We covered the solution walkthrough for TryHackMe Attacking Kerberos room where we focused on Kerberos attacks such as Kerberoasting, AS-REP Roasting, Pass the Ticket and Golden/Silver Ticket Attacks within Windows Active Directory.
Please watch the video at the bottom for full detailed explanation of the walkthrough.
Windows Active Directory Penetration Testing Study Notes
Definition of Kerberos
Kerberos is the default authentication service for Microsoft Windows domains. It is intended to be more “secure” than NTLM by using third party ticket authorization as well as stronger encryption. Even though NTLM has a lot more attack vectors to choose from Kerberos still has a handful of underlying vulnerabilities just like NTLM that we can use to our advantage.
Common Definitions
- Ticket Granting Ticket (TGT) – A ticket-granting ticket is an authentication ticket used to request service tickets from the TGS for specific resources from the domain.
- Key Distribution Center (KDC) – The Key Distribution Center is a service for issuing TGTs and service tickets that consist of the Authentication Service and the Ticket Granting Service.
- Authentication Service (AS) – The Authentication Service issues TGTs to be used by the TGS in the domain to request access to other machines and service tickets.
- Ticket Granting Service (TGS) – The Ticket Granting Service takes the TGT and returns a ticket to a machine on the domain.
- Service Principal Name (SPN) – A Service Principal Name is an identifier given to a service instance to associate a service instance with a domain service account. Windows requires that services have a domain service account which is why a service needs an SPN set.
- KDC Long Term Secret Key (KDC LT Key) – The KDC key is based on the KRBTGT service account. It is used to encrypt the TGT and sign the PAC.
- Client Long Term Secret Key (Client LT Key) – The client key is based on the computer or service account. It is used to check the encrypted timestamp and encrypt the session key.
- Service Long Term Secret Key (Service LT Key) – The service key is based on the service account. It is used to encrypt the service portion of the service ticket and sign the PAC.
- Session Key – Issued by the KDC when a TGT is issued. The user will provide the session key to the KDC along with the TGT when requesting a service ticket.
- Privilege Attribute Certificate (PAC) – The PAC holds all of the user’s relevant information, it is sent along with the TGT to the KDC to be signed by the Target LT Key and the KDC LT Key in order to validate the user.
- AS-REQ w/ Pre-Authentication: The AS-REQ step in Kerberos authentication starts when a user requests a TGT from the KDC. In order to validate the user and create a TGT for the user, the KDC must follow these exact steps. The first step is for the user to encrypt a timestamp NT hash and send it to the AS. The KDC attempts to decrypt the timestamp using the NT hash from the user, if successful the KDC will issue a TGT as well as a session key for the user.
Kerberos Authentication
AS-REQ – 1.) The client requests an Authentication Ticket or Ticket Granting Ticket (TGT).
AS-REP – 2.) The Key Distribution Center verifies the client and sends back an encrypted TGT.
TGS-REQ – 3.) The client sends the encrypted TGT to the Ticket Granting Server (TGS) with the Service Principal Name (SPN) of the service the client wants to access.
TGS-REP – 4.) The Key Distribution Center (KDC) verifies the TGT of the user and that the user has access to the service, then sends a valid session key for the service to the client.
AP-REQ – 5.) The client requests the service and sends the valid session key to prove the user has access.
AP-REP – 6.) The service grants access Interact with IOCs and how the adversaries operationalize.
Using Rubeus to Harvest Kerberos Tickets & Perform Password Spraying
Rubeus has a wide variety of attacks and features that allow it to be a very versatile tool for attacking Kerberos. Just some of the many tools and attacks include overpass the hash, ticket requests and renewals, ticket management, ticket extraction, harvesting, pass the ticket, AS-REP Roasting, and Kerberoasting.
The below command tells Rubeus to harvest for TGTs every 30 seconds
Rubeus.exe harvest /interval:30
The below command will take a given password and “spray” it against all found users then give the .kirbi TGT for that user
Rubeus.exe brute /password:Password1 /noticket
Definition of Kerberoasting
Kerberoasting is an attack that targets service accounts in AD to escalate privileges.
Kerberoasting allows a user to request a service ticket for any service with a registered SPN then use that ticket to crack the service password. If the service has a registered SPN then it can be Kerberoastable however the success of the attack depends on how strong the password is and if it is trackable as well as the privileges of the cracked service account.
Definition of ASREP Roasting
ASREP Roasting is a type of attack that involves an attacker impersonating an authentication request (requesting a ticket for the target user) for a user that has Kerberos pre-authentication feature not enabled or configured. Pre-authentication requires the client to prove its identity before the Kerberos Key Distribution Center will issue a ticket.
Room Answers | TryHackMe Attacking Kerberos
What does TGT stand for?
Ticket Granting Ticket
What does SPN stand for?
Service Principal Name
What does PAC stand for?
Privilege Attribute Certificate
What two services make up the KDC?
AS, TGS
How many total users do we enumerate?
10
What is the SQL service account name?
SQLService
What is the second “machine” account name?
Machine2
What is the third “user” account name?
User3
Which domain admin do we get a ticket for when harvesting tickets?
Administrator
Which domain controller do we get a ticket for when harvesting tickets?
CONTROLLER-1
What is the HTTPService Password?
Summer2020
What is the SQLService Password?
MYPassword123#
What hash type does AS-REP Roasting use?
Kerberos 5 AS-REP etype 23
Which User is vulnerable to AS-REP Roasting?
User3
What is the User’s Password?
Password3
Which Admin is vulnerable to AS-REP Roasting?
Admin2
What is the Admin’s Password?
P@$$W0rd2
What is the SQLService NTLM Hash?
cd40c9ed96265531b21fc5b1dafcfb0a
What is the Administrator NTLM Hash?
2777b7fec870e04dda00cd7260f7bee6
Video Walkthrough | TryHackMe Attacking Kerberos