Attacking Kerberos

Attack Privilege Requirements

  • Kerbrute Enumeration - No domain access required

  • Pass the Ticket - Access as a user to the domain required

  • Kerberoasting - Access as any user required

  • AS-REP Roasting - Access as any user required

  • Golden Ticket - Full domain compromise (domain admin) required

  • Silver Ticket - Service hash required

  • Skeleton Key - Full domain compromise (domain admin) required

Attack Methods

  • ASREPRoasting

    • An attack method

    • Happens when a user account has the "Does not require Pre-Authentication" setting enabled

      • This means that the KDC will answer a ticket request for that account without the requester first proving its identity (pre-authentication)

    • Impacket has a tool called "GetNPUsers.py" (located in impacket/examples/GetNPUsers.py) that lets us query AS-REP roastable accounts from the Key Distribution Center

      • The only thing you need to query accounts is a valid list of usernames, which you can enumerate using Kerbrute
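The condition the notes describe is a single bit in the account's userAccountControl attribute: DONT_REQ_PREAUTH (0x400000). The following is an added example, not part of the original notes or of Impacket, that audits a directory export for that bit from the defender's side and reports which accounts need it cleared. The account records are constructed; a live export would normally come from an LDAP query using the bitwise matching rule, (userAccountControl:1.2.840.113556.1.4.803:=4194304).

```python
# Added example (not from the original notes): find accounts that are
# AS-REP roastable because DONT_REQ_PREAUTH is set in userAccountControl.

# Real userAccountControl bit values (ADS_USER_FLAG_ENUM).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

# Constructed sample export: sAMAccountName plus the raw userAccountControl.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "admin-1", "userAccountControl": 0x200},        # NORMAL_ACCOUNT only
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x400200},  # NORMAL + DONT_REQ_PREAUTH
    {"sAMAccountName": "legacy-app", "userAccountControl": 0x410200},  # also DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "old-user", "userAccountControl": 0x400202},    # disabled, flag still set
]


def decode_uac(value):
    """Return the names of the audited bits that are set in value."""
    names = []
    for name, bit in (("ACCOUNTDISABLE", UAC_ACCOUNTDISABLE),
                      ("DONT_EXPIRE_PASSWORD", UAC_DONT_EXPIRE_PASSWORD),
                      ("DONT_REQ_PREAUTH", UAC_DONT_REQ_PREAUTH)):
        if value & bit:
            names.append(name)
    return names


def find_asrep_roastable(accounts):
    """Return one finding per account with pre-authentication disabled.

    Each finding carries the decoded flags, whether the account is still
    enabled (enabled accounts are listed first), and the userAccountControl
    value the account should have once the bit is cleared.
    """
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not uac & UAC_DONT_REQ_PREAUTH:
            continue
        flags = decode_uac(uac)
        findings.append({
            "account": acct["sAMAccountName"],
            "flags": flags,
            "enabled": "ACCOUNTDISABLE" not in flags,
            "fixed_uac": uac & ~UAC_DONT_REQ_PREAUTH,
        })
    findings.sort(key=lambda f: not f["enabled"])
    return findings


if __name__ == "__main__":
    for f in find_asrep_roastable(SAMPLE_ACCOUNTS):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']:<12} {state:<9} {f['flags']} -> set UAC to {f['fixed_uac']:#x}")
```

Disabled accounts are still reported: the flag survives re-enabling, so clearing it is part of the clean-up regardless of account state.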

Enumerating Users

  • Use Kerbrute to enumerate users (it takes a file of candidate usernames; USERNAME_LIST.txt below is a placeholder)

./kerbrute userenum --dc DC_NAME -d DOMAIN_STRING USERNAME_LIST.txt
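From the domain controller's side, a Kerbrute run like the one above shows up as a burst of Kerberos TGT request events (Security event 4768) from one client address, each naming a different account: unknown names are answered with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), existing ones with 0x19 (KDC_ERR_PREAUTH_REQUIRED). The following is an added example, not part of the original notes or of Kerbrute, that flags such sources over constructed event lines; it assumes failure auditing for "Audit Kerberos Authentication Service" is enabled, since otherwise the failed requests are not recorded, and the flattened "Field: Value" line layout is an assumption of this sample.

```python
# Added example (not from the original notes): spot username enumeration
# against the KDC from a run of 4768 events with probe-style result codes.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Real Kerberos result codes carried by 4768 when usernames are probed.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # account does not exist
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # account exists, pre-auth needed
PROBE_CODES = {KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_REQUIRED}

# Constructed sample: one flattened 4768 event per line.
SAMPLE_4768 = """\
EventID: 4768 Time: 2024-05-01T09:00:01 AccountName: jsmith ClientAddress: 10.0.0.5 ResultCode: 0x0
EventID: 4768 Time: 2024-05-01T09:00:02 AccountName: administrator ClientAddress: 10.0.0.77 ResultCode: 0x19
EventID: 4768 Time: 2024-05-01T09:00:02 AccountName: admin ClientAddress: 10.0.0.77 ResultCode: 0x6
EventID: 4768 Time: 2024-05-01T09:00:02 AccountName: backup ClientAddress: 10.0.0.77 ResultCode: 0x6
EventID: 4768 Time: 2024-05-01T09:00:03 AccountName: svc-sql ClientAddress: 10.0.0.77 ResultCode: 0x19
EventID: 4768 Time: 2024-05-01T09:00:03 AccountName: test ClientAddress: 10.0.0.77 ResultCode: 0x6
EventID: 4768 Time: 2024-05-01T09:00:04 AccountName: guest ClientAddress: 10.0.0.77 ResultCode: 0x6
EventID: 4768 Time: 2024-05-01T09:00:30 AccountName: jsmith ClientAddress: 10.0.0.5 ResultCode: 0x6
EventID: 4768 Time: 2024-05-01T09:05:00 AccountName: bob ClientAddress: 10.0.0.9 ResultCode: 0x19
"""

FIELD_RE = re.compile(r"(\w+): (\S+)")


def parse_events(text):
    """Turn each flattened event line into a dict of its fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def enumeration_sources(events, window_seconds=60, min_distinct_names=5):
    """Return {client_address: sorted probed names} for every source that
    asked the KDC about many distinct usernames inside one time window."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == "4768" and ev.get("ResultCode") in PROBE_CODES:
            by_source[ev["ClientAddress"]].append(
                (datetime.fromisoformat(ev["Time"]), ev["AccountName"]))
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for src, probes in by_source.items():
        probes.sort()
        # Sliding window over the time-ordered probes from this one source.
        for i, (start, _) in enumerate(probes):
            names = {name for t, name in probes[i:] if t - start <= window}
            if len(names) >= min_distinct_names:
                flagged[src] = sorted(names)
                break
    return flagged


if __name__ == "__main__":
    for src, names in enumeration_sources(parse_events(SAMPLE_4768)).items():
        print(f"{src}: {len(names)} distinct names probed: {', '.join(names)}")
```

A single failed logon with a mistyped name (the second jsmith line) never reaches the threshold; the count is of distinct names per source, which is what separates enumeration from ordinary typos.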

Harvesting Tickets

  • Use Rubeus

Kerberoasting

  • Allows a user to request a service ticket for any service with a registered SPN, then use that ticket to crack the service account's password

  • If the service account has a registered SPN then it can be Kerberoastable

    • Success of the attack depends on how strong the password is and whether it is crackable, as well as the privileges of the cracked service account

  • Use BloodHound to find all Kerberoastable accounts

  • Methods:

    • Using Rubeus

    • Using Impacket

  • Mitigation

    • Strong Service Passwords - If the service account passwords are strong then Kerberoasting will be ineffective

    • Don't make service accounts domain admins
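Two things from the Kerberoasting notes can be checked in code: the request pattern the attack leaves in the logs, and the mitigation that service accounts must not be domain admins. The following is an added example, not part of the original notes, Rubeus or Impacket. It works over constructed Security event 4769 lines (service ticket requested) and flags accounts that pulled RC4 (0x17) tickets for several distinct user-account SPNs, which is the signature of a bulk Kerberoast request; it then audits constructed directory records for SPN-bearing accounts in privileged groups. The flattened "Field: Value" line layout, the group names list and the threshold of three services are assumptions of this sample.

```python
# Added example (not from the original notes): Kerberoasting detection from
# 4769 events plus a check for privileged service accounts.
import re
from collections import defaultdict

# Real 4769 encryption type value: RC4-HMAC, the type a roasting request asks
# for so the ticket is cheap to crack.
RC4_HMAC = "0x17"

# Constructed sample: one flattened 4769 event per line.
SAMPLE_4769 = """\
EventID: 4769 AccountName: jsmith@CORP.LOCAL ServiceName: DC01$ TicketEncryptionType: 0x12 ClientAddress: 10.0.0.5
EventID: 4769 AccountName: jsmith@CORP.LOCAL ServiceName: krbtgt TicketEncryptionType: 0x12 ClientAddress: 10.0.0.5
EventID: 4769 AccountName: bob@CORP.LOCAL ServiceName: svc-sql TicketEncryptionType: 0x17 ClientAddress: 10.0.0.77
EventID: 4769 AccountName: bob@CORP.LOCAL ServiceName: svc-web TicketEncryptionType: 0x17 ClientAddress: 10.0.0.77
EventID: 4769 AccountName: bob@CORP.LOCAL ServiceName: svc-backup TicketEncryptionType: 0x17 ClientAddress: 10.0.0.77
EventID: 4769 AccountName: bob@CORP.LOCAL ServiceName: svc-mail TicketEncryptionType: 0x17 ClientAddress: 10.0.0.77
EventID: 4769 AccountName: bob@CORP.LOCAL ServiceName: FS01$ TicketEncryptionType: 0x17 ClientAddress: 10.0.0.77
EventID: 4769 AccountName: alice@CORP.LOCAL ServiceName: svc-sql TicketEncryptionType: 0x17 ClientAddress: 10.0.0.9
"""

FIELD_RE = re.compile(r"(\w+): (\S+)")


def parse_events(text):
    """Turn each flattened event line into a dict of its fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def is_roastable_target(service):
    """Only user-account SPNs have a crackable password; machine accounts ($)
    and krbtgt are excluded to keep normal traffic out of the count."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def kerberoast_suspects(events, min_distinct_services=3):
    """Return {requesting account: sorted services} for accounts that obtained
    RC4 service tickets for several distinct user-account SPNs."""
    by_account = defaultdict(set)
    for ev in events:
        if (ev.get("EventID") == "4769"
                and ev.get("TicketEncryptionType") == RC4_HMAC
                and is_roastable_target(ev["ServiceName"])):
            by_account[ev["AccountName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in by_account.items()
            if len(svcs) >= min_distinct_services}


# Mitigation check from the notes: an account with an SPN is Kerberoastable,
# so it must not also sit in a domain-admin level group. Records constructed.
SAMPLE_SPN_ACCOUNTS = [
    {"sAMAccountName": "svc-sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"],
     "memberOf": ["Domain Admins", "SQL Operators"]},
    {"sAMAccountName": "svc-web", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "memberOf": ["Web Operators"]},
    {"sAMAccountName": "jsmith", "servicePrincipalName": [], "memberOf": ["Domain Admins"]},
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def privileged_service_accounts(accounts, privileged=PRIVILEGED_GROUPS):
    """Accounts that are both Kerberoastable (have an SPN) and highly privileged."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["servicePrincipalName"] and privileged & set(a["memberOf"]))


if __name__ == "__main__":
    for acct, svcs in kerberoast_suspects(parse_events(SAMPLE_4769)).items():
        print(f"{acct} requested RC4 tickets for {len(svcs)} services: {', '.join(svcs)}")
    print("privileged service accounts:", privileged_service_accounts(SAMPLE_SPN_ACCOUNTS))
```

alice's single RC4 request stays below the threshold, which is deliberate: one RC4 ticket is what any legacy client produces, while one account sweeping many SPNs in RC4 is the pattern worth an alert. If every service account is AES-only, the 0x17 filter alone already separates attack traffic from normal use.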

  • Kerberos

  • Rubeus

  • Impacket
