
Kerberoasting Attack

1 Background

Kerberoasting is a domain credential attack technique presented by Tim Medin at DerbyCon 2014, together with a supporting tool, kerberoast. Since then many researchers have refined and extended the technique and released a large number of tools on GitHub, and Kerberoasting has become one of the standard methods of attacking a domain.

2 Principle

In the Kerberos authentication and authorization flow, the long-term keys of different accounts (for RC4-HMAC the key is the account's NT hash, which this post calls "NTLM") are used to encrypt different pieces of data:

The client encrypts the pre-authentication data of its AS-REQ with the domain user's key;

The KDC encrypts the issued TGT with the krbtgt account's key;

The KDC encrypts the issued service ticket (TGS) with the key of the service account under which the service runs.

Kerberos uses publicly specified symmetric encryption algorithms.

y = f(x, key) is a known symmetric algorithm, such as rc4_hmac_nt (RC4-HMAC, encryption type 23);

x is the data being encrypted; its layout is fixed by the protocol (for a service ticket it is the DER-encoded EncTicketPart, which among other fields carries the ticket's timestamps);

key is the encryption key, i.e. the account's NT hash for RC4-HMAC; y is the resulting ciphertext.

If y can be captured from the domain network, candidate keys can be tried offline: for each candidate password derive the key, decrypt y with the known f and check the result.

Because the plaintext has a known, easily recognized structure, and because an RC4-HMAC ciphertext carries an HMAC-MD5 checksum that only the correct key reproduces, a wrong candidate is rejected immediately and a match reveals the account's password. (Cracking tools test the checksum rather than parsing the timestamp, but the idea is the same.)

The simpler the password and the weaker the algorithm f, the higher the chance of success. The attacker therefore looks for accounts that combine a weak password with a weak encryption type.

3 Account Types

Accounts in a domain fall into three main groups: computer (host) accounts, ordinary user accounts, and service accounts (user accounts that have an SPN registered on them).

A computer account's password is set by the system to a long random value and is changed automatically every 30 days by default, so it is practically uncrackable.

A user account's password complexity depends on the domain password policy; in a domain with strict requirements it is hard to crack.

3.1 Service account passwords are a special case

The password is often set automatically when the application is installed, and is often simple.

The password rarely changes, because most applications provide no function or interface for rotating the service account password (for example an sqlsvc account running MS SQL Server).

Service accounts therefore usually satisfy the weak-password condition and are the natural cracking targets.

To crack them we still need ciphertext produced with the service account's key.

Because a service ticket (TGS) is encrypted with the service account's key, requesting a service ticket for that service gives us exactly that ciphertext; this is the TGS-REP, step 4 of the Kerberos exchange.

Under Kerberos, any authenticated domain user can request a service ticket for any registered service from the domain controller;

the service does not even need to be online, as long as its SPN (Service Principal Name) is registered in the domain.

4 SPN

4.1 SPN concepts

An SPN is the unique identifier of a service instance running on a server; every service that uses Kerberos authentication needs an SPN.

There are two kinds: SPNs registered on a computer account in AD, and SPNs registered on a domain user account (Users).

When a service runs as Local System or Network Service, its SPN is registered on the machine account (Computers);

When a service runs as a domain user, its SPN is registered on that domain user account (Users).

The SPN format is serviceclass/host:port/servicename,

where serviceclass is the type of service (for example www for a web service);

host should preferably be an FQDN;

port may be omitted when it is the well-known port for the service class, and servicename is optional.


4.2 Querying SPNs

SPNs are stored in an attribute of the account (servicePrincipalName), so enumerating that attribute across all accounts lists every SPN service in the domain. Because computer account passwords are practically uncrackable, only the SPNs of user accounts are queried.

Windows ships a PowerShell module (ActiveDirectory) that can run this query; PowerView wraps it in the Get-DomainUser -SPN command, which lists the SPNs of every user account in the domain.


setspn.exe, included with Windows 7 and Windows Server 2008 and later, lists every registered SPN (computer accounts included):

setspn.exe -q */*

In some domains, service accounts whose services have been decommissioned or stopped are left behind. Whether the service is running has no effect on obtaining a TGS, so these stale SPNs are just as usable for Kerberoasting.
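As an added example (not code from the original post), the following script parses the output of setspn -Q */* into the serviceclass/host:port/servicename fields described above and separates SPNs on user accounts from those on machine accounts. The setspn output is constructed for the demo. The machine-account rule (every computer object carries automatically registered HOST/ SPNs) is a heuristic and an assumption; the authoritative list of user-account SPNs comes from an LDAP query such as (&(samAccountType=805306368)(servicePrincipalName=*)), which is what Get-DomainUser -SPN sends.

```python
# Constructed sample of `setspn -Q */*` output: a DN line followed by its
# tab-indented SPNs, for two computer objects and two user accounts.
SAMPLE_SETSPN_OUTPUT = """\
Checking domain DC=corp,DC=local
CN=DC01,OU=Domain Controllers,DC=corp,DC=local
\tHOST/DC01
\tHOST/dc01.corp.local
\tldap/dc01.corp.local/corp.local
CN=sqlsvc,CN=Users,DC=corp,DC=local
\tMSSQLSvc/sql01.corp.local:1433
\tMSSQLSvc/sql01.corp.local
CN=WS01,CN=Computers,DC=corp,DC=local
\tHOST/WS01
\tHOST/ws01.corp.local
CN=oldsvc,OU=ServiceAccounts,DC=corp,DC=local
\thttp/intranet.corp.local
\thttp/intranet.corp.local:8080/intranet

Existing SPN found!
"""


def parse_spn(spn: str) -> dict:
    """Split serviceclass/host:port/servicename; port and servicename are optional."""
    serviceclass, rest = spn.split("/", 1)
    hostport, _, servicename = rest.partition("/")
    host, _, port = hostport.partition(":")
    return {"class": serviceclass, "host": host,
            "port": int(port) if port else None,
            "name": servicename or None}


def parse_setspn(output: str) -> dict:
    """Map each account DN to the list of SPN strings registered on it."""
    accounts, current = {}, None
    for line in output.splitlines():
        if not line.strip() or line.startswith(("Checking domain", "Existing SPN")):
            continue
        if line[0] in " \t":            # indented line: an SPN of the current DN
            if current is not None:
                accounts[current].append(line.strip())
        else:                           # column 0: a new account DN
            current = line.strip()
            accounts[current] = []
    return accounts


def is_machine_account(spns) -> bool:
    """Heuristic (assumption): computer objects always carry HOST/ SPNs."""
    return any(s.upper().startswith("HOST/") for s in spns)


def roastable_spns(output: str) -> dict:
    """DN -> parsed SPNs for accounts that look like user (crackable) accounts."""
    result = {}
    for dn, spns in parse_setspn(output).items():
        if spns and not is_machine_account(spns):
            result[dn] = [parse_spn(s) for s in spns]
    return result


if __name__ == "__main__":
    for dn, spns in roastable_spns(SAMPLE_SETSPN_OUTPUT).items():
        print(dn)
        for s in spns:
            print("   ", s)
```

The second user account in the sample, oldsvc, is the kind of stale entry the paragraph above describes: its web service may be long gone, but the SPN is still registered and a ticket for it can still be requested.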

Some service accounts hold elevated privileges, for example services that are configured to run as a domain administrator. These are the high-value targets, and they can be picked out when querying SPNs: adding the -AdminCount switch to Get-DomainUser -SPN returns only accounts whose adminCount attribute is set, i.e. members of protected (administrative) groups.


5 Attack Flow

Enumerate the service accounts in the domain and the services they run.

Request service tickets (TGS) for those services, which yields ciphertext encrypted with each service account's key.

Mimikatz can do this with the ask command of its kerberos module (kerberos::ask /target:<SPN>); the ticket is then written to a .kirbi file with kerberos::list /export.


Mimikatz obtains one TGS per invocation. The impacket toolkit provides a batch method, GetUserSPNs.py -request, which requests tickets for every user SPN in the domain at once and writes them out in a format ready for offline cracking.

For compatibility between old and new systems Microsoft supports several encryption types: DES, RC4-HMAC and, from Windows Server 2008 (domain functional level 2008), AES128 and AES256. Windows 2000 and Windows 2003 used DES and RC4-HMAC, which are far cheaper to brute force than AES. The encryption type of a service ticket is chosen by the KDC from what the service account supports (the msDS-SupportedEncryptionTypes attribute; a user account with no value set has historically been issued RC4 tickets by default), so service accounts that still accept RC4 are the preferred targets.

There are also ways to make the KDC choose a weaker algorithm. The easiest type to crack is RC4_HMAC_NT (etype 23): when requesting the TGS the client lists only RC4 in the etype field of its TGS-REQ, and the KDC will issue an RC4 ticket for any service account that still supports it.


All the conditions for a Kerberoasting attack are then in hand:

the ciphertext (the service ticket),

the algorithm (the ticket's encryption type),

a password dictionary.

Crack the password with Tim Medin's kerberoast tool, or with hashcat (mode 13100 for RC4 tickets), which is much faster. After downloading and unpacking kerberoast, run tgsrepcrack.py wordlist.txt tgs.kirbi, where wordlist.txt is the dictionary and tgs.kirbi is the TGS obtained earlier. The probability and duration of a successful crack depend on password complexity, dictionary quality and machine performance.

./tgsrepcrack.py wordlist.txt test.kirbi

6 Defense

The preconditions of a Kerberoasting attack are a weak service account password and a weak encryption type.

Defending against Kerberoasting therefore addresses those two points:

Raise the complexity of service account passwords: long random passwords that are actually rotated (a managed service account takes care of both);

Upgrade the domain's servers to at least Windows Server 2008 and configure service accounts to use AES256 (msDS-SupportedEncryptionTypes), so that RC4 tickets are no longer issued for them.

Detecting Kerberoasting is difficult because every on-wire operation is a legitimate Kerberos request, but there are still traces. Bulk acquisition of service tickets is one feature: a single account requesting tickets for many different SPNs within seconds, recorded on the domain controller as Security event 4769. A weak encryption type is another: a 4769 event whose Ticket Encryption Type is 0x17 (RC4-HMAC) in a domain where AES is the norm. Detection built on these two signals is reasonably effective.
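The two detection signals above, applied to Windows Security event 4769 records, as an added example (not part of the original post). The records are constructed for the demo and reduced to the fields that matter: TargetUserName (the requester), ServiceName (the account the SPN belongs to), TicketEncryptionType (0x17 is RC4-HMAC, 0x12 is AES256) and IpAddress; in a real deployment they would come from the domain controllers' security logs. The window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType of RC4-HMAC in event 4769
AES256 = 0x12


def _ev(ts, user, service, etype, ip):
    """One simplified 4769 record (constructed for the demo)."""
    return {"TimeCreated": datetime.fromisoformat(ts), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "IpAddress": ip}


EVENTS = [
    # normal logon traffic: machine-account and krbtgt tickets, AES
    _ev("2020-05-01 09:00:01", "jdoe@CORP.LOCAL", "FS01$", AES256, "10.0.0.5"),
    _ev("2020-05-01 09:00:02", "jdoe@CORP.LOCAL", "krbtgt", AES256, "10.0.0.5"),
    # a single RC4 ticket for a service someone really uses is not roasting by itself
    _ev("2020-05-01 09:41:10", "jdoe@CORP.LOCAL", "sqlsvc", RC4_HMAC, "10.0.0.5"),
    # one account pulling a ticket for every user SPN in the domain within seconds, all RC4
    _ev("2020-05-01 10:04:12", "bob@CORP.LOCAL", "sqlsvc", RC4_HMAC, "10.0.0.77"),
    _ev("2020-05-01 10:04:12", "bob@CORP.LOCAL", "httpsvc", RC4_HMAC, "10.0.0.77"),
    _ev("2020-05-01 10:04:13", "bob@CORP.LOCAL", "backupsvc", RC4_HMAC, "10.0.0.77"),
    _ev("2020-05-01 10:04:13", "bob@CORP.LOCAL", "oldsvc", RC4_HMAC, "10.0.0.77"),
    _ev("2020-05-01 10:04:14", "bob@CORP.LOCAL", "WS01$", AES256, "10.0.0.77"),
]


def kerberoast_alerts(events, window=timedelta(minutes=5), min_services=3):
    """
    Alert when one requester obtains tickets for at least min_services distinct
    user service accounts inside `window`, and report how many of them were RC4.
    Tickets for machine accounts (name ends in $) and for krbtgt are ignored:
    normal logons generate them constantly and they are not crackable targets.
    """
    by_user = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[e["TargetUserName"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, start in enumerate(evs):
            seen = {}   # service account -> etype of its first ticket in the window
            for e in evs[i:]:
                if e["TimeCreated"] - start["TimeCreated"] > window:
                    break
                seen.setdefault(e["ServiceName"], e["TicketEncryptionType"])
            if len(seen) >= min_services:
                alerts.append({
                    "user": user, "ip": start["IpAddress"],
                    "first_seen": start["TimeCreated"],
                    "services": sorted(seen),
                    "rc4_tickets": sum(1 for t in seen.values() if t == RC4_HMAC),
                })
                break   # one alert per requester is enough
    return alerts


if __name__ == "__main__":
    for a in kerberoast_alerts(EVENTS):
        print(f"{a['first_seen']} {a['user']} from {a['ip']}: "
              f"{len(a['services'])} service tickets, {a['rc4_tickets']} RC4 -> {a['services']}")
```

Running it flags only bob: four distinct user service accounts in two seconds, every ticket RC4, while jdoe's lone RC4 ticket for sqlsvc stays below the threshold. In a domain that has moved its service accounts to AES, the rc4_tickets count alone is a strong signal, since a legitimate client would have received AES tickets.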
