Impacket GetUserSPNs & Kerberoasting Explained

00:00

so today we're going to take a look at a

00:02

technique called Kerberos sting not to

00:04

do this we're going to use an impact

00:05

script called get user SPNs

00:07

and we'll combine that with hash katz

00:09

and with the two of them we'll be able

00:10

to get a user accounts password now as

00:13

usual I've got two virtual machines set

00:15

up here one that's a domain controller

00:16

with this very basic Active Directory

00:18

domain and then another which is our

00:20

attacker machine which is not a member

00:21

of the domain completely separate now if

00:24

you've seen some of my previous videos

00:25

on Kerberos attacks a lot of this will

00:27

be very familiar we're basically doing

00:29

the same thing that we did in the attack

00:30

where we used in packets get MP users

00:32

script to attack accounts that don't

00:35

have Cobras pre authentication enabled

00:36

is a very similar thing but just with a

00:39

different part of the Kerberos

00:40

authentication mechanism so you'll

00:42

definitely recognize some things if

00:44

you've seen those videos if not don't

00:45

worry because I will try and explain

00:46

things in a decent amount of detail in

00:48

this one this is also going to leave

00:50

very nicely into another video which

00:52

will be coming very soon on Kerberos

00:54

silver tickets so I think to start with

00:55

we'll just do a very quick demonstration

00:57

of the attack and then I'll go through

00:59

and explain exactly how it works so if

01:01

we run get user SP ends dr py b in

01:03

packet script I'm just going to

01:05

familiarize myself with the syntax again

01:07

I'm pretty sure we literally just need

01:09

specify the domain first of all actually

01:12

as well we need to set our DNS server to

01:14

point to the machine that were going to

01:17

be attacking the domain controller to be

01:19

fair if all you're doing is this get

01:20

user SPN the script and the Kerberos

01:22

ting attack you could probably get away

01:24

with just doing the Dutch tcpip option

01:26

with the implicit script to specify the

01:28

DC IP address you probably don't need to

01:30

set your DNS server but it's going to

01:32

make things easier when we come to do

01:33

the Kerberos solve a ticket attack so

01:34

I'm just going to do it now and it will

01:36

also mean that we don't need to specify

01:37

the IP address with this get user SPN

01:39

script so we're going to here change

01:41

adapter options because the thing is

01:43

with Kerberos you need to use fully

01:45

qualified domain names you can't use IP

01:47

addresses by default anyway there is an

01:49

option you can set to enable that but by

01:52

default if you're using an IP address to

01:54

connect to something now you won't be

01:56

using Kerberos authentication or

01:58

fallback 2011 and for this attack we

02:00

need to use Kerberos authentication so

02:01

I'm going to just put in the domain name

02:05

and then the user account we're going to

02:07

use that is one thing to point out is

02:09

that for this attack you need to already

02:11

have some credentials they don't have to

02:13

be

02:13

anything special if we look at this

02:15

account that I'm going to use it's not a

02:17

member of any special groups so she just

02:19

domain users and some random security

02:21

group as there's no special permissions

02:24

required for this just any user account

02:26

in the domain so we're gonna specify the

02:27

domain and then the user and the

02:29

password and then that should be all we

02:33

need actually so let's just try that and

02:35

there we go we get some results again

02:37

I'm gonna explain exactly where these

02:38

results coming from what they all mean

02:39

but to start where they just want to do

02:41

a demo off the attack I'm just going to

02:42

prove that it works for people that just

02:44

literally want to see a step-by-step

02:45

guide of how to do it so if we do that

02:48

again we do - requests we will get TDs

02:52

or you can just think of it as a load of

02:54

encrypted data that was encrypted with

02:56

this accounts password so if we can

02:58

crack this then we can get this accounts

03:00

password and that is essentially what

03:01

the Kerberos ting technique is all about

03:03

so we'll take all this and we'll just

03:05

put it into hash cat just copy that and

03:07

to find out what mode we need to use in

03:09

hash cat have just gone to the house cat

03:11

examples we'll just search for Kerberos

03:14

it's not this one because we're not

03:16

doing an AS req attack we're doing a TGS

03:18

attack so it will probably be this on

03:20

here you can see there we've got the

03:21

type of encryption is type 23 if we go

03:24

back to our machine you'll see here

03:26

we've got type 23 is the encryption type

03:28

there so we'll just take this number

03:30

here 13100 M

03:33

13100 and then we will paste in the

03:37

information that we got from the script

03:40

or just say you want to use the rock

03:42

cued up text file to crack it go through

03:45

and in a few seconds there we go it was

03:50

correct it so the password was just set

03:52

to the same thing that I said leave

03:53

their account to obviously they would

03:54

normally be different passwords but you

03:56

see here the password is just password

03:57

with zero so we now know the password

04:01

for that SQL service account and we

04:03

didn't really have to do anything which

04:04

is wrong run scripts pass it into hash

04:06

cat and we get the passwords and that

04:09

will work for any user account in the

04:10

domain that has been set to run a

04:12

service that authenticates with Kerberos

04:14

and again all we needed with just any

04:16

domain credentials we don't need any

04:17

kind of admin rights or anything like

04:19

that so now that you've seen the attack

04:20

in action

04:21

let's take a look at how it actually

04:22

works and why this works so if we go on

04:24

to our domain control here

04:26

and we'll look at what actually makes

04:28

this account vulnerable essentially it's

04:30

the fact that it's a user account and

04:32

it's got in its attributes

04:35

after the service principle name it's

04:37

got some values in here that is

04:39

essentially all that makes it vulnerable

04:40

to this kind of attack so for an example

04:42

if we just create a new user account

04:45

test or just a password to test as well

04:50

I just got in the habit of always taking

04:55

those things okay

04:56

finally test isn't good enough password

04:58

will just use password with a zero again

04:59

then my favorite default okay so now

05:03

we've got that account in there because

05:04

we haven't set any service principle

05:06

names on it when we run this script it

05:10

won't find that account okay so we're

05:11

not seeing our test account in there but

05:14

as soon as we add a service principle

05:16

name you don't have to do this from the

05:18

attribute editor tab you can do it from

05:19

PowerShell and there's also a set SPN

05:21

executable that's included the windows

05:24

but I'm just used to doing it through

05:25

here I'm wondering why I can't see and

05:27

that's because I've got that tick so

05:28

only shows that we've already got values

05:30

in them yes if we go into here and we

05:33

add we just put a test slash test just

05:36

put anything in there by that and now if

05:40

we go back to our attack machine when

05:43

that same script again now we could

05:45

basically just get the password for this

05:47

test account because it's got a service

05:48

principle name set so why is that the

05:50

case and also why don't we see or why

05:54

don't we go after computer accounts

05:56

because if we look at a computer account

05:57

and we go to the area it's a tab look at

06:00

service principle name see that's got

06:02

loads of sales principle names so why

06:04

aren't we attacking that why doesn't the

06:06

script find that essentially because

06:08

computer accounts have very long complex

06:10

passwords that get automatically set by

06:12

the system every 30 days I think is by

06:14

default so trying to crack them is a

06:18

very very long process potentially

06:20

impossible I can't remember off the top

06:22

of my head what the password length is

06:24

but I've got a feeling it's something

06:25

like 150 characters of just random bytes

06:28

so we can't just throw with a rock you

06:30

password list at it and assume that

06:32

we'll get cracked or even doing a brute

06:34

force crack would take forever so that's

06:37

why we don't graph the computer accounts

06:38

user accounts on the other hand

06:40

as you've just seen we can set very dumb

06:42

passwords for passwords it will probably

06:44

be in a common password list and it's

06:46

quite common for people to do this to

06:47

create a user account to run a service

06:49

like if we open up services that Emma

06:51

see this is where an admin would set

06:54

this so we go to the MS SQL service

06:58

called SQL Server you can see here that

07:01

I've set that to run using that service

07:04

account so this is that account there

07:07

that SQL servers account we've set it to

07:09

run as that account we've had to put the

07:11

password in here and that's a pretty

07:12

common thing for admins to do because

07:14

say you've got a service that needs to

07:16

access some files especially if they're

07:18

on another server it's got access

07:19

something across the network if you just

07:21

leave this running as local system or

07:23

network service then when this goes to

07:25

connect out to a file server or whatever

07:27

to do something with those files say

07:28

this was running as network service like

07:30

this one here you've got a grant that

07:32

account permission to access those files

07:35

which now means every other service

07:37

that's running as a network service has

07:38

permission to access those files and if

07:41

they were on a remote file server now

07:43

you've got to grant the computer account

07:44

for the services running on you've got

07:46

to grant that permission to access those

07:47

files which means that any service on

07:49

this entire computer that can access

07:52

things over the network has now got

07:53

permission to access those there are

07:55

some ways around that I'm not going to

07:56

go into that too much I'm just trying to

07:58

give you a rough idea of why someone

07:59

would actually set a service to run as a

08:01

user account and like you can use these

08:03

NT service accounts now that's fine for

08:05

accessing local files and resources

08:07

because now you can grant permissions to

08:09

this virtual service account that's

08:10

technically the name of them virtual

08:11

service accounts if you want to look

08:13

into them more yeah they get created for

08:15

each service and it'll just be NT

08:16

service slash the name of the service so

08:19

yeah that's fine for local access but if

08:21

you want to access something across the

08:22

network then again you're gonna have to

08:24

grant permission to the computer account

08:25

which means any service on this entire

08:28

computer can now access those resources

08:29

and that might not always be desirable

08:31

so that's a reason for using an actual

08:33

user account in the domain because now

08:35

you can grant permissions anywhere on

08:37

the network to that user account and

08:38

then set the service to run as that user

08:40

account and now only that service can

08:42

access those files and resources the

08:44

best solution though is to use a managed

08:46

service accounts or a group managed

08:47

service account and they are user

08:50

accounts in Active Directory that

08:51

essentially behave like computer

08:53

accounts

08:53

get their passwords set to those long

08:55

complex passwords and changed

08:56

automatically and then you can use them

08:58

to run a service so that's kind of the

09:00

solution to this but I'll be honest

09:02

they're not particularly well I was

09:04

gonna say they're not well supported

09:05

they out likely do they work perfectly

09:08

but actually working with them as a bit

09:10

of a pain like you can't just right

09:11

click here and create a new my service

09:13

account maybe there's some newer tools

09:15

since I last looked into them that make

09:17

it easier to use now but yeah when they

09:18

first came out managed in group managed

09:20

service accounts you had to do it all

09:22

with PowerShell and it was a little bit

09:23

awkward so there we go that was a bit of

09:25

a long tangent but I hopefully

09:26

understand that it is kind of common for

09:28

people to set services to run as a user

09:31

account from Active Directory so if that

09:33

service in this case SQL Server that

09:35

service wants to use Kerberos

09:37

authentication or wants to support

09:38

Kerberos authentication it has to have a

09:40

service principle name that's just part

09:42

of the way that Kerberos works I'm not

09:44

going to go into that too much right now

09:45

but long story short it has to have a

09:47

service principle name for it in order

09:49

for it to be able to respond to Kerberos

09:51

authentication requests and that service

09:53

principle name as you can see is made up

09:55

from the service name which can be

09:57

whatever the service wants it to be and

09:58

then the Machine name and optionally a

10:01

port number also optionally you don't

10:03

have to have the full fully qualified

10:05

domain name there you'll see in a lot of

10:06

the default ones here it'll just have or

10:13

it'll have both sites so I'll have the

10:14

service and then just the computer name

10:16

and then I'll have the service and the

10:17

computer name and the fully qualified

10:19

domain name that's because when a client

10:20

tries to connect to one of these

10:21

services it has a few options of how it

10:24

could specify the name you see there's

10:25

different variations again so the

10:28

service principle names have to support

10:29

each of those that a client could

10:30

potentially use so going back to our SQL

10:33

SVC account so we know that it's got

10:35

these SP ends how does the in package

10:38

script take advantage of that go back to

10:41

our workstation essentially all the

10:43

script is doing in this part here where

10:45

we just run it the first time without

10:46

that request all it's doing is just an

10:48

LDAP search just to find any user

10:50

accounts that have got a service

10:51

principle name we could do this

10:53

ourselves just as easily and I'm gonna

10:55

do this from the DC just so I don't have

10:57

to bother setting up like a reverse

11:00

shell and but assume that you were doing

11:02

this remotely you can do this with like

11:05

LDAP search or if you had a reverse

11:07

all going on the remote machine you

11:08

could do it this way but yeah it's just

11:09

a nailed up so if we do like get a V

11:11

user we set an LDAP filter do a service

11:15

principle name equals anything this is

11:19

going to find any user accounts that

11:21

I've got a service principle name all

11:23

right would if I actually put the dash

11:25

in the right place there we go

11:26

so what does that found is found the

11:28

krbtgt account which we can ignore

11:30

that's a built in Kerberos kind of

11:33

master key account which I've covered in

11:34

other videos the golden ticket one

11:36

specifically but yeah so other than that

11:38

it's found our SQL SVC account and it's

11:41

found our test account which is exactly

11:42

what the impact script found if we

11:43

wanted to actually see the results so

11:47

just do properties and we'll say

11:49

1includes so as principal name so now we

11:54

can see we get this after we added to

11:56

the results and it shows us the SPN for

11:58

each of these accounts so here we're

11:59

seeing those same SV ends that we saw in

12:01

actual Directory users and computers so

12:04

that's essentially all the implicit

12:05

script is doing at that point it's just

12:07

doing an LDAP search for user accounts

12:08

that have any value in the service

12:10

principal name so nothing crazy there

12:12

nothing special so we flick back to the

12:14

workstation what it does when we do dat

12:16

request though is if we open up

12:18

Wireshark this is where things will get

12:22

very familiar for people who have seen

12:23

the get MP users video we just do a

12:26

capture on the network card and we run

12:28

that stop this I'm gonna filter it for

12:33

Kerberos now what we can see is that we

12:35

get the normal Kerberos kind of

12:37

handshake going on to authenticate the

12:38

user account and this is authenticating

12:40

legitimate user account the a Smith

12:42

account and in a previous video where we

12:45

were looking at Kerberos pre

12:46

authentication and the get NP user

12:48

script this part here basically wouldn't

12:50

happen because if pre off is disabled we

12:53

kind of skip this part and we go

12:54

straight to here where we just get back

12:56

some encrypted data that's encrypted

12:57

with the users password and we can crack

12:59

it again that's covered in a previous

13:01

video I'm not going to go over that now

13:02

so even though preauth is enabled on

13:03

this account

13:04

we've got legitimate credentials for

13:05

this a Smith account so we're fine then

13:08

we move on to the tds part now these are

13:11

doubled here because we've got one where

13:13

we're requesting that test service and

13:15

then we've got the one where we're

13:16

requesting the SQL service so we're just

13:17

gonna ignore test service or focus on

13:19

this

13:20

well part so now going to explain

13:21

everything that Kerberos does but for

13:23

this part we're going to focus on just

13:25

accept that we log on as a legitimate

13:28

user account we get what's called a TGT

13:30

and then we can use that TGT to request

13:33

a ticket for a service the TGT proves

13:36

that we are who we say we are so in this

13:37

case we're saying I am a Smith our user

13:40

account and I want to access this mssql

13:42

service on this computer the Kerberos

13:45

service or the domain controller in this

13:46

case you would think would do some kind

13:49

of like authorization check to see if

13:51

this user account is allowed to access

13:52

this service but it doesn't it just says

13:55

sure here's a TGS which is another kind

13:57

of ticket for that service you can use

13:59

that to access the service now it's then

14:02

up to the service itself to decide if

14:03

this user account is allowed which is

14:05

fine because the service will look at

14:08

this this encrypted data here which

14:10

we'll get onto in a second this contains

14:11

the the user's username and the groups

14:14

are they're a member of so the service

14:16

can look at that because it can decrypt

14:17

this again I'll explain how why in a

14:19

second

14:19

it can decrypt that you can see this

14:21

user is a member of these groups it's

14:23

got this username this security ID are

14:25

they allowed in satisfying the access

14:27

controls how things is still okay it's

14:29

not as if this part here means that we

14:30

can now just access every service in the

14:32

world the service can still easily deny

14:34

us access but to actually do the

14:36

Kerberos authentication side of things

14:37

we need to pass it this TGS ticket and

14:40

that's what it's sending back to us here

14:42

this TGS rep is the domain control

14:44

sending as a ticket the we can then pass

14:45

on to whatever service this is that

14:47

we're trying to access so this encrypted

14:49

part is the important bit really because

14:51

it's encrypted with this e type of 23

14:53

and if you remember in the hash code

14:55

examples let me show you it we ended up

14:57

using this here because it's a TGS rep

15:00

and it's a type 23

15:01

okay so Kerberos TDS rep e type 23 we go

15:05

back to our machine we'll see we've got

15:08

the Kerberos TGS rep e type 23 so that's

15:11

why we use that hash cap mode to decrypt

15:13

this text here so like I've said

15:15

multiple times this is encrypted and

15:16

it's encrypted using the password of the

15:19

service account that is running this

15:21

service ok so this is the service front

15:23

access and those service principle names

15:25

that we were looking at earlier the SP

15:27

ends they tie that user account which

15:29

was called SQL SVC in our case that SQL

15:32

SVC user account is

15:33

to this service because it has service

15:36

principle name that matches this service

15:38

and this machine name okay so that means

15:40

that Kerberos and the drain controller

15:42

knows that that account is what is

15:44

running this service so when it sends

15:46

out a TDS for this service again the TDS

15:49

is just a ticket that the user gets back

15:51

and that they can then pass on to the

15:53

service to prove that they are who they

15:55

say they are and that they are a member

15:56

of these groups and the way we prove

15:58

that is the fact that this is encrypted

16:00

with the password of the service account

16:02

because the user doesn't know the

16:04

password of the service account in

16:05

theory the only things that know the

16:07

password of the service account are the

16:09

service because it's running as that

16:10

service account and the domain

16:11

controller because that's where the

16:13

password is stored so that acts as like

16:14

a shared secret key for all of this and

16:17

that proves the authenticity of this

16:19

whole ticket that we're sending so now

16:22

when the service receives this request

16:24

from us we pass on this ticket this

16:25

encrypted ticket to the service it can

16:28

decrypt it because it's got its own

16:29

password and then it can read the

16:31

contents of it if we tried to just fake

16:33

our own ticket that said I'm a member of

16:35

the domain admins and we send that off

16:36

to the service we wouldn't have the

16:38

password to encrypt this correctly so

16:40

the service would decrypt it using its

16:41

password it would just fail the

16:43

decryption it wouldn't make any sense so

16:45

we would know this wasn't a legitimate

16:47

ticket obviously where this all falls

16:49

down though is if we do manage to get

16:50

the password for this account which is

16:52

what we've just done with this attack so

16:54

then we can just fake this whole ticket

16:56

ourselves we can say I am a member of

16:58

domain admins might say it is the

17:00

administrator SID we could fake it we

17:03

encrypt all of that with the password

17:04

that we know for the service account

17:06

create this whole ticket send it off to

17:08

the service we don't even have to talk

17:10

to a domain controller at all we just

17:11

talk to the service because we use the

17:14

right password to encrypt all this it

17:15

can decrypt it thinks it's legitimate

17:17

and then it thinks we're a member of

17:19

domain admins and that is basically what

17:20

Kerberos silver ticket attack is but

17:22

we're going to look at that in more

17:23

detail and do a demo of that in the next

17:25

video but yeah for this one that is

17:27

probably about it I feel like I've been

17:30

a little bit quick going over all this

17:31

stuff and maybe some diagrams would help

17:33

when we're talking about you know

17:34

passing tickets around but to be fair

17:36

there's a lot of examples online if you

17:38

just search for like Ross authentication

17:40

diagram or something you'll see exactly

17:42

how it all kind of flows it's not that

17:43

complicated it seems it at first

17:44

especially when you're looking at it in

17:46

why

17:47

but it's really fairly straightforward

17:48

and some good videos and good articles

17:50

that explain it this is a real quick

17:51

recap just to kind of rundown of the

17:53

whole process the whole attack starts by

17:55

us having some legitimate credentials

17:57

use those to authenticate with a domain

17:59

controller and do an LDAP search to find

18:01

any user accounts that have a service

18:03

principle name associated with them

18:05

because that means that when we request

18:07

a TGS for that service so we request a

18:09

TDS for this service here we'll get some

18:12

data back that is encrypted with the

18:13

password of this account which is what

18:16

this data here is we can then crack that

18:18

offline with hash cap and get the

18:19

password for this account now that's

18:22

kind of the end of that attack but it

18:23

feeds very nicely into a silver ticket

18:25

attack obviously we could now that we've

18:27

just got the password for this account

18:28

we could just look around as that

18:29

account you know maybe that's got access

18:31

to something special that we didn't have

18:32

access to with these credentials that's

18:34

quite likely because it's a service

18:36

account you can probably do more than a

18:37

regular user account and so that is a

18:39

perfectly valid attack on its own but

18:42

like I say it feels very nicely into a

18:43

silver ticket attack because now we can

18:45

forge our own TDs and just claim to be a

18:48

member of whatever groups who want so I

18:50

think that covers it let me know if you

18:51

have any questions I will do my best to

18:53

answer them in the comments as always

18:54

and yeah I will see you in the next

18:56

video