**Note: The content in this article is only for educational purposes and understanding of cybersecurity concepts. It should enable people and organizations to have a better grip on threats and know how to protect themselves against them. Please use this information responsibly.**
What is Kerberos?
Kerberos functions as a network authentication protocol. It strives to provide secure authentication for users and services on unsecured networks. Many companies use it in systems that need robust authentication. Microsoft Windows domains are a good example of where Kerberos comes into play.
How Kerberos Works
Kerberos is a network authentication protocol which allows users to authenticate themselves in an unsecured network. The main components of Kerberos are:
Client: The user who access a service
Server: Resource which the user wants to access
Key Distribution Center(KDC): It contains two things:
- Authentication Server (AS): It verifies user identity and provides Ticket Granting Ticket (TGT),
- Ticket Granting Server (TGS): it provides service tickets based on Ticket Granting Ticket (TGT).
The authentication starts when the client sends the authentication request to the Authentication Server. The Authentication Server checks credentials, and if the credentials are right, it provides Ticket Granting Ticket (TGT), which is encrypted with the client’s secret key ( based on their password). When the client needs to access a particular service, they send a request to the Ticket Granting Server (TGS) which includes the TGT they receive from AS and the service they want to access. TGS decrypts the TGT to check if it’s valid or not, and then issues a service ticket that is encrypted with a service secret key. The ticket includes the client’s identity and a new session key which helps in secure communication between the client and the service. The client then shows the service ticket to the target service. The target service decrypts the ticket using its secret key, and checks the identity of the client and creates a secure session with the client using the provided session key. If the check succeeds, the client will get the access to the service.
Kerberoasting
Kerberoasting is a hacking method that bad guys use after they break into a system. They use it in Windows setups to steal login info for service accounts from a domain. This trick works because of how Kerberos handles login checks.
Kerberoasting allows hackers to grab the KRB_TGS ticket, which has an RC4 lock. They then try to crack the NTLM hash of application service accounts. This trick takes advantage of Kerberos. The KDC hands out KRB_TGS tickets without checking if the user can ask for the service’s SPNs. By grabbing these tickets, hackers can try to break the service account passwords whenever they want. They do this using the RC4 lock that uses the service account’s NTLM hash.
How Kerberoasting Works:
- Service Ticket Request: The attacker gains access to a domain-joined machine and a valid domain account. They then ask for a Kerberos service ticket (TGS – Ticket Granting Service) for a service account. This service account has a Service Principal Name (SPN) linked to it.
- Ticket Encryption: The domain controller creates a service ticket in response. It then encodes this ticket using the password hash of the service account.
- Extracting Tickets: The attacker takes the encoded service ticket from memory.
- Offline Cracking: The attacker tries to crack the service ticket offline. They use brute-force or dictionary attacks to figure out the password of the service account.
Kerberoasting Major Steps:
Step 1: Breaking the client’s network system using various Techniques
Step 2: After that, scan for registered SPNs ( Service Principal Names )
Step 3: Use tools like Mimikatz to request TGS tickets for the SPNs service which you discover
Step 4: Now extract the TGS tickets, which may be present in .kirbi, cache, or service hash form
Step 5: Now change the .kirbi or cache file into a crackable format.
Step 6: Now, use a dictionary for the brute force attack.
Kerberoasting Procedure on Host System
Method : Powershell Script
Step 1: SPN Discover
Get the scripts “Find-PotentiallyCrackableAccounts.ps1” and “Export-PotentiallyCrackableAccounts.ps1” from the given place and put them on the host machine. These scripts help find SPNs and create CSV files with the results.
$ Import-Module .\Find-PotentiallyCrackableAccounts.ps1
$ Find-PotentiallyCrackableAccounts.ps1 -Fulldata -Verbose
$ Import-Module .\Export-PotentiallyCrackableAccounts.ps1
$ Export -PotentiallyCrackableAccounts
Grab the PowerShell script “GetUserSPNs.ps1” from where it’s stored. This script looks through the domain to find SPNs linked to user accounts. Once you’ve added the module to PowerShell, run the command “.\GetUserSPNs.ps1” to list out SPNs.
.\GetUserSPns .ps1
For instance, you can use this command to locate SPNs tied to SQL services.
Step 2: Extract and dump the TGS_ticket, then obtain the hash
In this case, I tried to get the KRB_TGS from the host’s memory using a PowerShell script called “TGSCipher.ps1.” Also, I changed the output to work with John the Ripper.
$ Get-TGSCipher -SPN “WIN-S0V7KMTVLD2/SVC_SQLService.ignite.local:60111” -Format John
As a result, we get the HASH string for the SQL Service.
To download the scripts follow this link below: https://github.com/cyberark/RiskySPN
