Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

DerbyCon 2019 - Kerberoasting Revisited

Given at DerbyCon 2019, this presentation covers Kerberoasting nuances we weren't aware of until recently.

  • Identifiez-vous pour voir les commentaires

DerbyCon 2019 - Kerberoasting Revisited

  1. 1. Kerberoasting Revisited @harmj0y
  2. 2. # whoami ▪ Job: Technical Architect at SpecterOps ▪ Co-founder: Veil-Framework, Empire, PowerView/PowerUp, BloodHound, GhostPack ▪ Cons: DerbyCon (since 4.0!), BlackHat, DEF CON 2
  3. 3. tl;dr ▪ Exactly how Kerberoasting works ▪ Kerberoasting Approaches ▪ msDS-SupportedEncryptionTypes ▪ Building a Better Kerberoast ▪ What’s Next 3
  4. 4. The Start… (DerbyCon 4.0!) 4 Thanks @timmedin!
  5. 5. 5 WMI computer.domain.com PowerShell Remoting File Share SQL HOST/ HTTP/ HOST/ RPCSS/ CIFS/ MSSQLSvc/ dir computer.domain.comC$ 1. Here’s my TGT. I want a service ticket for: CIFS/computer.domain.com 2. Service ticket returned: CIFS/computer.domain.com 3. Use service ticket: CIFS/computer.domain.com domain.com Domain Controller Attacker
  6. 6. 6 dir computer.domain.comC$ 1. Here’s my TGT. I want a service ticket for: CIFS/computer.domain.com 2. Look up which (user or computer$) account has the CIFS/computer.domain.com service principal name (SPN) registered 3. Encrypt part of the service ticket with the key of looked- up account (computer$ here) 4. Target service decrypts the service ticket w/ shared computer$ key. Target service decides whether to allow access! computer.domain.com File Share CIFS/ domain.com Domain Controller Attacker
  7. 7. ▪ The target service and the domain controller have to share some key so the service can decrypt the ticket ▪ For most SPNs, this is the computer$ account key/hash □ Random characters/not crackable, 30 day change window L ▪ But if the SPN is registered for a user account, we now have a piece of data that’s encrypted with their key □ Requesting this and cracking offline == Kerberoasting ! 7 Kerberoasting 101: Background
  8. 8. ▪ Service tickets (like TGTs) generally use either AES256_CTS_HMAC_SHA1_96 (AES256) or RC4_HMAC_MD5 (RC4/NTLM) keys for ticket encryption ▪ We really want RC4, since it’s orders of magnitude faster to crack 8 Kerberoasting 101: Key Encryption Types
  9. 9. ▪ ANY user can request ANY service ticket (by design!) ▪ No packets are sent to the service target unless we try to use the requested ticket! ▪ Translation: if a user has a non-null servicePrincipalName property, we can crack their password offline 9 Kerberoasting 101: Why Care
  10. 10. 10 Kerberoasting 101: Using the Goods ▪ If a user account has an SPN registered, the user often: □ has admin privileges on the machine specified in the SPN □ and/or is other privileged domain groups ▪ Even if they don’t/aren’t, with the key cracked, we can forge service tickets as ANY user to the specific SPN
  11. 11. External-In -Need creds (pw/hash) of existing domain account to first get a TGT so service tickets can be requested -More difficult over high latency C2 -But can granularly control all aspects of the exchange (i.e. RC4) Current Kerberoasting Approaches Domain-Joined Windows Host -Don’t need credentials, just execution in a domain user’s context -Easier over high latency C2 -Built-in request methods don’t let you control aspects (like encryption levels) of the exchange 11
  12. 12. ▪ The existing domain-joined Kerberoasting methods involve using setspn.exe or .NET’s KerberosRequestorSecurityToken class to request a service ticket for a target SPN ▪ The tickets are then carved out of memory (Mimikatz) or extracted using the GetRequest() method (PowerView) 12 Current Kerberoasting Approaches
  13. 13. ▪ Modern (2008+ functional level) domains are supposed to use AES keys by default for Kerberos ▪ So requesting a RC4 service ticket should result in “encryption downgrade activity” ▪ But built-in request methods for user-backed SPNs nearly always return RC4-encrypted service tickets 🤔 13 Sidenote: Kerberoasting Defenses
  14. 14. 14
  15. 15. msDS- SupportedEncryptionTypes ▪ AD user/computer account property touched on by Jim Shaver and Mitchell Hennigan in their DerbyCon 7.0 “Return From The Underworld” talk ▪ According to Microsoft’s [MS-ADA2], “The Key Distribution Center (KDC) uses this information [msDS- SupportedEncryptionTypes] while generating a service ticket for this account.” 15
  16. 16. msDS- SupportedEncryptionTypes ▪ According to MS-KILE the default value for this field is 0x1C (RC4 | AES128 | AES256 = 28) for Windows 7+ and Server 2008R2+ ▪ However, this property is only set by default on computer accounts (not user or trust accounts!) □ If this property is not defined/set to 0, [MS-KILE] says default behavior is to use a value of 0x7 (RC4) 16
  17. 17. 17 However we can set user accounts to explicitly support AES 128/256 encryption 0x18 (AES128 | AES256 = 24)
  18. 18. 18 But… 🤔
  19. 19. Why Care? ▪ There doesn’t seem to be an easy way to disable RC4_HMAC service ticket requests on user accounts, meaning we can’t “stop” RC4 Kerberoasting □ We can disable RC4 for the entire domain, but this also kills RC4 TGTs, which isn’t feasible for most environments ▪ Setting AES support for user accounts at least gives us the “encryption downgrade” detection 19
  20. 20. Downsides of Built-in Ticket Request Methods ▪ .NET/setspn approaches request/cache dozens (or hundreds) of service tickets on the attacker host ▪ .NET’s KerberosRequestorSecurityToken doesn’t let you specify encryption levels (RC4 vs AES) for ticket requests □ Since we don’t have a proper TGT, we can’t hard specify RC4 like Impacket/Metasploit 20
  21. 21. Obtaining a User’s TGT: The “tgtdeleg” Trick ▪ @gentilkiwi realized we can request an outgoing service ticket request for a SPN on an unconstrained delegation server (the domain controller) ▪ This results in a delegated TGT for the current user being present in the AP-REQ in a way we can retrieve it ▪ Translation: we get a usable TGT for the current user! 21
  22. 22. Rubeus: Building a Better Kerberoast ▪ Rubeus implements the structures needed for service ticket requests/responses ▪ Rubeus also implements Kekeo’s tgtdeleg trick ▪ Combined, this allows us to: a) avoid caching service tickets on the attacker- controlled host b) specify RC4 in the service ticket requests 22
  23. 23. Rubeus: Kerberoasting Opsec 23
  24. 24. Kerberoasting: What’s Next 24
  25. 25. One More Wrinkle… 25
  26. 26. Thanks!Any questions? ▪ @harmj0y ▪ will [at] harmj0y.net Get Rubeus: ▪ https://github.com/GhostPack/Rubeus 26
  27. 27. Credits Tim Medin for his groundbreaking Kerberoasting work Benjamin Delpy for Mimikatz and Kekeo ♡ Alberto Solino for his Kerberoasting/sname/Impacket work @fist0urs for his krb5tgs AES Hashcat work Matan Hart for his PowerView Kerberoasting contributions 27