Kerberoasting - Cooking with Fire
Kerberoasting - from Linux
Our enumeration up to this point has given us a broad picture of the domain and potential issues. We have enumerated user accounts and can see that some are configured with Service Principal Names. Let's see how we can leverage this to move laterally and escalate privileges in the target domain.
Kerberoasting Overview
Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments. This attack targets Service Principal Names (SPN) accounts.
SPNs are unique identifiers that Kerberos uses to map a service instance to a service account in whose context the service is running.
Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\LOCAL SERVICE. Any domain user can request a Kerberos ticket for any service account in the same domain. This is also possible across forest trusts if authentication is permitted across the trust boundary.
All you need to perform a Kerberoasting attack is an account's cleartext password (or NTLM hash), a shell in the context of a domain user account, or SYSTEM level access on a domain-joined host.
Finding SPNs associated with highly privileged accounts in a Windows environment is very common. Retrieving a Kerberos ticket for an account with an SPN does not by itself allow you to execute commands in the context of this account. However, the ticket (TGS-REP) is encrypted with the service account’s NTLM hash, so the cleartext password can potentially be obtained by subjecting it to an offline brute-force attack with a tool such as Hashcat.
Service accounts are often configured with weak or reused password to simplify administration, and sometimes the password is the same as the username. If the password for a domain SQL Server service account is cracked, you are likely to find yourself as a local admin on multiple servers, if not Domain Admin
For example, if the SPN is set to MSSQL/SRV01, we can access the MSSQL service as sysadmin, enable the xp_cmdshell extended procedure and gain code execution on the target SQL server.
Kerberoasting - Performing the Attack
Depending on your position in a network, this attack can be performed in multiple ways:
From a non-domain joined Linux host using valid domain user credentials.
From a domain-joined Linux host as root after retrieving the keytab file.
From a domain-joined Windows host authenticated as a domain user.
From a domain-joined Windows host with a shell in the context of a domain account.
As SYSTEM on a domain-joined Windows host.
From a non-domain joined Windows host using runas /netonly.
Several tools can be utilized to perform the attack:
Impacket’s GetUserSPNs.py from a non-domain joined Linux host.
A combination of the built-in setspn.exe Windows binary, PowerShell, and Mimikatz.
From Windows, utilizing tools such as PowerView, Rubeus, and other PowerShell scripts.
Obtaining a TGS ticket via Kerberoasting does not guarantee you a set of valid credentials, and the ticket must still be cracked offline with a tool such as Hashcat to obtain the cleartext password.
TGS tickets take longer to crack than other formats such as NTLM hashes, so often, unless a weak password is set, it can be difficult or impossible to obtain the cleartext using a standard cracking rig.
Efficacy of the Attack
While it can be a great way to move laterally or escalate privileges in a domain, Kerberoasting and the presence of SPNs do not guarantee us any level of access.
If cracking is successful High risk. If cracking is not successful Medium risk (passwords can always be changed to something weaker)
It is vital to make these types of distinctions in our reports and know when it's ok to lower the risk of a finding when mitigating controls (such as very strong passwords) are in place.
Performing the Attack
We can start by just gathering a listing of SPNs in the domain. To do this, we will need a set of valid domain credentials and the IP address of a Domain Controller. We can authenticate to the Domain Controller with a cleartext password, NT password hash, or even a Kerberos ticket.
Listing SPN Accounts with GetUserSPNs.py
We can now pull all TGS tickets for offline processing using the -request flag. The TGS tickets will be output in a format that can be readily provided to Hashcat or John the Ripper for offline password cracking attempts.
Requesting all TGS Tickets
We can also be more targeted and request just the TGS ticket for a specific account. Let's try requesting one for just the sqldev account.
Requesting a Single TGS ticket
With this ticket in hand, we could attempt to crack the user's password offline using Hashcat. If we are successful, we may end up with Domain Admin rights.
To facilitate offline cracking, it is always good to use the -outputfile flag to write the TGS tickets to a file that can then be run using Hashcat on our attack system or moved to a GPU cracking rig.
Saving the TGS Ticket to an Output File
Here we've written the TGS ticket for the sqldev user to a file named sqldev_tgs. Now we can attempt to crack the ticket offline using Hashcat hash mode 13100.
Cracking the Ticket Offline with Hashcat
Testing Authentication against a Domain Controller
Kerberoasting - from Windows
Before tools such as Rubeus existed, stealing or forging Kerberos tickets was a complex, manual process.
Let's begin with the built-in setspn binary to enumerate SPNs in the domain.
Enumerating SPNs with setspn.exe
We will notice many different SPNs returned for the various hosts in the domain. We will focus on user accounts and ignore the computer accounts returned by the tool.
Next, using PowerShell, we can request TGS tickets for an account in the shell above and load them into memory. Once they are loaded into memory, we can extract them using Mimikatz.
Before moving on, let's break down the commands above to see what we are doing (which is essentially what is used by Rubeus when using the default Kerberoasting method):
The Add-Type cmdlet is used to add a .NET framework class to our PowerShell session, which can then be instantiated like any .NET framework object
The
-AssemblyNameparameter allows us to specify an assembly that contains types that we are interested in usingSystem.IdentityModel is a namespace that contains different classes for building security token services
We'll then use the New-Object cmdlet to create an instance of a .NET Framework object
We'll use the System.IdentityModel.Tokens namespace with the KerberosRequestorSecurityToken class to create a security token and pass the SPN name to the class to request a Kerberos TGS ticket for the target account in our current logon session
We can also choose to retrieve all tickets using the same method, but this will also pull all computer accounts, so it is not optimal.
Now that the tickets are loaded, we can use Mimikatz to extract the ticket(s) from memory.
Extracting Tickets from Memory with Mimikatz
If we do not specify the base64 /out:true command, Mimikatz will extract the tickets and write them to .kirbi files. Depending on our position on the network and if we can easily move files to our attack host, this can be easier when we go to crack the tickets. Let's take the base64 blob retrieved above and prepare it for cracking.
Preparing the Base64 Blob for Cracking
We can place the above single line of output into a file and convert it back to a .kirbi file using the base64 utility.
Placing the Output into a File as .kirbi
Next, we can use this version of the kirbi2john.py tool to extract the Kerberos ticket from the TGS file.
Extracting the Kerberos Ticket using kirbi2john.py
This will create a file called crack_file. We then must modify the file a bit to be able to use Hashcat against the hash.
Modifiying crack_file for Hashcat
Now we can check and confirm that we have a hash that can be fed to Hashcat.
Viewing the Prepared Hash
We can then run the ticket through Hashcat
Cracking the Hash with Hashcat
Automated / Tool Based Route
Next, we'll cover two much quicker ways to perform Kerberoasting from a Windows host. First, let's use PowerView to extract the TGS tickets and convert them to Hashcat format. We can start by enumerating SPN accounts.
Using PowerView to Extract TGS Tickets
From here, we could target a specific user and retrieve the TGS ticket in Hashcat format.
Finally, we can export all tickets to a CSV file for offline processing.
Exporting All Tickets to a CSV File
Viewing the Contents of the .CSV File
We can also use Rubeus from GhostPack to perform Kerberoasting even faster and easier. Rubeus provides us with a variety of options for performing Kerberoasting.
Some options include:
Performing Kerberoasting and outputting hashes to a file
Using alternate credentials
Performing Kerberoasting combined with a pass-the-ticket attack
Performing "opsec" Kerberoasting to filter out AES-enabled accounts
Requesting tickets for accounts passwords set between a specific date range
Placing a limit on the number of tickets requested
Performing AES Kerberoasting
We can first use Rubeus to gather some stats. From the output below, we can see that there are nine Kerberoastable users, seven of which support RC4 encryption for ticket requests and two of which support AES 128/256. More on encryption types later. We also see that all nine accounts had their password set this year (2022 at the time of writing). If we saw any SPN accounts with their passwords set 5 or more years ago, they could be promising targets as they could have a weak password that was set and never changed when the organization was less mature.
Let's use Rubeus to request tickets for accounts with the admincount attribute set to 1.
Be sure to specify the /nowrap flag so that the hash can be more easily copied down for offline cracking using Hashcat.
A Note on Encryption Types
Kerberoasting tools typically request RC4 encryption when performing the attack and initiating TGS-REQ requests. This is because RC4 is weaker and easier to crack offline using tools such as Hashcat than other encryption algorithms such as AES-128 and AES-256. When performing Kerberoasting in most environments, we will retrieve hashes that begin with $krb5tgs$23$*, an RC4 (type 23) encrypted ticket.
Sometimes we will receive an AES-256 (type 18) encrypted hash or hash that begins with $krb5tgs$18$*. While it is possible to crack AES-128 (type 17) and AES-256 (type 18) TGS tickets using Hashcat, it will typically be significantly more time consuming than cracking an RC4 (type 23) encrypted ticket, but still possible especially if a weak password is chosen. Let's walk through an example.
Checking Supported Encryption Types
AES-256 (type 18): Kerberos 5, etype 18, TGS-REP (AES256-CTS-HMAC-SHA1-96)
We can use Rubeus with the /tgtdeleg flag to specify that we want only RC4 encryption when requesting a new service ticket.
This does not work against a Windows Server 2019 Domain Controller, regardless of the domain functional level. It will always return a service ticket encrypted with the highest level of encryption supported by the target account. This being said, if we find ourselves in a domain with Domain Controllers running on Server 2016 or earlier (which is quite common), enabling AES will not partially mitigate Kerberoasting by only returning AES encrypted tickets, which are much more difficult to crack, but rather will allow an attacker to request an RC4 encrypted service ticket. In Windows Server 2019 DCs, enabling AES encryption on an SPN account will result in us receiving an AES-256 (type 18) service ticket, which is substantially more difficult (but not impossible) to crack, especially if a relatively weak dictionary password is in use.
It is possible to edit the encryption types used by Kerberos. This can be done by opening Group Policy, editing the Default Domain Policy, and choosing: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, then double-clicking on Network security: Configure encryption types allowed for Kerberos and selecting the desired encryption type allowed for Kerberos.
Mitigation & Detection
An important mitigation for non-managed service accounts is to set a long and complex password or passphrase that does not appear in any word list and would take far too long to crack.
However, it is recommended to use Managed Service Accounts (MSA), and Group Managed Service Accounts (gMSA), which use very complex passwords, and automatically rotate on a set interval (like machine accounts) or accounts set up with LAPS.
When Kerberoasting is occurring in the environment, we will see an abnormal number of TGS-REQ and TGS-REP requests and responses, signaling the use of automated Kerberoasting tools. Domain controllers can be configured to log Kerberos TGS ticket requests by selecting Audit Kerberos Service Ticket Operations within Group Policy.
Doing so will generate two separate event IDs: 4769: A Kerberos service ticket was requested, and 4770: A Kerberos service ticket was renewed.
10-20 Kerberos TGS requests for a given account can be considered normal in a given environment. A large amount of 4769 event IDs from one account within a short period may indicate an attack.
Some other remediation steps include restricting the use of the RC4 algorithm, particularly for Kerberos requests by service accounts. This must be tested to make sure nothing breaks within the environment. Furthermore, Domain Admins and other highly privileged accounts should not be used as SPN accounts (if SPN accounts must exist in the environment).
Last updated
