accounts returned by the tool.
Next, using PowerShell, we can request TGS tickets for an account in the shell above and load them into memory. Once they are loaded into memory, we can extract them using Mimikatz.
The -AssemblyName parameter allows us to specify an assembly that contains types that we are interested in using
We can also choose to retrieve all tickets using the same method, but this will also pull all computer accounts, so it is not optimal.
Now that the tickets are loaded, we can use Mimikatz to extract the ticket(s) from memory.
If we do not specify the base64 /out:true command, Mimikatz will extract the tickets and write them to .kirbi files. Depending on our position on the network and if we can easily move files to our attack host, this can be easier when we go to crack the tickets. Let's take the base64 blob retrieved above and prepare it for cracking.
Preparing the Base64 Blob for Cracking
We can place the above single line of output into a file and convert it back to a .kirbi file using the base64 utility.
Placing the Output into a File as .kirbi
Extracting the Kerberos Ticket using kirbi2john.py
This will create a file called crack_file. We then must modify the file a bit to be able to use Hashcat against the hash.
Modifiying crack_file for Hashcat
Now we can check and confirm that we have a hash that can be fed to Hashcat.
Viewing the Prepared Hash
We can then run the ticket through Hashcat
Cracking the Hash with Hashcat
Using PowerView to Extract TGS Tickets
From here, we could target a specific user and retrieve the TGS ticket in Hashcat format.
Finally, we can export all tickets to a CSV file for offline processing.
Exporting All Tickets to a CSV File
Viewing the Contents of the .CSV File
Some options include:
Performing Kerberoasting and outputting hashes to a file
Using alternate credentials
Performing Kerberoasting combined with a pass-the-ticket attack
Performing "opsec" Kerberoasting to filter out AES-enabled accounts
Requesting tickets for accounts passwords set between a specific date range
Placing a limit on the number of tickets requested
Performing AES Kerberoasting
We can first use Rubeus to gather some stats. From the output below, we can see that there are nine Kerberoastable users, seven of which support RC4 encryption for ticket requests and two of which support AES 128/256. More on encryption types later. We also see that all nine accounts had their password set this year (2022 at the time of writing). If we saw any SPN accounts with their passwords set 5 or more years ago, they could be promising targets as they could have a weak password that was set and never changed when the organization was less mature.
Let's use Rubeus to request tickets for accounts with the admincount attribute set to 1.
Be sure to specify the /nowrap flag so that the hash can be more easily copied down for offline cracking using Hashcat.
Checking Supported Encryption Types
AES-256 (type 18): Kerberos 5, etype 18, TGS-REP (AES256-CTS-HMAC-SHA1-96)
We can use Rubeus with the /tgtdeleg flag to specify that we want only RC4 encryption when requesting a new service ticket.
It is possible to edit the encryption types used by Kerberos. This can be done by opening Group Policy, editing the Default Domain Policy, and choosing: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, then double-clicking on Network security: Configure encryption types allowed for Kerberos and selecting the desired encryption type allowed for Kerberos.
An important mitigation for non-managed service accounts is to set a long and complex password or passphrase that does not appear in any word list and would take far too long to crack.
10-20 Kerberos TGS requests for a given account can be considered normal in a given environment. A large amount of 4769 event IDs from one account within a short period may indicate an attack.
Some other remediation steps include restricting the use of the RC4 algorithm, particularly for Kerberos requests by service accounts. This must be tested to make sure nothing breaks within the environment. Furthermore, Domain Admins and other highly privileged accounts should not be used as SPN accounts (if SPN accounts must exist in the environment).
In bloodhound
Impacket’s from a non-domain joined Linux host.
From Windows, utilizing tools such as PowerView, , and other PowerShell scripts.
Let's begin with the built-in binary to enumerate SPNs in the domain.
Before moving on, let's break down the commands above to see what we are doing (which is essentially what is used by when using the default Kerberoasting method):
The cmdlet is used to add a .NET framework class to our PowerShell session, which can then be instantiated like any .NET framework object
is a namespace that contains different classes for building security token services
We'll then use the cmdlet to create an instance of a .NET Framework object
We'll use the namespace with the class to create a security token and pass the SPN name to the class to request a Kerberos TGS ticket for the target account in our current logon session
Next, we can use version of the kirbi2john.py tool to extract the Kerberos ticket from the TGS file.
Next, we'll cover two much quicker ways to perform Kerberoasting from a Windows host. First, let's use to extract the TGS tickets and convert them to Hashcat format. We can start by enumerating SPN accounts.
We can also use from GhostPack to perform Kerberoasting even faster and easier. Rubeus provides us with a variety of options for performing Kerberoasting.
Kerberoasting tools typically request RC4 encryption when performing the attack and initiating TGS-REQ requests. This is because RC4 is and easier to crack offline using tools such as Hashcat than other encryption algorithms such as AES-128 and AES-256. When performing Kerberoasting in most environments, we will retrieve hashes that begin with $krb5tgs$23$*, an RC4 (type 23) encrypted ticket.
Sometimes we will receive an AES-256 (type 18) encrypted hash or hash that begins with $krb5tgs$18$*. While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using , it will typically be significantly more time consuming than cracking an RC4 (type 23) encrypted ticket, but still possible especially if a weak password is chosen. Let's walk through an example.
However, it is recommended to use , and , which use very complex passwords, and automatically rotate on a set interval (like machine accounts) or accounts set up with LAPS.
When Kerberoasting is occurring in the environment, we will see an abnormal number of TGS-REQ and TGS-REP requests and responses, signaling the use of automated Kerberoasting tools. Domain controllers can be configured to log Kerberos TGS ticket requests by selecting within Group Policy.
Doing so will generate two separate event IDs: : A Kerberos service ticket was requested, and : A Kerberos service ticket was renewed.
