In this blog post we will have a look at three different ways to perform kerberoasting, how to use hashcat to crack the service ticket (hash), and a few ways that we can mitigate this type of attack.
As an attacker, it is very important that we have multiple ways to accomplish a single task. If for some reason the method or tool we are using to perform an attack fails, we need to have options available to carry out the task in a different way. We as attackers cannot heavily rely on a single tool or method when performing our attacks.
Kerberoasting is a technique used by attackers, which allows them to request a service ticket for any service with a registered SPN. Once requested, this service ticket will be presented to the attacker in the form of a TGS-REP hash.
The attacker then takes this ticket (hash) and uses it to crack the service accounts password. If the service has a registered SPN, then it should be Kerberoastable; however, the success of the attack depends on how strong the password is as well as the level of privileges that the cracked service account has.
In order to perform a kerberoast attack, we need to either have a set of credentials or a foothold on the victim.
To enumerate all Kerberoastable accounts, you can use a tool like BloodHound, which will allow you to see what kind of accounts you can kerberoast, which accounts are domain admins, and what kind of connections they have to the rest of the domain; However, for this example we will not be using BloodHound and will keep that for another post.
Finding Kerberoastable Users Using setspn
The setspn command is used to find available SPNs in the domain and can be used by an attacker to let them know if kerberoasting is possible. This is a great way to probe for kerberoastable users using built-in functionality before downloading any tools onto the victim.
To use the setspn command, you must know either the hostname of the system you currently have a foothold on, or the name of the domain.
Once the hostname or domain name has been determined (in this example JUGG-meisenhardt is the hostname), it can be used in the following command to find existing SPNs in the domain:
setspn -T JUGG-meisenhardt -F -Q */*
It is better to use the domain name in the above command rather than hostname; but for POC, I wanted to show that you could use the hostname. Using the hostname, setspn will query the forest the host is joined to in order to find the domain name.
Rubeus is a tool that can be used to dump the Kerberos hash of any kerberoastable users in the domain.
You can find a copy of rubeus.exe here, but you will need to compile the executable yourself. Luckily, there is a compiled version that you can find here.
For this example we will be using rubeus in the most basic way to dump the tickets of all kerberoastable users; However, it is definitely a good idea to go over to the GitHub page using the first link above and check out all the ways you can use this tool to abuse kerberos.
After gaining a foothold on the victim and downloading rubeus.exe, you can dump the TGS-REP hashes of all kerberoastable users in the domain by simply using the following command:
Next, you will need to take all of the hashes you found and copy + paste them onto the attacker machine. Use a text editor to make a file called hashes.txt (or whetever you want to call it) to crack with hashcat.
When you copy + paste this hash into a txt file, it will have new lines for each line seen above. If you try to crack this hash as is, it will not work as it is not in the proper format for hashcat. You can use some linux-fu to clean this up or just simply remove all the new lines manually. Regardless of how you do it, the key is to have this hash in a txt file as one continuous string so that it can be cracked using hashcat.
Cracking the TGS-REP Hashes with Hashcat
Now that we have pasted the hashes into our service_hashes.txt file and cleaned it up, we can use hashcat’s help menu to help us find the cracking mode needed to crack this type of hash. We know that the ticket we requested is a TGS-REP hash, and using hashcat’s help menu, we find that the cracking mode for TGS-REP hashes is 13100.
We then take that information and use it to craft our hashcat command to crack the hashes.
hashcat -h | grep -i 'kerberos' hashcat -m 13100 ./service_hashes.txt /usr/share/wordlists/rockyou.txt -o cracked_hashes.txt
We were able to crack one of the hashes using hashcat + rockyou.txt.
backup_svc : Makemoney1!
Invoke-Kerberoast.ps1 is a PowerShell script that is part of the PowerShell Empire post-exploitation framework.
Once a foothold has been established on the victim, there are two ways that we can use this script. One way, which requires you to have a PowerShell prompt on the victim, is to download the script to disk, use dot sourcing to load it into the current session, and then run the following command to request a ticket and receive the hash in a hashcat crackable format:
. .\Invoke-Kerberoast.ps1 Invoke-Kerberoast -OutputFormat hashcat | fl
If you have gotten a foothold on the victim but you are currently in a cmd.exe prompt, you can try using the command powershell -ep bypass to upgrade from cmd.exe to PowerShell. If that command causes the prompt to hang and ultimately fails to work, then you will need to send back a Nishang reverse PowerShell shell to yourself or find another way to upgrade to a PowerShell prompt.
Alternatively, the Invoke-Kerberoast command can be appended to the bottom of the script and then using the IEX command, we can download it directly into memory, which allows the command that we hardcoded to the bottom of the script to auto-execute.
For this, you will want to copy the Invoke-Kerberoast.ps1 script into your working directly so that you are not editing the original script.
Add the following command to bottom of script like so:
Then, on the victim you can download the script directly into memory using the following command:
Now, we can repeat the steps we did when we dumped the tickets with rubeus to copy + paste the hashes into a TXT file and then proceed to crack them using hashcat.
The GetUserSPNs.py tool is part of the Impacket Suite of Tools, which is an excellent collection that all hackers NEED to have in their tool belt. For this example we will only be using the GetUserSPNs.py script but make sure to check out the other scripts that come in the suite as there are just so many good ones in there.
The beautiful thing about the GetUserSPNs.py script is that it is executed remotely on the attacker side, which means it is not necessary to have a foothold on the victim to perform this attack. However, you will still need a valid user/pass combo as that is ALWAYS a requirement for kerberoasting.
There is another kerberos attack called AS-REP roasting, which can be performed with just a valid username, but that requires PREAUTH to be turned off on the user and is a topic for a different post.
To find out more about AS-REP Roasting, check out my post on it here.
Now, using the following command, we can remotely request a service ticket (change the user/pass and IP for your needs):
GetUserSPNs.py juggernaut.local/meisenhardt:Str0ng3r77 -dc-ip 172.16.1.5 -request
Again, we can repeat the steps we did when we dumped the tickets with rubeus to copy + paste the hashes into a TXT file and then proceed to crack them using hashcat.
- Strong Service Passwords: If the service account passwords are strong then kerberoasting will be ineffective.
- Don’t Make Service Accounts Domain Admins: Service accounts don’t need to be domain admins, kerberoasting won’t be as effective if you don’t make service accounts domain admins.