Impacket Deep Dives Vol. 2: Attacking Kerberos

Kyle Mistele
6 min readJun 5, 2021

--

Cerberus: the 3-headed guard of the underworld in Greek myth

Overview

In my previous post, I discussed different ways to get command execution on Windows hosts with Impacket. In this post, I’m going to discuss how to attack Kerberos in Windows Active Directory with Impacket’s toolset.

There are a lot of tools out there for attacking and pentesting Kerberos, but lots of them are written in Powershell or C#. One of the things I like about Impacket’s suite is that it’s written in Python, so it’s easily cross-compatible between Windows and Linux.

In this post, I’m going to assume that you have a working knowledge of how Kerberos works, and some knowledge of common Kerberos vulnerabilities might be helpful. If you want to brush up on Kerberos before reading this, allow me to point you towards this excellent article: https://www.tarlogic.com/en/blog/how-kerberos-works/

Lab Setup

For the purposes of this series, I’ve built a (very) small Active Directory lab with a Domain Controller and two Windows workstations that are joined to the domain:

  • KANTO.local/CHARIZARD-DC 10.0.1.51
  • KANTO.local/SQUIRTLE 10.0.1.52
  • KANTO.local/IVYSAUR 10.0.1.53

Now that you’re up to speed, let’s get into it!

Attack I: ASREP Roasting

Unlike some of the attacks that will be covered later in this article, ASREP Roasting is somewhat uncommon, so I’ve provided a section on the theory of how the attack works as well as details on how to exploit it.

Theory

The underlying vulnerability in Kerberos that ASREP Roasting exploits is that there is an optional (non-default) flag for user accounts called UF_DONT_REQUIRE_PREAUTH. The flag is intended to support backwards compatibility with older versions of Kerberos. If this flag is set for a user account, a TGT (in a KRB_AS_REP, hence ASREP Roasting) may be requested via a KRB_AS_REQ (details of these messages can be found in RFC 4120) message without requiring pre-authentication. In essence, if you have a username or usernames of domain users that have this flag set, you can request TGT’s for them.

Once you have the KRB_AS_REP messages, you can take them offline and crack the part that is encrypted with the user’s password hash to obtain their password. Harmj0y has a great blog post on this technique and developed PowerShell tooling to launch this attack.

Exploitation

To exploit this vulnerability with Impacket, we need a list of usernames to try to ASREP Roast. If possible, you should try to use LDAP to query the domain for users with the flag set, but that does require domain access. If you want, you can blindly use this attack with a wordlist of usernames that may or may not exist in the domain, but be aware that requesting TGTs for accounts that don’t have the flag set will move you one attempt closer to password lockout.

Here’s the syntax for the command:

GetNPUsers.py $DOMAIN/ -dc-ip $DC_IP_ADDR -no-pass -usersfile $USERFILENAME -outputfile $OUTPUTFILENAME -format [john|hashcat]

Once we have the wordlist, we can run the command itself. Note that in this case, my wordlist contains a few users that don’t have the flag set as well as some that do, hence the error messages.

ASREP Roasting the users on our wordlist

Then we can take the output file and crack it with John or Hashcat depending on the hash type specified in the previous command. You should always use Hashcat if you can since it tends to be faster. john $HASH_FILE --wordlist=/path/to/wordlist

Cracking the ASREP Roasted Users’ passwords

Check your ~/.john/john.pot file and you should see each cracked hash next to its ASREP. Profit.

Attack II: Kerberoasting

Kerberoasting is a super common and well-known attack, so I won’t go into details on the mechanics of how it works here. To successfully launch the attack, you need credentials for a domain user (or an NTLM hash, or a Kerberos ticket). The attack will give you a file of hashes that you can crack with either John the Ripper or with Hashcat — it appears to be compatible with both.

GetUserSPNs.py $DOMAIN/$USER:$PASSWORD -dc-ip $DC_IP_ADDR -outputfile $OUTFILE

Attack III: Golden Ticket

Impacket contains tools for both forging and using golden tickets, so in this section, I’m going to go over how to forge one, and then how to actually use it with Impacket’s various tools for command execution.

Forging a Golden Ticket

To forge a golden ticket, we need a couple of pieces of information: the NTHash of the krbtgt account on the domain controller and the domain SID. We can find this information using Impacket’s secretsdump.py script, assuming that we have Administrator access to the domain controller:

Finding the NTHash for the krbtgt account

Then, we can use Impacket’s lookupsid.py tool to find the domain SID. In the example below I used the DC as the target, but this should work with any domain computer.

Finding the domain SID

Then, you can use Impacket’s ticketer.py to forge a golden ticket for a domain user:

Forging a golden ticket for the domain administrator “brock”

Using a Golden Ticket

If you have a golden ticket in the .kirbi format (commonly used by Mimikatz and various PowerShell tools), you need to convert it into a .ccache file, as shown below. If you forged it with ticketer.py, you should already have a .ccache file and can skip this step.

Converting a .kirbi file into a .ccache file

Then, you need to set the KRB5CCNAME environment variable to the path to the .ccache file. Both absolute and relative file paths work, although the latter only works as long as you’re in the same directory as the file. This variable tells Impacket tools that support Kerberos tickets where to find the ticket.

Setting the KRB5CCNAME environment variable for Impacket

Then, we can use PsExec (or another of Impacket’s command execution tools — I wrote a blog post detailing all of them here) to load and authenticate with the ticket and get command execution. Regardless of whether we’re using psexec.py, smbexec.py, wmiexec.py or another tool, the command normally looks likescriptname.py $DOMAIN/$USER:$PASS@$TARGET . For Kerberos authentication, it’s going to look a little different. We need to specify the target IP address, the DC’s IP address, and the target domain name:

scriptname.py $DOMAIN/$USER@$TARGET_NAME -target-ip $TARGET_IP -dc-ip $DC_IP -no-pass -k

The -no-pass and -k options tell impacket to skip password-based authentication and to use the Kerberos ticket specified by the KRB5CCNAME environment variable, respectively:

Using a golden ticket

Note that this technique for using Kerberos tickets works for any Ticket, not just golden and silver tickets!

Attack IV: Silver Ticket

This attack is very similar to the golden ticket attack, so I’m just going to briefly give the command to forge it:

ticketer.py -nthash $SERVICE_NT_HASH -domain-sid $DOMAIN_SID -domain $DOMAIN -dc-ip $DC_IP_ADDR -spn $SERVICE_SPN $USER

Footnote: Attack V: Abusing Unconstrained Delegation

Theory

Delegation is a way to allow a service or computer to impersonate domain users elsewhere in the domain. There are two types of delegation: constrained and unconstrained. Constrained delegation allows you to specify a variety of SPNs that the service is allowed to impersonate. Unconstrained delegation allows a service or computer to impersonate any domain user. Unconstrained delegation is especially common in older domains — before 2003 constrained delegation wasn’t an option.

Exploitation

Exploiting unconstrained delegation is a pretty long and involved process, so I’m adding it as a footnote here. If you’re interested in reading a solid write-up on how to exploit it, pour yourself a cup of coffee and check out this article.

Conclusion

In this article, I’ve gone over how to exploit common vulnerabilities in Kerberos and Active Directory using the Impacket suite. Let me know what you think below!

--

--

Kyle Mistele
Kyle Mistele

Written by Kyle Mistele

Student, hacker, OSCP. My other computer is your computer.

No responses yet