Kerberoasting exploits weak Kerberos SPNs in Active Directory, letting attackers extract encrypted service account passwords and crack them offline for privilege escalation.
What is Kerberoasting?
Kerberoasting is an abuse of Kerberos authentication in Active Directory. Any authenticated user in the domain can enumerate the service principal name running (SPN) for the user account. SPNs are unique identifiers that Kerberos uses to map a service instance to a service account in whose context the service is running. An authenticated user is allowed to request a ticket-granting service (TGS) ticket for any SPN running in the domain. TGS may be encrypted with RC4 using the password hash of the service account that is assigned the requested SPN as the key.
Kereroasting From Linux Machine
If attackers gain access to a VPN or remote access system that connects to the internal network, they can perform Kerberoasting as if they were on the internal network. Let’s suppose the attacker can connect internally with the Linux operating system. By using the Linux automated tools, attackers can perform the kerberoasting attack.
Kerberoasting attacks require either domain user credentials (cleartext or only an NTLM hash if using Impacket), a shell in the context of a domain user, or an account like SYSTEM. Once we have this degree of access, we can begin. We also need to know which server in the domain is a Domain Controller so we can query it.
Kerberoasting with GetUserSPNs.py(Impacket)
We can start by just enumerating a listing of SPNs in the domain. we will need a set of valid domain credentials ( username and password) and the IP address of a Domain Controller.
Enumeration of SPN Service
Let’s enumerate all SPN services running of domain. Below is an example of the command to enumerate the spn services using the GetuserSPNs.py.
python3 GetUserSPNs.py mydomain.local/user:password
In the Active Directory forest untold.local, the domain tech.untoldcyber.local hosts a web application for internal services. The web application runs under the context of a service account with the SPN HTTP/web.tech.untoldcyber.local, managed by a user account named shiv. Unfortunately, the web application has a vulnerability in its authentication mechanism, which allows the attacker to perform SQL injection and bypass login protections. By exploiting this vulnerability, the attacker gains administrative access to the web application and retrieves the credentials of the webmaster account: webmaster@tech.untoldcyber.local with the password password@123.
Step 1: Gaining Initial Access
Using the compromised credentials, the attacker authenticates to the domain. The attacker now has access to the internal network and can query the Active Directory for information. Although webmaster is a low-privilege user, this account provides sufficient access to interact with the Kerberos Key Distribution Center (KDC) and enumerate domain accounts.
Step 2: Enumerating Service Principal Names (SPNs)
Knowing that the target environment runs Kerberos for authentication, the attacker begins by enumerating service accounts that might have SPNs associated with them. This is done using the Impacket tool GetUserSPNs.py:
python3 GetUserSPNs.py tech.untoldcyber.local/webmaster:password@123
The tool queries the domain for accounts with SPNs and returns the following result:
ServicePrincipalName Name MemberOf
-------------------------------------------------------
HTTP/web.tech.untoldcyber.local shiv Domain Users
This reveals that the shiv account, associated with the SPN HTTP/web.tech.untoldcyber.local, is likely running a web service. Service accounts like shiv often have static passwords, making them prime targets for a Kerberoasting attack.
Step 3: Requesting a TGS Ticket
The attacker uses their authenticated access to request a Ticket Granting Service (TGS) ticket for the SPN HTTP/web.tech.untoldcyber.local. This is achieved with the same tool, GetUserSPNs.py, but now with the -request flag:
python3 GetUserSPNs.py tech.untoldcyber.local/webmaster:password@123 -request
The tool successfully retrieves the TGS ticket, encrypted with the password hash of the shiv service account. The attacker saves the ticket in the following format.
this ticket is then stored in a file for offline password cracking.
Step 4: Cracking the TGS Ticket
With the TGS ticket in hand, the attacker proceeds to crack the password offline. Using the Hashcat tool and a wordlist containing common and leaked passwords, the attacker executes the following command:
hashcat -m 13100 ticket.hash wordlist.txt
After some time, the tool successfully cracks the password for the shiv account: shiv@123. This password provides the attacker with the credentials for the service account.
Step 5: Escalating Privileges
The attacker now has access to the shiv service account, which runs the web service. Upon investigating the account’s privileges, the attacker discovers that:
shivis a member of the Domain Admins group, orshivhas local administrative privileges on a critical server.
Using these credentials, the attacker escalates their privileges and gains control over the domain. They can now:
- Dump credentials for all domain accounts using tools like
Mimikatz. - Access sensitive files and resources hosted on domain controllers.
- Persist in the network by creating backdoor accounts or adding malicious group policies.
Kerberoasting From Windows Machine
Now we perform the kerberoasting attack through the Windows machine by using the PowerShell ADMoudle, PowerView, Rubeus, Invoke-Mimikatz and cracking the password using the Hashscat or John.
The attacker has already compromised the webmaster account (webmaster@tech.untoldcyber.local) with the password password@123
Step 1: Setup and Initial Access
The attacker logs into a domain-joined Windows machine using the compromised credentials. If not logged in interactively, the attacker can use PowerShell to authenticate:
$Username = "webmaster@tech.untoldcyber.local" $Password = ConvertTo-SecureString "password@123" -AsPlainText -Force $Credential = New-Object System.Management.Automation.PSCredential($Username, $Password)
Step 2: Enumerating SPNs
Using the Active Directory Module
The attacker uses PowerShell’s Active Directory module to find accounts with Service Principal Names (SPNs):
# Load Active Directory module
Import-Module ActiveDirectory
# Find accounts with SPNs
Get-ADUser -Filter {ServicePrincipalName -ne $null} -Properties ServicePrincipalName | Select-Object Name, ServicePrincipalName
Using PowerView
If the Active Directory module is not available, PowerView can be used instead:
Output:
Name ServicePrincipalName
---- ------------------------------------------------------
shiv HTTP/web.tech.untoldcyber.local
Step 3: Requesting TGS Tickets
The attacker uses Rubeus or Mimikatz to request TGS tickets for the SPN account.
Using Rubeus
Rubeus is a post-exploitation tool that simplifies Kerberoasting.
Run Rubeus to request TGS tickets for all SPNs:
rubeus.exe kerberoast /outfile:tickets.txt
If targeting a specific SPN (e.g., shiv):
Rubeus.exe kerberoast /spn:HTTP/web.tech.untoldcyber.local /outfile:shiv_ticket.txt
The output is saved in a hash format ($krb5tgs) suitable for offline cracking.
Step 4: Cracking the TGS Ticket
The TGS ticket obtained using Rubeus or Mimikatz is cracked offline to retrieve the service account password.
Using Hashcat
Save the ticket hash to a file (e.g., shiv_ticket.hash) and use Hashcat with the Kerberos TGS cracking mode (13100):
Using John the Ripper
Convert the ticket to a format compatible with John and crack it using a wordlist:
john --wordlist=wordlist.txt shiv_ticket.hash
Once cracked, the attacker obtains the password for the shiv account (e.g., shiv@123).
Step 5: Privilege Escalation
With the credentials of the shiv account:
- The attacker logs in using the new credentials.
- If
shivhas elevated privileges (e.g., Domain Admin or access to sensitive servers), they proceed with privilege escalation.
Best Practices to Prevent Kerberoasting
- Restrict Access:
- Block unnecessary ports (e.g., TCP/UDP 88) on firewalls to prevent external access to Kerberos services.
- Use VPNs or Zero Trust architecture to restrict domain access.
- Strong Authentication:
- Enforce Multi-Factor Authentication (MFA) for remote access to ensure compromised credentials cannot be used alone.
- Harden Service Accounts:
- Use strong passwords and regularly rotate passwords for service accounts.
- Transition to Managed Service Accounts (MSAs), which automatically manage strong passwords.
- Monitor and Audit:
- Monitor for unusual Kerberos activity, especially Event ID 4769 (Kerberos Service Ticket Request).
- Look for external IPs attempting to interact with AD-related services.
Reference :
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
https://www.picussecurity.com/resource/blog/kerberoasting-attack-explained-mitre-attack-t1558.003
Conclusion
In this blog, we’ve explored the intricacies of kerberoasting attacks within Active Directory environments, focusing on the untold.local forest and tech.untoldcyber.local domain. We detailed the attack methodology, including enumeration of Service Principal Names (SPNs), requesting Ticket Granting Service (TGS) tickets, and offline cracking to retrieve service account credentials. Additionally, we discussed the use of tools like PowerShell Active Directory module, PowerView, Rubeus, and Mimikatz in executing these attacks.
Understanding such attack vectors is crucial for organizations to bolster their security posture. Implementing best practices, such as enforcing strong password policies, monitoring Kerberos-related events, and utilizing Managed Service Accounts (MSAs), can significantly mitigate the risks associated with Kerberoasting.
For a comprehensive understanding of Active Directory security, web application attacks, and effective interview preparation, we invite you to explore our extensive resources at Untold Cyber. Our platform offers in-depth blogs and services tailored to enhance your cybersecurity knowledge and skills.
Stay informed and proactive in the ever-evolving field of cybersecurity.
0 Comments