There have been a number of technical blog posts and demonstrations about Kerberoasting and SPNs, and about how widely this attack vector is abused against Windows enterprise networks (Active Directory). I will keep the background on SPNs and Kerberoasting to a minimum and provide links at the end to everything I know about it.
My focus in this post is to demonstrate how to perform the whole attack from a Linux OS rather than from a Windows-based operating system. The advantage of this approach is that your attacking system does not need to be domain joined; all you need is a valid (AD) username and password, since any authenticated domain user can request service tickets for SPN-bearing accounts.
- Linux OS as attacking machine
- No Windows domain-join hassle, permissions, etc.
- Can use the majority of red team and penetration testing tools
- Stealth: easier to avoid detection
Run GetUserSPNs.py, specifying the DC IP address and the domain user to authenticate with. This queries LDAP for user accounts that have a servicePrincipalName set.
Figure 1: Service accounts IIS_003 and IIS_002 listed with the SPNs assigned to their servers.
GetUserSPNs.py with the -request parameter and the DC IP address requests a Kerberos service ticket (TGS-REP) for each SPN found. Note that this is a service ticket, not a TGT: the part that is crackable offline is the ticket's encrypted portion, which the KDC encrypts with a key derived from the service account's password.
Figure 2: -request parameter capturing the service tickets for IIS_002 and IIS_003 in hashcat format.
Hashcat is then used to crack the TGS-REP tickets for the IIS_002 and IIS_003 service accounts. Mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC): hashcat -m 13100 tgtkerberosticket.txt dictionaryword.txt
Figure 3: IIS_002 service ticket password successfully cracked.
Now that we know the domain controller's FQDN, we send two pings to the host to confirm the name resolves and the DC is reachable.
Figure 4: DC NetBIOS name sec-pr1-01 identified.
To reduce the chance of detection on the target network (red team), we can use the Heimdal implementation of the Kerberos 5 client to obtain a valid TGT and use Kerberos for post-exploitation, as opposed to the password-equivalent NTLM hash. The idea is to blend into the target network's normal authentication traffic and reduce the risk of being identified by the security operations team (SOC) and security-conscious system administrators. The cracked password (or any other valid domain credential) is still what gets us the TGT; Kerberos only changes how we authenticate afterwards.
Steps to configure the Heimdal client on the Linux OS (in /etc/krb5.conf):
- default_realm: set to the target domain, in upper case: CRYPTOAMBIENT.COM
- realms: set the kdc for that realm to the fully qualified domain controller name (my target domain controller is sec-pr1-01.cryptoambient.com), and set admin_server and default_domain to the FQDN of the target server and the target domain respectively. Realm names are case-sensitive, so the realm must be upper case and the host names must match what DNS returns.
Figure 5: Heimdal Krb5 client configuration.
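As an added example (not the configuration file from the post's screenshot), here is a complete krb5.conf that applies those steps. The realm CRYPTOAMBIENT.COM and the DC name sec-pr1-01.cryptoambient.com are taken from the post; everything else is the standard layout shared by Heimdal and MIT clients.

```ini
# Added example /etc/krb5.conf for the Heimdal client (not the post's own file).
# Realm names are upper case; KDC host names must match DNS exactly.
[libdefaults]
    default_realm = CRYPTOAMBIENT.COM

[realms]
    CRYPTOAMBIENT.COM = {
        kdc = sec-pr1-01.cryptoambient.com
        admin_server = sec-pr1-01.cryptoambient.com
        default_domain = cryptoambient.com
    }

# Maps host names (and the whole DNS domain) to the realm so that service
# tickets for any host in cryptoambient.com are requested from the right KDC.
[domain_realm]
    .cryptoambient.com = CRYPTOAMBIENT.COM
    cryptoambient.com = CRYPTOAMBIENT.COM
```

With this in place, /etc/resolv.conf needs a `nameserver` line pointing at the DC's IP and a `search cryptoambient.com` line, so that both the KDC name and the short host names used later resolve through the domain's own DNS. A quick check before going further is `kinit ambientuser@CRYPTOAMBIENT.COM` followed by `klist`: if kinit reports that it cannot contact the KDC or find the realm, the problem is almost always one of the two files above rather than the credentials.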
We also must add entries to /etc/resolv.conf and point our nameserver at the domain controller. Almost 99% of the time, DNS is the root cause of Kerberos authentication problems. "My own personal experience"
Figure 6: resolv.conf with the target domain entries added.
kinit obtains and caches an initial ticket-granting ticket for ambientuser, and klist lists the valid ticket issued by the domain controller (the krbtgt/CRYPTOAMBIENT.COM principal). Armed with a valid TGT, we can run tools from our Linux attacking machine and interact with any accessible host in the domain controller's forest.
Figure 7: TGT (ticket-granting ticket) for the valid user ambientuser received.
smbclient with the --kerberos flag uses ambientuser's ticket to authenticate to a host's IPC$ share.
Figure 8: smbclient using the Kerberos ticket instead of traditional clear-text/NTLM hash authentication.
rpcclient with the -k flag uses Kerberos to authenticate to a Windows host joined to the cryptoambient.com domain forest.
Figure 9: rpcclient can be used to enumerate SIDs, RIDs, the password policy, etc.
wmiexec.py with the -k and -no-pass flags gives a remote shell on the domain-joined host using the Kerberos ticket (impacket reads the ticket cache named by the KRB5CCNAME environment variable, so point it at the cache kinit created). The user must be a local administrator on the target, whether directly or via Domain Admins, to be able to spawn a cmd.exe process through WMI. WMI is still widely used and abused, and a slow, carefully planned WMI attack remains difficult for defenders to identify.
Figure 10: wmiexec used to gain a remote administrative-level shell on the target host.
psexec: I will not, and never will, use it in a real engagement, but for demonstration I thought it was a good idea to show different attack tools that support Kerberos for interacting with target domain-joined hosts.
Figure 11: psexec used to gain code execution with SYSTEM privileges. The disadvantage of psexec is that it creates a service executable, writes it to a share, and finally starts the service; each of those steps is noisy (the service installation alone produces a System event 7045 on the target).
Moral of the story: Kerberos is the way to go in a locked-down enterprise network to avoid detection and to operate without the NTLM hash in a Windows environment. It avoids NTLM, not logging: the DC still records the ticket requests (events 4768 and 4769) when Kerberos auditing is enabled, so the defensive points below still apply.
- Use Group Managed Service Accounts (gMSA) for service accounts, so the password is long, random and rotated automatically
- Use 28 or more characters for service account passwords
- Make sure service accounts are not granted domain admin rights or membership of any other privileged group
- Enable and monitor Kerberos auditing; in particular, look for service ticket requests (event 4769) with the RC4 encryption type (0x17), which is what the default Kerberoast request produces
- Investigate incidents; do not just assume
What are SPNs?