Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DerbyCon 2019 - Kerberoasting Revisited


Published on

Given at DerbyCon 2019, this presentation covers Kerberoasting nuances we weren't aware of until recently.

Published in: Internet
  • Be the first to comment

DerbyCon 2019 - Kerberoasting Revisited

  1. 1. Kerberoasting Revisited @harmj0y
  2. 2. # whoami ▪ Job: Technical Architect at SpecterOps ▪ Co-founder: Veil-Framework, Empire, PowerView/PowerUp, BloodHound, GhostPack ▪ Cons: DerbyCon (since 4.0!), BlackHat, DEF CON 2
  3. 3. tl;dr ▪ Exactly how Kerberoasting works ▪ Kerberoasting Approaches ▪ msDS-SupportedEncryptionTypes ▪ Building a Better Kerberoast ▪ What’s Next 3
  4. 4. The Start… (DerbyCon 4.0!) 4 Thanks @timmedin!
  5. 5. 5 WMI PowerShell Remoting File Share SQL HOST/ HTTP/ HOST/ RPCSS/ CIFS/ MSSQLSvc/ dir computer.domain.comC$ 1. Here’s my TGT. I want a service ticket for: CIFS/ 2. Service ticket returned: CIFS/ 3. Use service ticket: CIFS/ Domain Controller Attacker
  6. 6. 6 dir computer.domain.comC$ 1. Here’s my TGT. I want a service ticket for: CIFS/ 2. Look up which (user or computer$) account has the CIFS/ service principal name (SPN) registered 3. Encrypt part of the service ticket with the key of looked- up account (computer$ here) 4. Target service decrypts the service ticket w/ shared computer$ key. Target service decides whether to allow access! File Share CIFS/ Domain Controller Attacker
  7. 7. ▪ The target service and the domain controller have to share some key so the service can decrypt the ticket ▪ For most SPNs, this is the computer$ account key/hash □ Random characters/not crackable, 30 day change window L ▪ But if the SPN is registered for a user account, we now have a piece of data that’s encrypted with their key □ Requesting this and cracking offline == Kerberoasting ! 7 Kerberoasting 101: Background
  8. 8. ▪ Service tickets (like TGTs) generally use either AES256_CTS_HMAC_SHA1_96 (AES256) or RC4_HMAC_MD5 (RC4/NTLM) keys for ticket encryption ▪ We really want RC4, since it’s orders of magnitude faster to crack 8 Kerberoasting 101: Key Encryption Types
  9. 9. ▪ ANY user can request ANY service ticket (by design!) ▪ No packets are sent to the service target unless we try to use the requested ticket! ▪ Translation: if a user has a non-null servicePrincipalName property, we can crack their password offline 9 Kerberoasting 101: Why Care
  10. 10. 10 Kerberoasting 101: Using the Goods ▪ If a user account has an SPN registered, the user often: □ has admin privileges on the machine specified in the SPN □ and/or is other privileged domain groups ▪ Even if they don’t/aren’t, with the key cracked, we can forge service tickets as ANY user to the specific SPN
  11. 11. External-In -Need creds (pw/hash) of existing domain account to first get a TGT so service tickets can be requested -More difficult over high latency C2 -But can granularly control all aspects of the exchange (i.e. RC4) Current Kerberoasting Approaches Domain-Joined Windows Host -Don’t need credentials, just execution in a domain user’s context -Easier over high latency C2 -Built-in request methods don’t let you control aspects (like encryption levels) of the exchange 11
  12. 12. ▪ The existing domain-joined Kerberoasting methods involve using setspn.exe or .NET’s KerberosRequestorSecurityToken class to request a service ticket for a target SPN ▪ The tickets are then carved out of memory (Mimikatz) or extracted using the GetRequest() method (PowerView) 12 Current Kerberoasting Approaches
  13. 13. ▪ Modern (2008+ functional level) domains are supposed to use AES keys by default for Kerberos ▪ So requesting a RC4 service ticket should result in “encryption downgrade activity” ▪ But built-in request methods for user-backed SPNs nearly always return RC4-encrypted service tickets 🤔 13 Sidenote: Kerberoasting Defenses
  14. 14. 14
  15. 15. msDS- SupportedEncryptionTypes ▪ AD user/computer account property touched on by Jim Shaver and Mitchell Hennigan in their DerbyCon 7.0 “Return From The Underworld” talk ▪ According to Microsoft’s [MS-ADA2], “The Key Distribution Center (KDC) uses this information [msDS- SupportedEncryptionTypes] while generating a service ticket for this account.” 15
  16. 16. msDS- SupportedEncryptionTypes ▪ According to MS-KILE the default value for this field is 0x1C (RC4 | AES128 | AES256 = 28) for Windows 7+ and Server 2008R2+ ▪ However, this property is only set by default on computer accounts (not user or trust accounts!) □ If this property is not defined/set to 0, [MS-KILE] says default behavior is to use a value of 0x7 (RC4) 16
  17. 17. 17 However we can set user accounts to explicitly support AES 128/256 encryption 0x18 (AES128 | AES256 = 24)
  18. 18. 18 But… 🤔
  19. 19. Why Care? ▪ There doesn’t seem to be an easy way to disable RC4_HMAC service ticket requests on user accounts, meaning we can’t “stop” RC4 Kerberoasting □ We can disable RC4 for the entire domain, but this also kills RC4 TGTs, which isn’t feasible for most environments ▪ Setting AES support for user accounts at least gives us the “encryption downgrade” detection 19
  20. 20. Downsides of Built-in Ticket Request Methods ▪ .NET/setspn approaches request/cache dozens (or hundreds) of service tickets on the attacker host ▪ .NET’s KerberosRequestorSecurityToken doesn’t let you specify encryption levels (RC4 vs AES) for ticket requests □ Since we don’t have a proper TGT, we can’t hard specify RC4 like Impacket/Metasploit 20
  21. 21. Obtaining a User’s TGT: The “tgtdeleg” Trick ▪ @gentilkiwi realized we can request an outgoing service ticket request for a SPN on an unconstrained delegation server (the domain controller) ▪ This results in a delegated TGT for the current user being present in the AP-REQ in a way we can retrieve it ▪ Translation: we get a usable TGT for the current user! 21
  22. 22. Rubeus: Building a Better Kerberoast ▪ Rubeus implements the structures needed for service ticket requests/responses ▪ Rubeus also implements Kekeo’s tgtdeleg trick ▪ Combined, this allows us to: a) avoid caching service tickets on the attacker- controlled host b) specify RC4 in the service ticket requests 22
  23. 23. Rubeus: Kerberoasting Opsec 23
  24. 24. Kerberoasting: What’s Next 24
  25. 25. One More Wrinkle… 25
  26. 26. Thanks!Any questions? ▪ @harmj0y ▪ will [at] Get Rubeus: ▪ 26
  27. 27. Credits Tim Medin for his groundbreaking Kerberoasting work Benjamin Delpy for Mimikatz and Kekeo ♡ Alberto Solino for his Kerberoasting/sname/Impacket work @fist0urs for his krb5tgs AES Hashcat work Matan Hart for his PowerView Kerberoasting contributions 27