Kerberoasting

Lab: Lateral Movement

Windows Attack Lab – Kerberoasting

Teamwork – Team DaMa

Description

Questions to Answer

Q1:
What is the goal of a Kerberoasting attack?

A1:
Short form:
Collect the TGS of a user to get access to a SPN.

Long form:
Kerberoasting abuses traits of the Kerberos protocol to harvest password hashes for Active Directory user accounts that have servicePrincipalName (SPN) values (i.e. service accounts). Any authenticated user is allowed to request a ticket-granting service (TGS) ticket for any SPN, and part of the TGS is encrypted with RC4 using the password hash of the service account assigned the requested SPN as the key.

An adversary who is able to extract the TGS tickets from memory, or captures them by sniffing network traffic, can extract the service account’s password hash and attempt an offline brute force attack to obtain the plaintext password.

Reference:


Q2:
What is the vulnerability we are actually exploiting?

A2:
By default the TGS is encrypted with RC4-HMAC, which is considered weak and can be brute-forced offline with common tools. Disabling RC4 at the domain controller level might cause lots of things to break in a Windows environment.

Reference:


Q3:
Do you need admin privileges to perform this attack and if so, why?

A3:
It’s not necessary to have admin privileges to perform this attack. A normal domain user can perform such an attack without any specific privileges.

Rubeus specific:

  • It makes raw AS-REQs aka TGT requests with either RC4 (NTLM hash) or aes128/256_hmac
    encryption keys and applies the returned tickets using existing LSA APIs
  • Because this does not patch LSASS directly, it lets you PTH without needing admin access

Q4:
Which encryption type was used to encrypt the TGS?

A4:
In the Kerberoast example the encryption type was RC4-HMAC.
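As an added example for A2 and A4 (not part of the lab or the Team DaMa write-up): the defender-side view of the same weakness. The domain controller logs every TGS request as Security Event ID 4769 with the ticket encryption type, where 0x17 is RC4-HMAC and 0x12 is AES256, so a burst of RC4 service-ticket requests for many distinct SPNs from one user account is the observable signature of the attack. The key=value flattening of the events, the account names and the SPNs below are constructed sample data, not real log output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Windows Security Event ID 4769
# ("A Kerberos service ticket was requested"). Real events are XML/EVTX;
# the key=value form is a constructed flattening for this example.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:01 EventID=4769 Account=jdoe@LAB.LOCAL Service=MSSQLSvc/db01.lab.local:1433 TicketEncryptionType=0x17",
    "2024-03-01T10:00:02 EventID=4769 Account=jdoe@LAB.LOCAL Service=HTTP/web01.lab.local TicketEncryptionType=0x17",
    "2024-03-01T10:00:03 EventID=4769 Account=jdoe@LAB.LOCAL Service=MSSQLSvc/db02.lab.local:1433 TicketEncryptionType=0x17",
    "2024-03-01T10:00:04 EventID=4769 Account=jdoe@LAB.LOCAL Service=CIFS/fs01.lab.local TicketEncryptionType=0x17",
    "2024-03-01T10:01:00 EventID=4769 Account=asmith@LAB.LOCAL Service=CIFS/fs01.lab.local TicketEncryptionType=0x12",
    "2024-03-01T10:01:30 EventID=4769 Account=asmith@LAB.LOCAL Service=HTTP/web01.lab.local TicketEncryptionType=0x12",
    "2024-03-01T11:30:00 EventID=4769 Account=bking@LAB.LOCAL Service=HTTP/web01.lab.local TicketEncryptionType=0x17",
    "2024-03-01T12:40:00 EventID=4769 Account=bking@LAB.LOCAL Service=MSSQLSvc/db01.lab.local:1433 TicketEncryptionType=0x17",
]

RC4_HMAC = 0x17  # etype 23, the type seen in the lab; AES (0x11/0x12) is not flagged

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Return the parsed fields of a 4769 line (timestamp, account, SPN, etype) or None."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    if fields.get("EventID") != "4769":
        return None
    fields["ts"] = datetime.fromisoformat(ts_str)
    fields["etype"] = int(fields["TicketEncryptionType"], 16)
    return fields

def find_kerberoast_candidates(lines, min_spns=3, window=timedelta(minutes=5)):
    """Flag accounts that requested RC4 TGS tickets for >= min_spns distinct SPNs inside `window`."""
    per_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["etype"] == RC4_HMAC:
            per_account[ev["Account"]].append((ev["ts"], ev["Service"]))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()  # sliding window over the account's RC4 requests in time order
        for i, (start, _) in enumerate(reqs):
            spns = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits

if __name__ == "__main__":
    for account, spns in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 SPNs -> {spns}")
```

Tune `min_spns` and `window` to the environment: a single RC4 request for a legacy service is normal noise, while many distinct SPNs in seconds from one user is the pattern to alert on. The complementary hardening is to set AES-only on the service accounts (so the DC stops issuing RC4 tickets for them) and to give them long random passwords that an offline brute force cannot recover.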

PDF Report
Readme-StepX