Kerberos
Introduction
This section contains some of the techniques to obtain, crack and craft Kerberos Tickets to perform lateral movements on the network.
Ticket gathering
Running Rubeus with a privileged account can dump tickets stored on the system.
Despite requiring a compilation, you can download the compiled and the PowerShell version.
Kerberoasting
The technique consists of obtaining the NTLM hash from the TGS (Ticket Granting Service) of any account that has an associated SPN.
You can use any of the following tools.
If the attacker has credentials but not remote access to the system, it can run GetUserSPNs.py
.
Note: To obtain the samaccountname of the service pricipalname run the following command:
Cracking Kerberos Hashes
Once obtained the Kerberos Tickets it is necessary to crack them in order to gain access to the system.
AS-REProasting
Attempt to harvest encrypted TGT, for a later cracking, from users with the attribute DONT_REQ_PREAUTH
enabled.
Cracking password
User Enum (Abusing Pre-Authentication)
By brute-forcing the Kerberos pre-authentication, you do not trigger an account failed event.
Unconstrained Delegation
This vulnerability arises when a principal account (a user or mainly a computer) is configured with unconstrained delegation privileges, which allows the account to impersonate any user on the network and access any resource that the user has permission to access.
Cached tickets
If you have admin access on a machine with unconstrained delegation, look for some cached krbtgt tickets and extract them.
1. Enumerate tickets on the machine
2. Extract the ticket you want
3. Impersonate the user
Force machines authentication
Another method to take advantage of this vulnerability is by executing one of the following tools so the victim machine interacts with the vulnerable machine, obtaining the machine's TGT, so it be used for lateral movement getting access to the machine as administrator.
1. Monitor the machine for new TGTs.
2. Coerce the target machine to attempt authenticating to the attacker controlled machine. To do so, there are several alternatives:
SharpSpoolTrigger (Executable)
PetitPotam (Executable)
printerbug.py (Requires domain credentials)
3. Perform an S4U request to obtain a usable TGS of an Admin user on the machine.
4. Impersonate the user (There are two alternatives)
5. Test if you can access the machine
Constrained Delegation
When constrained delegation is enabled on a service account, it limits the user's access to only specified services on specific computers. This type of delegation is commonly used in scenarios where a user authenticates to a web service without Kerberos and the service needs to make requests to a database server on behalf of the user to retrieve data based on their authorization.
To impersonate a user, Service for User (S4U) extension is used which provides two extensions:
Service for User to Self (S4U2self): Allows a service to obtain a forwardable TGS to itself on behalf of a user.
Service for User to Proxy (S4U2proxy): Allows a service to obtain a TGS to a second service on behalf of a user.
The steps to take advantage of this feature are the following:
1. Obtain the TGT of the principal (computer or user) trusted for delegation.
2. With the TGT, perform an S4U request to obtain a usable TGS for CIFS. This will perform an S4U2Self first and then an S4U2Proxy.
/impersonateuser
is the user we want to impersonate - they should have local admin access on the target machine. nlamb is a domain admin which is required for accessing the domain controller.
/msdsspn
is the service principal name that SQL-2 is allowed to delegate to.
/user
is the principal allowed to perform the delegation.
/ticket
is the TGT for/user
.
3. Impersonate the user (Two alternatives)
4. Check that you have access to the machine.
Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity)
The two major prerequisites to pull off the attack are:
A target computer on which you can modify "msDS-AllowedToActOnBehalfOfOtherIdentity".
Control of another principal that has an SPN.
The steps to reproduce the attack are the following:
1. Look for modifiable ACL permissions
2. On a domain machine with high privilege, request its SID.
3. Set the object you want to modify, in this case "msDS-AllowedToActOnBehalfOfOtherIdentity".
4. Check that the object has been settled correctly.
5. From the computer with higher privileges perform the S4U.
6 Pass the ticket to the session.
Alternate Service Name
On constrained delegation the delegedation occurs not only for the specified service on the target machine but for any service running on the machine under the same account name. There is no validation for the SPN specified in s4u.
Hence, it allows access to different services running on the machine (usually CIFS). To exploit this vulnerability, you can create a TGT with the following command.
Resource-Based Constrained Delegation (GenericWrite to Computer)
Having a domain user with GenericWrite into a domain computer implies that it is possible to access the computer as Administrator.
1. Create a fake domain computer and modify the attribute msds-allowedtoactonbehalfofotheridentity
of the target computer. There are several alternatives to achieve this goal.
Alternative 1 - PowerView
Alternative 2 - AD Module
Alternative 3 - Impacket
2. Check that the configuration has been applied successfuly, so you can continue with the attack.
3. Impersonate the user Administrator. There are several alternatives to achieve this goal.
Rubeus
Impacket
4. Connect to the target machine.
S4U2Self Abuse
S4U2Self (Service for User to Self) allows a service to obtain a TGS to itself on behalf of a user. While, S4U2Proxy allows the service to obtain a TGS on behalf of a user to a second service.
So, when a client authenticates to the service using, say, NTLM authentication, what the service will do is first send S4U2Self request to get TGS to itself. Then use this TGS with S4U2Proxy to request TGS to another service, impersonating a user on that machine. This is because machines do not get remote local admin access to themselves. What we can do instead is abuse S4U2Self to obtain a usable TGS as a user we know is a local admin (e.g. a domain admin).
WriteDacl over a group
If your current user or group has WriteDacl
over a group, you can modify the group ACLs allowing you to add any member to it.
1. Enumerate that your current user has WriteDacl
over a group.
2. Change the ActiveDirectoryRights to "GenericAll".
3. Add your user to the group.
Tickets
Silver Ticket (Local)
A Silver Ticket has limited use because it can only allow access to the targeted service. To achieve this you need to dump any service or domain admin ticket.
Dump the hash and the security identifier for the targeted service.
Create a silver ticket.
Note: The /user
is the username that will appear on the windows security logs.
Now you are able to access the computer hosting the service with admin rights using the techniques of passing the ticket.
In order to check that we have admin permissions on the service host, you can use dir
against the ADMIN$
share.
More ways to access the service machine: Link
Silver Ticket (Remote)
If we are inside a network and have enough information about the victim's service but no access to a machine to craft a ticket with mimikatz, we can ticketer to create a silver ticket. But, we need the following requirements:
NTLM hash: Obtained by obtaining the user's password by cracking the user SPN Ticket, mimizatz, etc. and converting it into NTLM format using a web such as browserling.com.
Domain SID: Obtained using rpcclient, LDAP, mimikatz, getPac, etc.
User-id: Id of the user we want to impersonate, by default, is 500 (Administrator). It can be obtained with the tools mentioned earlier
Then, we can use this ticket for many impacket tools such as:
Golden Ticket
A Golden Ticket allows access to any Kerberos service. In order to achieve this, you need to obtain a ticket from the service account "KRBTGT".
Dump the hash and the security identifier needed to create a Golden Ticket.
Create a golden ticket.
Note: The
/user
is the username that will appear on the windows security logs.Note 2: The
/id
: The user RID. The default value is 500 (local administrator).
Cracking tickets
Just like kerberoasting, you can crack a ticket to get the SPN account password.
Pass The Ticket
Dumping TGT from the LSASS memory of the machine. For a later use impersonating the user.
Exporting tickets
Using the tikets
Linux
Windows
Skeleton Key backdoor
Implanting a skeleton key that abuses AS-REQ encrypted timestamp validation, allowing you to access to the domain forest.
Note: A skeleton key only works using Kerberos RC4 encryption.
Accessing the forest with the default mimikatz password "mimikatz".
References
Last updated