Kerberos Takedown: Unleashing Rubeus and Impacket for Active Directory Domination

Jinendar Kothari
4 min read · Jul 19, 2023


Welcome to my blog post, where we dive deep into the fascinating world of Kerberos, the authentication protocol that safeguards many Active Directory environments. In this article, we’ll explore how to leverage powerful tools like Rubeus and Impacket to dissect, analyze, and potentially exploit Kerberos weaknesses. Before we proceed, it’s essential to emphasize that the knowledge shared here should be used responsibly and with explicit authorization from system administrators.

This blog is based on the techniques I learned from TryHackMe and the Practical Ethical Hacking course by TCM Security.

Understanding Kerberos: A Brief Overview

Kerberos is the default authentication service for Microsoft Windows domains.

It is intended to be more secure than NTLM by using third-party ticket authorization as well as stronger encryption.

Although NTLM offers a wider range of attack vectors, Kerberos also has a few underlying weaknesses, similar to NTLM, which can be leveraged to our advantage.

Kerberoasting Overview

In this section, we will explore one of the most well-known Kerberos attacks, known as Kerberoasting.

This attack enables a user to request a service ticket for any service with a registered Service Principal Name (SPN) and then use that ticket to crack the service account's password offline.

To identify Kerberoastable accounts, I recommend using a tool like BloodHound, which is highly effective at identifying potential target accounts.

Note: To initiate the Kerberoasting attack, you’ll need valid credentials, usually a domain user account. This account does not require any specific administrative privileges.

The examples below are taken from what I learned in the Attacking Kerberos room by TryHackMe and the Practical Ethical Hacking course by TCM Security.

Kerberoasting with Impacket

Impacket is a collection of Python scripts and tools designed to interact with network protocols and perform various security-related tasks. It is widely used for Active Directory exploitation and is a go-to choice for security professionals, penetration testers, and red teamers.

You can download Impacket from GitHub, although it comes preinstalled in Kali Linux.

Our first step is to dump the hashes with GetUserSPNs.py.

GetUserSPNs.py <domain>/<username>:<password> -dc-ip <IP of DC> -request

Figure: dumping hashes using GetUserSPNs.py

After dumping the hashes, we use hashcat to crack them.

hashcat -m 13100 hash.txt wordlist.txt

Figure: cracking hashes with hashcat

Finally, we cracked the hash: MYpassword@123#

Kerberoasting with Rubeus

Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is a versatile tool designed specifically for interacting with Kerberos tickets and understanding the authentication flow.

The examples below are taken from the Attacking Kerberos room by TryHackMe and the Practical Ethical Hacking course by TCM Security.

Our first step is to download Rubeus onto the victim machine and navigate to the directory where it is stored.

cd Downloads -> navigate to the directory where Rubeus.exe is stored.

Rubeus.exe kerberoast -> this dumps the Kerberos krb5tgs hash of every kerberoastable user.

Searching through the domain, we found two kerberoastable service accounts (SQLService and HTTPService) along with their hashes.

Figure: SQLService (left) and HTTPService (right) along with their Kerberos hashes

Now we take the hashes offline and crack them as we did before.

hashcat -m 13100 hash.txt <wordlist.txt>

After cracking the service account password, there are various ways to exfiltrate data or collect loot, depending on whether the service account is a domain admin.

If the service account is a domain admin, you have control similar to that of a golden/silver ticket and can gather loot such as dumping NTDS.dit.

If the service account is not a domain admin, you can use it to log into other systems and pivot or escalate, or you can spray the cracked password against other service and domain admin accounts. Many companies reuse the same or similar passwords for their service and domain admin users.

Kerberoasting Mitigation

  • Strong service passwords — if the service account passwords are strong, the dumped hashes cannot be cracked and Kerberoasting is ineffective.
  • Don't make service accounts domain admins — service accounts don't need domain admin rights, and without them a cracked service password gives the attacker far less.
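Both tools above request a service ticket for every SPN they find, so the attack also leaves a footprint defenders can watch for: a burst of Windows Security event 4769 (Kerberos service ticket requested) entries from one account, usually with RC4 encryption (etype 0x17, the type hashcat mode 13100 cracks). The script below is an added example, not from the original post or from either tool; the 4769 records it scans are constructed, and the field layout (time, requester, service name, etype) is an assumption about how you would export them from your SIEM.

```python
"""Flag likely Kerberoasting in Windows Security event 4769 (TGS request) logs.

A single account requesting RC4 (etype 0x17) service tickets for several
distinct user SPNs in a short window is the pattern GetUserSPNs.py and
Rubeus kerberoast produce.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample 4769 records: (timestamp, requesting user, service, etype).
# Field layout is an assumption; a real deployment would map SIEM fields here.
SAMPLE_4769 = [
    ("2023-07-19T10:00:01", "alice", "HOST01$",     "0x12"),  # AES, machine acct
    ("2023-07-19T10:00:02", "bob",   "SQLService",  "0x17"),  # RC4 to a user SPN
    ("2023-07-19T10:00:02", "bob",   "HTTPService", "0x17"),  # RC4 to a user SPN
    ("2023-07-19T10:00:03", "bob",   "krbtgt",      "0x17"),  # TGT traffic, ignored
    ("2023-07-19T10:05:00", "carol", "SQLService",  "0x12"),  # AES, single request
]

RC4_ETYPE = "0x17"
IGNORED_SERVICES = {"krbtgt"}

def is_user_service(service: str) -> bool:
    """Machine accounts end in '$' and are not Kerberoasting targets."""
    return not service.endswith("$") and service.lower() not in IGNORED_SERVICES

def find_kerberoasting(events, window_seconds=300, threshold=2):
    """Return {user: sorted services} for every user who requested RC4 tickets
    for at least `threshold` distinct user SPNs within `window_seconds`."""
    per_user = defaultdict(list)
    for ts, user, service, etype in events:
        if etype == RC4_ETYPE and is_user_service(service):
            per_user[user].append((datetime.fromisoformat(ts), service))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        # Slide a window starting at each request and count distinct services in it.
        for i, (start, _) in enumerate(reqs):
            names = {s for t, s in reqs[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(names) >= threshold:
                flagged[user] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

Tune the threshold to your environment: the two-SPN value here matches the two accounts found in this post, while a real domain with many SPNs will show a much larger burst.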

Remember, the intention behind understanding Kerberoasting is to better defend against it and protect your Active Directory environment from potential attacks. Always act responsibly and within the boundaries of the law and ethical considerations.
