AD - Kerberoasting Attacks

Overview

Description

Kerberoasting is a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name (“SPN”).

In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN. The retrieved Kerberos ticket is encrypted with the hash of the service account password affiliated with the SPN. (An SPN is an attribute that ties a service to a user account within the AD). The adversary then works offline to crack the password hash, often using brute force techniques.

Once the plaintext credentials of the service account are obtained, the adversary can impersonate the account owner and inherit access to any systems, assets or networks granted to the compromised account.

Reference: https://www.crowdstrike.com/cybersecurity-101/kerberoasting/#:~:text=Kerberoasting%20is%20a%20post%2Dexploitation,Kerberos%20ticket%20for%20an%20SPN

Tasks

Lab Environment

In this lab environment, you have GUI access to a domain user called Research/Student on a Windows Server 2012 machine, which serves as your workstation. The domain the workstation is joined to is vulnerable to a Kerberoasting attack.

Your task is to identify accounts that have a Service Principal Name (“SPN”) set, which lets an authenticated user request TGS tickets for them and extract crackable password hashes. By exploiting this, you aim to recover the cracked password for the identified account and use it to compromise data or escalate privileges in the Active Directory environment.

Objective: Identify user accounts with Service Principal Name (SPN) enabled, perform a Kerberoasting attack to extract password hashes, and use the cracked password to compromise data or escalate privileges within the Active Directory.

Below are the tasks that you need to perform:

  • Task 1: Identify user accounts with Service Principal Name (SPN) enabled.

  • Task 2: Request a TGS ticket for the specified SPN using Kerberos.

  • Task 3: Crack the password from the TGS ticket using Tgsrepcrack.

Tools

The best tools for this lab are:

  • PowerView

  • Invoke-Mimikatz

  • Kerberoasting

  • Tgsrepcrack

Solution

Step 1: Open the lab link to access the following:

Workstation


Task 1: Identify user accounts with Service Principal Name (SPN) enabled.

What is Powerview?

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.

Reference: https://powersploit.readthedocs.io/en/latest/Recon/#powerview

It seems like we have a directory called C:\Tools that contains the necessary tools for enumeration and exploitation.

Note: Run PowerShell as administrator.


Step 1: Change the directory to C:\Tools by running the following command.

Command: (shown as a screenshot in the original lab)

The directory changed to C:\Tools.

Step 2: Enable execution policy bypass and import the PowerView module.

Command: (shown as a screenshot in the original lab)

This command starts a new PowerShell session with the execution policy bypassed, allowing you to run scripts that may otherwise be blocked.

The dot followed by a space and the script path (. .\PowerView.ps1) dot-sources the script, so its functions are loaded into the current PowerShell session rather than run in a child scope. Ensure that PowerView.ps1 is located in the current directory (C:\Tools).

Step 3: Enumerate servicePrincipalNames.

What is SPN?

Service Principal Names (SPNs) are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

In a Kerberoasting attack, an adversary may target as many service accounts as possible or conduct internal reconnaissance to find specific service accounts with the privileges they desire. In either case, the attacker needs to enumerate the servicePrincipalNames (SPNs) for the service accounts being targeted.

The following PowerShell command retrieves all user accounts from the domain and filters for those that have an SPN set:

Command: (shown as a screenshot in the original lab)

The setspn command manages the SPN directory property of an Active Directory service account. Used in query mode, it finds every SPN registered to an account across all domains in the forest.

(Output shown as screenshots in the original lab.)
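The same enumeration is worth running from the defender's side: every account Task 1 finds is a Kerberoasting candidate, and what decides whether a cracked ticket is a real risk is the account's encryption types, password age and privilege level. The script below is an added example written for this page, not part of the lab, PowerView or setspn. It rates each SPN-bearing account: whether the KDC may still issue RC4 tickets for it (msDS-SupportedEncryptionTypes unset or with the 0x4 bit), how old its password is, whether it is privileged, and whether it is a gMSA, whose long machine-generated password is not crackable in practice. The sample account objects, names and dates are constructed; the real-domain commands in the comments assume the RSAT ActiveDirectory module.

```powershell
# Added example (not part of the lab): defender-side audit of accounts that carry an SPN.
# In a real domain feed in the output of (assumed: RSAT ActiveDirectory module installed)
#   Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName,msDS-SupportedEncryptionTypes,PasswordLastSet,AdminCount
#   Get-ADServiceAccount -Filter * -Properties ServicePrincipalName,msDS-SupportedEncryptionTypes,PasswordLastSet
function Get-SpnAccountRisk {
    [CmdletBinding()]
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)] [object] $Account)
    process {
        $spns = @($Account.ServicePrincipalName)
        if ($spns.Count -eq 0) { return }

        # msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
        # Unset (null/0) means no restriction, so the KDC will honour an RC4 ticket request.
        $enc = [int]$Account.'msDS-SupportedEncryptionTypes'
        $rc4Possible = ($enc -eq 0) -or (($enc -band 0x4) -ne 0)
        $aesOnly     = (-not $rc4Possible) -and (($enc -band 0x18) -ne 0)

        $isGmsa  = $Account.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
        $ageDays = if ($Account.PasswordLastSet) { (New-TimeSpan -Start $Account.PasswordLastSet -End (Get-Date)).Days } else { $null }

        $findings = New-Object System.Collections.Generic.List[string]
        if (-not $isGmsa) {
            if ($rc4Possible) { $findings.Add('RC4 tickets possible (fastest to crack offline)') }
            if ($null -eq $ageDays -or $ageDays -gt 365) { $findings.Add('password older than a year or never set') }
            if ($Account.AdminCount -eq 1) { $findings.Add('privileged account (adminCount=1)') }
        }

        $recommendation = if ($isGmsa) { 'OK (gMSA)' }
                          elseif ($findings.Count -eq 0) { 'Review' }
                          else { 'Convert to gMSA, or set a long random password and AES-only encryption types' }

        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            SpnCount        = $spns.Count
            IsGmsa          = $isGmsa
            AesOnly         = $aesOnly
            PasswordAgeDays = $ageDays
            Findings        = ($findings -join '; ')
            Recommendation  = $recommendation
        }
    }
}

# Constructed sample accounts (names, dates and attribute values invented for this example).
$sample = @(
    [pscustomobject]@{ SamAccountName='svc_sql';   ObjectClass='user'; ServicePrincipalName=@('MSSQLSvc/db01.example.local:1433'); 'msDS-SupportedEncryptionTypes'=$null; PasswordLastSet=(Get-Date).AddYears(-3); AdminCount=1 }
    [pscustomobject]@{ SamAccountName='svc_web';   ObjectClass='user'; ServicePrincipalName=@('HTTP/web01.example.local');          'msDS-SupportedEncryptionTypes'=24;    PasswordLastSet=(Get-Date).AddDays(-30);  AdminCount=0 }
    [pscustomobject]@{ SamAccountName='gmsa_app$'; ObjectClass='msDS-GroupManagedServiceAccount'; ServicePrincipalName=@('HTTP/app01.example.local'); 'msDS-SupportedEncryptionTypes'=24; PasswordLastSet=(Get-Date).AddDays(-10); AdminCount=0 }
)

# svc_sql is flagged on all three counts; svc_web is AES-only with a fresh password; the gMSA is OK.
$sample | Get-SpnAccountRisk | Format-Table -AutoSize
```

The check that matters most is the encryption-type one: an account with a 25+ character random password is already safe from wordlists such as the one used in Task 3, but restricting it to AES (value 24 = 0x8 + 0x10) additionally makes any ticket that is issued far slower to attack and makes an RC4 request for it stand out in the logs.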

Step 4: Review Kerberos tickets

Command: (shown as a screenshot in the original lab)

The command klist is used here to list all the Kerberos tickets of the current user session. Kerberos tickets are used in the Kerberos authentication protocol to prove identity for network interactions.

Task 2: Request a TGS ticket for the specified SPN using Kerberos.

Step 5: Initiate a TGS Ticket Request

The following command adds the assembly System.IdentityModel to the current PowerShell session and creates a new object of type KerberosRequestorSecurityToken. This is part of the .NET framework and is used to request a Kerberos Ticket Granting Service (TGS) ticket for the specified Service Principal Name (SPN).

Command: (shown as a screenshot in the original lab)

Loading the System.IdentityModel assembly with Add-Type makes the System.IdentityModel.Tokens.KerberosRequestorSecurityToken class available. Constructing it with an SPN causes the client to obtain a Ticket Granting Service (TGS) ticket for that SPN from the KDC; as described in the overview, that ticket is encrypted with the service account's key, which is what the rest of the attack tries to crack offline.
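Every request of this kind is recorded on the domain controller as Security event 4769 ("A Kerberos service ticket was requested"), which is where a defender catches it. Two properties of that event separate Kerberoasting from normal traffic: the ticket encryption type is typically 0x17 (RC4-HMAC) for a service tied to a user account, and one principal requests tickets for many different services within a few minutes. The script below is an added example written for this page, not part of the lab or of any tool it uses; it parses 4769 events and reports both indicators. The events are constructed XML in the shape returned by Get-WinEvent's ToXml(), with invented account and host names; the real-DC command in the comment assumes the "Audit Kerberos Service Ticket Operations" subcategory is enabled.

```powershell
# Added example (not part of the lab): detect Kerberoasting indicators in Security event 4769.
# On a domain controller replace the constructed events with
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | ForEach-Object { $_.ToXml() }
# (assumed: 'Audit Kerberos Service Ticket Operations' success auditing is enabled).

function ConvertFrom-Event4769 {
    # Pull the fields the detection needs out of one 4769 event's XML.
    param([Parameter(Mandatory=$true)][string] $Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in @($doc.Event.EventData.Data)) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Time      = [datetime]$doc.Event.System.TimeCreated.SystemTime
        Requester = $data['TargetUserName']
        Service   = $data['ServiceName']
        EncType   = $data['TicketEncryptionType']
        ClientIp  = $data['IpAddress']
        Status    = $data['Status']
    }
}

function Find-KerberoastIndicators {
    param(
        [Parameter(Mandatory=$true)][object[]] $Events,
        [int] $DistinctServiceThreshold = 5,
        [int] $WindowMinutes = 10
    )
    # Computer accounts (names ending in '$') and krbtgt generate routine 4769 noise;
    # Kerberoasting only pays off against SPNs tied to user accounts, so keep those.
    $userSpn = @($Events | Where-Object { $_.Status -eq '0x0' -and $_.Service -notmatch '\$$' -and $_.Service -ne 'krbtgt' })
    # Indicator 1: RC4-HMAC (0x17) ticket for a user-account SPN.
    $rc4 = @($userSpn | Where-Object { $_.EncType -eq '0x17' })
    # Indicator 2: one requester collecting tickets for many distinct services in a short window.
    $bursts = @($userSpn | Group-Object Requester | ForEach-Object {
        $sorted   = @($_.Group | Sort-Object Time)
        $minutes  = (New-TimeSpan -Start $sorted[0].Time -End $sorted[-1].Time).TotalMinutes
        $distinct = @($sorted | Select-Object -ExpandProperty Service -Unique).Count
        if ($distinct -ge $DistinctServiceThreshold -and $minutes -le $WindowMinutes) {
            [pscustomobject]@{ Requester = $_.Name; DistinctServices = $distinct; WindowMinutes = [math]::Round($minutes, 1) }
        }
    })
    [pscustomobject]@{ Rc4UserSpnRequests = $rc4; EnumerationBursts = $bursts }
}

function New-Sample4769 {
    # Builds a minimal constructed 4769 event; only the fields the parser reads are present.
    param([string] $Time, [string] $User, [string] $Service, [string] $Enc, [string] $Ip = '10.0.0.25')
    return @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="ServiceName">$Service</Data>
    <Data Name="TicketEncryptionType">$Enc</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="Status">0x0</Data>
  </EventData>
</Event>
"@
}

# Constructed sample: normal AES (0x12) requests for computer-account services, then one
# user pulling RC4 tickets for five different user-account SPNs within two minutes.
$events = @(
    New-Sample4769 '2024-05-01T09:55:00Z' 'WS01$@EXAMPLE.LOCAL'   'FS01$'      '0x12'
    New-Sample4769 '2024-05-01T09:58:00Z' 'alice@EXAMPLE.LOCAL'   'DC01$'      '0x12'
    New-Sample4769 '2024-05-01T10:00:00Z' 'student@EXAMPLE.LOCAL' 'svc_sql'    '0x17'
    New-Sample4769 '2024-05-01T10:00:20Z' 'student@EXAMPLE.LOCAL' 'svc_web'    '0x17'
    New-Sample4769 '2024-05-01T10:00:41Z' 'student@EXAMPLE.LOCAL' 'svc_iis'    '0x17'
    New-Sample4769 '2024-05-01T10:01:05Z' 'student@EXAMPLE.LOCAL' 'svc_exch'   '0x17'
    New-Sample4769 '2024-05-01T10:01:30Z' 'student@EXAMPLE.LOCAL' 'svc_backup' '0x17'
) | ForEach-Object { ConvertFrom-Event4769 $_ }

$result = Find-KerberoastIndicators -Events $events
"RC4 tickets for user-account SPNs: $($result.Rc4UserSpnRequests.Count)"
$result.Rc4UserSpnRequests | Format-Table Time, Requester, Service, ClientIp -AutoSize
"Enumeration bursts:"
$result.EnumerationBursts | Format-Table -AutoSize
```

On the sample data the two computer-account requests drop out, all five student requests are reported under the RC4 indicator, and student appears once as an enumeration burst (5 distinct services in 1.5 minutes). The RC4 indicator loses its value once accounts are AES-only, which is a reason to apply that setting; the burst indicator keeps working regardless of encryption type.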

Step 6: Export Kerberos Tickets

In this step, you use the Invoke-Mimikatz command to run the Mimikatz tool. The argument '"kerberos::list /export"' passed to the Invoke-Mimikatz command lists all Kerberos tickets and exports them for further use.

Mimikatz, a well-known security tool, is invoked here with the command kerberos::list /export which is used to list and export all Kerberos tickets. This is particularly useful in Kerberoasting as it provides the Kerberos tickets required to attempt to crack the password.

Command: (shown as a screenshot in the original lab)

After exporting the tickets, you can display the name of the exported file using ls | select name.

Command: (shown as a screenshot in the original lab)

Extracted ticket: 1-40a10000-student@ops~research.SECURITY.local~1434-RESEARCH.SECURITY.LOCAL.kirbi

Task 3: Crack the password from the TGS ticket using Tgsrepcrack.

Step 7: Use Tgsrepcrack to crack the password

In this step, you use the Python-based Tgsrepcrack tool to crack the password from the TGS ticket. The command specifies a list of possible weak passwords (10k-worst-pass.txt) and the path to the TGS ticket file.

Command: (shown as a screenshot in the original lab)

This command runs the Python script tgsrepcrack.py that uses the list of weak passwords (10k-worst-pass.txt) to attempt to crack the password encrypted in the TGS ticket file (1-40a10000-student@ops~research.SECURITY.local~1434-RESEARCH.SECURITY.LOCAL.kirbi). The script will display the cracked password once it's successful.


After the script is executed, the cracked password is displayed, which is maverick in this instance. This illustrates the risk of using weak passwords and their vulnerability to password cracking tools and techniques. With the plaintext password, the attacker can authenticate to any resources the service account has access to, helping them to compromise data or escalate privileges.

Conclusion

In this lab, we explored Kerberoasting and its exploitation in an Active Directory environment. We used a set of tools and commands to identify users with SPN, requested and exported a TGS ticket, and finally used a script to crack the password from the ticket. This process shows how attackers can potentially exploit weak passwords in a Kerberos-based authentication system, emphasizing the need for strong password policies in an organizational environment.
