Kerberosting
Last updated
Last updated
Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.
When you want to authenticate to some service using Kerberos, you contact the DC and tell it to which system service you want to authenticate. It encrypts a response to you with the service user’s password hash. You send that response to the service, which can decrypt it with it’s password, check who you are, and decide it if wants to let you in.
In a Kerberoasting attack, rather than sending the encrypted ticket from the DC to the service, you will use off-line brute force to crack the password associated with the service.
Most of the time you will need an active account on the domain in order to initial Kerberoast, but if the DC is configured with UserAccountControl setting “Do not require Kerberos preauthentication” enabled, it is possible to request and receive a ticket to crack without a valid account on the domain.
Now let's get the SPNs. The script identified a user, Administrator:
So, we have a ticket. Now, lets crack it with john.
We also have another script in Impacket that we can directly run without providing username and we get the hash.
If we have potential usernames, we can also use that wordlist to fetch hash value.
_______________________________________________________________
We have prefetch files and event viewer for the sherlock.
Prefetch speeds up the loading of a specific application resource, allowing you to open your most used application faster. Prefetching enables a browser to fetch the resources required to view content that will be accessed later. Prefetch files will disclose whether the individual installed and ran a particular program; tracking such information is critical during the digital forensic analysis process. This way, we can determine which executable was executed and when. Prefetch also records the loaded files' information, which tells us which files and paths it interacted with during its execution. We will use PeCmd by Eric Zimmerman to parse the prefetch files and Event Viewer to go through the event log
Security Logs record Event ID 4769 on a domain controller whenever a Kerberos service ticket is requested
Open the event file of the domain controller.
Filter by the event ID
We still get a lot of events.
Here we can see that Account Name “DC01$” requested a service ticket for service named DC01$. In Windows names ending with $ are typically service accounts and machine accounts. Similarly, the DC01$ service is related to that service account.
This all belongs to normal Active Directory operations. Below that we can see an option named “Ticket Encryption type” with the value of 0x12 which equals to “AES256-CTS-HMAC-SHA1-96 ”.
In legitimate use cases for Kerberos ticket operations, the encryption type would be 0x12 or 0x11.
But if we see an encryption type “0x17” which is RC4 encryption, that would be a clue to look into this further, as an attacker may request a ticket in this encryption type because it allows them to crack the password.
All major open-source tools, like Impacket and Rubeus, request tickets in RC4 encryption type.
To further reduce the chances of false positives, we can filter out requests from other service accounts and machine accounts.
Service accounts request service tickets from domain controllers all the time; that’s the nature of how service accounts work. To further reduce the events to investigate, we can filter out requests from service names starting with “$”—they are computer accounts or other service account-related services that Windows uses as part of its operations.
We can search for the 0x17 encryption type and events.
We can see that a domain Account “alonzo.spire” requested a ticket for a service name “MSSQLService” with an encryption type of 0x17 from a workstation with IP Address 172.17.79.129.
Notice that both the account name and service name do not end with $.
SOC analysts can query the logs in SIEMs to create a filter for all the things mentioned.
With the filters discussed above we’re snooping for a 4769 event where:
1. Account name that is NOT a service or machine account (ending with $), so any normal domain user account (this would be the account which is compromised and from which the attacker performed this attack.)
2. Service Names that do NOT end with $.
3. Ticket encryption type will be 0x17 which is RC4 encryption, allowing attackers to easily crack the hash.
The follow-up to this detection would be to:
Create a timeline of when this event was generated.
Do a forensic analysis of the machine with IP Address 172.17.79.129, and find out how the “alonzo.spire” user account got compromised.
We can use artifacts like Process Logs from Sysmon if available, prefetch, lnk files, Managed File Transfer (MFT), or registry to gain insights on what occurred around the time when Kerberoasting activity was noticed.
we can see executed commands/scripts by filtering for event ID 4104.
we can look into the events and see that powerview has been used.
Now we can use Timeline Explorer to look into the actual timeline of the event. we can use the csv file generated from prefetch files.
We should look for any execution around the timeline we established so far. Let's filter for the date of the incident to reduce the noise. We add the filter for the "Last Run" field
Looking at the last run timestamps, we find an exe was executed just a second before our malicious events were logged on the Domain Controller.
This is a Kerberos abuse tool. One that's common in Active Directory pentesting or offensive operations. To get the full path of the file, go to the files loaded and double-click to see all files loaded by this tool at execution.
You can check the last run column to see when was the tool actually run.
Target:
GetUserSPNs.py
targets service accounts associated with SPNs (Kerberoasting).
GetNPUsers.py
targets user accounts with pre-authentication disabled (AS-REP Roasting).
Objective:
GetUserSPNs.py
aims to retrieve service tickets that can be cracked to reveal service account passwords.
GetNPUsers.py
aims to retrieve AS-REP responses that can be cracked to reveal user passwords.
Prerequisites:
GetUserSPNs.py
requires knowledge of the domain and typically valid credentials to request service tickets.
GetNPUsers.py
can be