Attacking Kerberos
Room Link: https://tryhackme.com/room/attackingkerberos
Presteps for Lab
Kerbrute Installation
Download a precompiled binary for your OS - https://github.com/ropnop/kerbrute/releases
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64 -O kerbrute && chmod +x kerbrute Impacket Installation
wget https://github.com/fortra/impacket/archive/refs/tags/impacket_0_9_19.tar.gz
tar xvf impacket_0_9_19.tar.gz
cd /root/impacket-impacket_0_9_19
pip install .Download wordlists
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/User.txt
wget https://raw.githubusercontent.com/Cryilllic/Active-Directory-Wordlists/master/Pass.txtAdd hostname to host file
Enumeration w/ Kerbrute
This will brute force user accounts from a domain controller using a supplied wordlist
Harvesting & Brute-Forcing Tickets w/ Rubeus
Login with provided credentials
Kali
Harvest tickets with Rubeus
Victim
This will take a given password and "spray" it against all found users then give the .kirbi TGT for that user
Victim
Kerberoasting w/ Rubeus & Impacket
Kerberoasting #1 - Rubeus
This will dump the Kerberos hash of any kerberoastable users.
Victim
Copy the hashes from the command prompt onto the attacker machine and put it into a .txt file so we can crack it with hashcat. Below command removes all the tabs and formats it properly for hashcat. If you don't format it properly than hashcat will error out.
Kali
Hashcat found the passwords for both of the hashes.
Kerberoasting #2 - Impacket
Hashes were found for the same two accounts when doing this with Rubeus.
AS-REP Roasting w/ Rubeus
Victim
Kali
Transfer the hash from the target machine over to kali and put the hash into a txt file. Insert 23$ after $krb5asrep$ so that the first line will be $krb5asrep$23$User... .The below command does the replace and clean up the output so hashcat can recognize the hashes.
Both passwords cracked.
Pass the Ticket w/ mimikatz
Prepare Mimikatz & Dump Tickets
Victim
Victim - Mimikatz
Pass the Ticket w/ Mimikatz
Run this command inside of mimikatz with the ticket that you harvested from earlier. It will cache and impersonate the given ticket
Victim - Mimikatz
Here were just verifying that we successfully impersonated the ticket by listing our cached ticket.
Victim
You now have impersonated the ticket giving you the same rights as the TGT you're impersonating. To verify this we can look at the admin share.
Victim
Golden/Silver Ticket Attacks w/ mimikatz
Victim
This will dump the hash as well as the security identifier needed to create a Golden Ticket. To create a silver ticket you need to change the /name: to dump the hash of either a domain admin account or a service account such as the SQLService account.
Victim - Mimikatz
Create a Golden/Silver Ticket
A golden ticket attack works by dumping the ticket-granting ticket of any user on the domain this would preferably be a domain admin however for a golden ticket you would dump the krbtgt ticket and for a silver ticket, you would dump any service or domain admin ticket. This will provide you with the service/domain admin account's SID or security identifier that is a unique identifier for each user account, as well as the NTLM hash. You then use these details inside of a mimikatz golden ticket attack in order to create a TGT that impersonates the given service account information.
Golden Ticket
This is the command for creating a golden ticket.
Victim - Mimikatz
Silver Ticket
This is the command for creating a golden ticket as well but to create a silver ticket simply put a service NTLM hash into the krbtgt slot, the sid of the service account into sid, and change the id to 1103.
Victim - Mimikatz
Use the Golden/Silver Ticket to access other machines
NTLM hash of Administrator
NTLM hash of SQLService
Kerberos Backdoors w/ mimikatz
Victim
Victim - Mimikatz
Victim
Last updated