πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Search…
πŸ““
πŸ““
πŸ““
πŸ““
Red Team Notes 2.0
Introduction
Red Team
Red Team Techniques
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Active Directory
Active Directory
Active Directory Attacks
Kerberoasting
Unconstrained Delegation
Constrained Delegation
DCSync
Golden Tickets
Silver Tickets
Skeleton Keys
Active Directory Certificate Services
NTLMRelay
AS-REP Roasting
Red Team Infrastructure
RED TEAM INFRASTRUCTURE
Domain Name and Categorization
Reconnaissance
Weaponization
Delivery
Situational Awareness
Credential Dumping
Persistence
Defense Evasion
Privilege Escalation
Lateral Movement
Powered By GitBook
Kerberoasting
You have an SPN service/user the attack works because by default any domain user can request a Ticket to these user's/services the Kerberos grant's a ticket, this ticket is later stored in memory and you can grab this ticket, save it offline and crack the hash file to gain clear-text credentials.
Tim Medin presented at DerbyCon 2014 a tool called Kerberoast which cracks Kerberoast TGS tickets, He determined that possession of a TGS service ticket encrypted with the RC4 provides the opportunity to take the ticket to a password cracking computer (or cloud system) and attempt to crack the service account's password. How does this work? Since the TGS Kerberos ticket is encrypted with the RC4 encryption, that means the service account's password hash is used to encrypt the ticket. The cracking system loops through converts to NTLM, and attempts to open the TGS ticket. If the TGS ticket is opened, we know the clear text password and the NTLM password for the account.
In Summary
Kerberoasting abuses traits of the Kerberos protocol to harvest password hashes for Active Directory user accounts with serviceprincipalName (SPN) values (i.e. service accounts). A user is allowed to request a ticket-granting service (TGS) ticket for any SPN, and parts of the TGS may be encrypted with the RC4 using the password hash of the service account assigned the requested SPN as the key.
An adversary who can extract the TGS ticket from memory, or capture them by sniffing network traffic, can extract the service account's password hash and attempt an offline brute force attack to obtain the plaintext password.
Attack
The setup for this attack can be viewed here​
Now will use a few methods to search for any Kerberoastable Users. This can be done with any domain user this attack is abused since any domain user can request a ticket for an SPN account we verify our domain account
I will use Rubeus to locate Kerberoastable user's an OPSEC tactic to consider is using the /stats parameter this will only search for Kerberoastable Users on the current domain without requesting a Ticket to the DC.
Rubeus kerberoast /stats
We can Enumerate the specific users of the Domain that are available for Kerberoast, the following command will enumerate users with a Service Principal Name.
SharpView.exe Get-DomainUser -SPN
Now we can request the ticket from the users and choose the format-specific for our cracking tool which this preference would be hashcat
Rubeus kerberoast /domain:DominionCyber.local /user:jnovoa /nowrap
Now with this available, we can crack the password offline utilizing hashcat, once sent to our cracking rig we can use wordlists to attack this hash and try cracking it with this one we managed to get the password by utilizing the RockYou wordlist with a ruleset.
hashcat.exe -m 13100 -a 0 hashes wordlist
Active Directory - Previous
Active Directory Attacks
Next
Unconstrained Delegation
Last modified 28d ago
Copy link