Playing with Kerberos, Kerberoasting, Kinit, Ticket Granting Ticket (TGT)

There have been a number of technical blog posts and demonstrations about Kerberoasting/SPNs and how widely this attack vector is abused against Windows enterprise network infrastructure (Active Directory). I will keep the background information on SPNs and Kerberoasting to a minimum and provide links at the end to everything I know about.

My focus in this post is to demonstrate how to perform the whole attack from a Linux OS as opposed to a Windows-based operating system. The advantage of this approach is that your attacking system does not need to be domain joined; all you need is a basic AD username and password to perform a successful attack.

Attack advantages:

  • Linux OS as the attacking machine
  • No Windows domain-join hassle, permissions etc.
  • Can use the majority of red team and penetration testing tools
  • Stealth: avoids detection

GetUserSPNs.py: specify the DC IP address and the user to authenticate with.

Figure 1: List of service accounts IIS_003 and IIS_002 assigned to servers.

GetUserSPNs.py with the -request parameter and the DC IP address to request Kerberos TGT service tickets.

Figure 2: -request parameter capturing the Kerberos ticket granting ticket for IIS_002 and IIS_003 in hashcat format.

The Hashcat password cracking tool is used to crack the TGT response for the IIS_002 and IIS_003 service accounts (hashcat -m 130100 tgtkerberosticket.txt dictionaryword.txt).

Figure 3: IIS_002 TGT response ticket password successfully cracked.
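From the defender's side, every ticket request that GetUserSPNs.py -request makes is recorded on the domain controller as Security Event ID 4769 (a Kerberos service ticket was requested), and such requests typically ask for RC4 tickets (ticket encryption type 0x17) for user accounts that carry SPNs. The script below is an added example and is not part of the original post: it parses a constructed set of flattened 4769 events (the field names follow the Windows event; the account names, hosts and addresses are made up) and flags any account that obtains RC4 service tickets for several distinct service accounts inside a short window, which is the trace the request in Figure 2 leaves behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line, modelled on the fields of Windows Security
# Event ID 4769 ("A Kerberos service ticket was requested"). All names are made up.
SAMPLE_EVENTS = """\
2023-05-01T10:00:01 EventID=4769 AccountName=ambientuser@CRYPTOAMBIENT.COM ServiceName=IIS_002 TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=10.0.0.50
2023-05-01T10:00:01 EventID=4769 AccountName=ambientuser@CRYPTOAMBIENT.COM ServiceName=IIS_003 TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=10.0.0.50
2023-05-01T10:00:02 EventID=4769 AccountName=ambientuser@CRYPTOAMBIENT.COM ServiceName=SQLSVC TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=10.0.0.50
2023-05-01T10:00:05 EventID=4769 AccountName=WS01$@CRYPTOAMBIENT.COM ServiceName=FILE01$ TicketEncryptionType=0x12 FailureCode=0x0 ClientAddress=10.0.0.21
2023-05-01T10:01:10 EventID=4769 AccountName=alice@CRYPTOAMBIENT.COM ServiceName=IIS_002 TicketEncryptionType=0x12 FailureCode=0x0 ClientAddress=10.0.0.22
2023-05-01T10:02:00 EventID=4769 AccountName=bob@CRYPTOAMBIENT.COM ServiceName=LEGACYAPP TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=10.0.0.23
2023-05-01T10:02:30 EventID=4768 AccountName=bob@CRYPTOAMBIENT.COM ServiceName=krbtgt TicketEncryptionType=0x17 FailureCode=0x0 ClientAddress=10.0.0.23
2023-05-01T10:03:00 EventID=4769 AccountName=ambientuser@CRYPTOAMBIENT.COM ServiceName=IIS_002 TicketEncryptionType=0x17 FailureCode=0x1F ClientAddress=10.0.0.50
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = 0x17  # etype 23; the AES types are 0x11 (AES128) and 0x12 (AES256)


def parse_event(line):
    """Parse one flattened event line into a dict; returns None for unparsable lines."""
    parts = line.split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    try:
        return {
            "ts": ts,
            "event_id": int(fields["EventID"]),
            "account": fields["AccountName"],
            "service": fields["ServiceName"],
            "etype": int(fields["TicketEncryptionType"], 16),
            "failure": int(fields["FailureCode"], 16),
            "client": fields.get("ClientAddress", ""),
        }
    except (KeyError, ValueError):
        return None


def is_roastable_request(ev):
    """A successful TGS request for an RC4 ticket to a service account that is
    neither a machine account (trailing $) nor krbtgt itself."""
    return (ev["event_id"] == 4769
            and ev["failure"] == 0
            and ev["etype"] == RC4_HMAC
            and not ev["service"].endswith("$")
            and ev["service"].lower() != "krbtgt")


def find_kerberoast_bursts(lines, window=timedelta(minutes=5), min_services=2):
    """Return {account: sorted service names} for every account that pulled RC4
    service tickets for at least `min_services` distinct services inside any
    `window`-sized interval. A single RC4 ticket (a legacy app) is not reported."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and is_roastable_request(ev):
            by_account[ev["account"]].append(ev)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        hits = set()
        for i, start in enumerate(evs):
            # events are time-sorted, so everything from index i on is at or after start
            in_window = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(in_window) >= min_services:
                hits |= in_window
        if hits:
            flagged[account] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for account, services in find_kerberoast_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"{account}: RC4 service tickets for {', '.join(services)}")
```

The window and threshold are the tuning knobs: a real environment with legacy RC4-only applications needs a baseline of which accounts legitimately request RC4 tickets so that the rule fires on bursts rather than on every stray 0x17 request.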

Now that we know the domain controller FQDN we send two pings to the host.

Figure 4: sec-pr1-01 DC NetBIOS name identified.

In order to reduce and avoid detection (red team) in the target network we can use the Heimdal implementation of the Kerberos 5 client to receive a valid TGT session ticket and use Kerberos for post-exploitation, as opposed to the password-equivalent NTLM hash. The idea is to blend into the target network and reduce the risk of being identified by the security operations team (SOC) and security-conscious system administrators.

Steps to configure the Heimdal client on a Linux OS:

vi /etc/krb5.conf

  • default_realm: set this to the target domain, CRYPTOAMBIENT.COM
  • realms: set the kdc to the fully qualified domain controller, e.g. my target domain controller is sec-pri-01.cryptoambient.com, and set admin_server and default_domain to the FQDN of the target server.

Figure 5: Heimdal krb5 client configuration.

We also must add the following entries to /etc/resolv.conf and point our nameserver at the domain controller. Almost 99% of the time DNS is the root cause of Kerberos authentication problems ("my own personal experience").

Figure 6: resolv.conf with the target domain entries added.

kinit obtains and caches an initial ticket-granting ticket for ambientuser, and klist is used to list the valid ticket issued by the domain controller (KRBTGT). Armed with a valid TGT we can run tools from our Linux attacking machine and interact with accessible hosts within the domain forest.

Figure 7: TGT (Ticket Granting Ticket) for the valid user ambientuser received.

smbclient with the --kerberos flag to use the ambientuser ticket to authenticate to a host's IPC$ share.

Figure 8: smbclient using the Kerberos ticket as opposed to traditional clear-text/NTLM hash authentication.

rpcclient with the -k flag to use Kerberos to authenticate to a Windows host joined to the cryptoambient.com domain forest.

Figure 9: rpcclient can be used to enumerate SIDs, RIDs, the password policy etc.

wmiexec with the -k flag and --nopass used to gain a remote shell on the domain-joined host using the Kerberos ticket. The user must be part of the local admin or domain admin group to be able to spawn a cmd.exe process. WMI is still widely used/abused, and it is a difficult challenge for the good guys to identify a slow, planned WMI attack.

Figure 10: wmiexec to gain a remote administrative-level shell on the target host.

psexec: I will not, and never will, use it in a real engagement, but just for demonstration I thought it was a good idea to show different attack tool(s) that support Kerberos to interact with target domain-joined hosts.

Figure 11: psexec to gain code execution with SYSTEM privileges. The disadvantage of psexec is that it creates a service executable, writes it to a share and finally executes/starts the service.

Moral of the story: Kerberos is the way to go in a locked-down enterprise network to avoid detection and operate without the use of NTLM hashes in a Windows environment.

Remediation:

  • Use Group Managed Service Accounts (gMSA) for service accounts
  • Use 28 or more characters for service account passwords
  • Make sure service accounts are not delegated rights to Domain Admins or, in fact, any other privileged group
  • Enable and monitor Kerberos auditing
  • Investigate incidents; do not just assume
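As an added example (not from the original post) of how the first four points can be checked, the script below audits a constructed sample of directory records shaped like an export of the AD attributes involved: objectClass distinguishes a gMSA from an ordinary user, pwdLastSet shows how long a manually set password has been in use (a password's length cannot be read back from AD, so password age is used as a proxy here; that is an assumption of this example), memberOf exposes privileged group membership, and msDS-SupportedEncryptionTypes tells whether the account still accepts RC4 tickets (bit 0x4; an unset or zero value means the RC4-capable default). Account names, dates and group names are made up.

```python
from datetime import datetime, timedelta

# Constructed sample of directory records, shaped like an LDAP export of the
# attributes that matter for the remediation list above. Everything is made up.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "IIS_002", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.cryptoambient.com"],
     "pwdLastSet": "2018-03-10", "memberOf": ["Domain Users"],
     "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "IIS_003", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web02.cryptoambient.com"],
     "pwdLastSet": "2022-11-01", "memberOf": ["Domain Users", "Domain Admins"],
     "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "sql01svc$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["MSSQLSvc/sql01.cryptoambient.com:1433"],
     "pwdLastSet": "2023-04-20", "memberOf": ["Domain Users"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "alice", "objectClass": "user", "servicePrincipalName": [],
     "pwdLastSet": "2023-01-05", "memberOf": ["Domain Users"],
     "msDS-SupportedEncryptionTypes": None},
]

# Bits of msDS-SupportedEncryptionTypes: DES 0x1/0x2, RC4 0x4, AES128 0x8, AES256 0x10.
RC4_HMAC = 0x4
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Schema Admins"}


def audit_account(acct, now, max_password_age=timedelta(days=365)):
    """Return a list of findings for one account; empty when nothing is wrong
    or when the account has no SPN and therefore cannot be Kerberoasted."""
    findings = []
    if not acct["servicePrincipalName"]:
        return findings
    if acct["objectClass"] != GMSA_CLASS:
        # a gMSA rotates its own 240-byte password; anything else is set by a human
        findings.append("manual password (not a gMSA)")
        set_on = datetime.fromisoformat(acct["pwdLastSet"])
        age = now - set_on
        if age > max_password_age:
            findings.append(f"password unchanged for {age.days} days")
    privileged = PRIVILEGED_GROUPS & set(acct["memberOf"])
    if privileged:
        findings.append("member of " + ", ".join(sorted(privileged)))
    etypes = acct["msDS-SupportedEncryptionTypes"]
    if not etypes or etypes & RC4_HMAC:
        findings.append("RC4 tickets allowed")
    return findings


def audit(accounts, now):
    """Map each SPN-bearing account with at least one finding to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, datetime(2023, 6, 1)).items():
        print(name)
        for f in findings:
            print("  -", f)
```

In practice the records come from an LDAP query for objects with a servicePrincipalName, and the output is a work list: move each flagged account to a gMSA or a long randomly generated password, remove it from privileged groups, and set msDS-SupportedEncryptionTypes to AES only once the dependent services are confirmed to support it.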

Links:

  • What are SPNs: https://docs.microsoft.com/en-us/windows/desktop/AD/service-principal-names
  • Kerberoasting: https://adsecurity.org/?p=2293
  • Heimdal Kerberos: https://www.h5l.org/
