We analyze attacks on Kerberos using Rubeus. Part 2

6 min


This is the second part of the article about the capabilities of the Kerberos protocol attack tool, Rubeus. The first can be read here. This time we will consider how to use the tool to implement the following attacks:

– Overpass The Hash / Pass The Key (PTK);
– Pass The Ticket;
– Unconstrained Delegation;
– Constrained Delegation.

A lot has already been written about why these attacks are possible, what mechanisms of their implementation exist, what principle underlies the work of Kerberos (for example, colleagues from Jet Infosystems published a good article with analysis), so in my article I will focus on the implementation of attacks with using Rubeus.

In addition to the “actions” for carrying out attacks and interaction with Kerberos, Rubeus has a small pleasant trifle: based on the password in the clear, it can calculate the NTLM hash, which is sometimes very convenient and useful.

This is a little digression finished, back to the main part.
The test bench for conducting attacks has remained unchanged since the first part of the article.

Overpass The Hash / Pass The Key (PTK)

From Wikipedia, the free encyclopedia

Attack Pass-the-hash – One type of replay attack. It allows an attacker to log in to a remote server that is authenticated using the NTLM or LM protocol.

But what if the network has NTLM or LM authentication disabled and only Kerberos authentication is used, and you have a password hash? This is where Overpass-the-hash comes into play – using the existing password hash of a user, Rubeus can request a TGT ticket for this account.

Here the Barsik domain user decided to study information security issues, somewhere he got the password hash of the ADadmin domain administrator, downloaded Rubeus, read smart articles and tried to put it into practice.

We see that he does not have cached tickets, as well as no access to the domain controller DC-16.meow.local, but then Barsik launches Rubeus with “action” asktgt and arguments /domain, /user, /rc4, /pttto get a valid TGT ticket based on the existing password hash of the ADadmin account, argument /ptt immediately download the received ticket to the current session of the Barsik user.

The ticket is received and uploaded, Barsik tries to log in to the domain controller as Adadmin again.

And this time he succeeds.

Pass The Ticket (PTT)

This attack is similar to Overpass-the-hash / Pass-the-key, the attacker tries to get a domain user ticket (preferably having maximum privileges in the domain) and load it into the current session. One way to get TGT tickets is to dump tickets locally on the current domain machine from the process lsass.exe (Local Security Authentication Server). To do this, you must have local administrator privileges, and preferably NT AUTHORITY / SYSTEM. Rubeus can unload tickets stored in lsass using the “action” dump, and the “action” triage will show which tickets are currently stored in the system.

Rubeus unloads tickets from lsass encoded base64, while in the tool itself there is a note on how to save the received base64 format ticket .kirbi.

Save and import the ticket into the current user session.

As can be seen from the screenshot, the ADadmin ticket was successfully loaded and we can see the contents of drive C on the domain controller DC-16.meow.local on behalf of ADadmin.

Unconstrained delegation

Unconstrained Delegation – This is a privilege in the domain that can be granted to user or computer accounts. It allows an account to authenticate to a service on the network on behalf of another account.

Now it’s time to “tweak” the test bench a bit and enable unlimited delegation: we will give the privilege of unlimited delegation to BARSCOMP.

One of the stages of conducting Active Directory domain security testing is to search for accounts with delegation enabled, usually for this purpose use Powerview, but it is also possible manually using the standard ActiveDirectory module.

For this attack, I will use Printer bugwhich was described in detail by Lee Christensen of SpecterOps. Any authenticated user can remotely connect to the print server of the domain controller and request the update of new print jobs by telling him to send an account notification with unlimited delegation. Lee Christensen wrote an application Spoolsample, which makes a call to the CD print service using the MS-RPRN protocol.

On the computer from which the attack will be carried out (BARSCOMP.meow.local), it is necessary to run Rubeus in monitoring mode using “action” monitoring. This mode requires NT ATHORITY / SYSTEM privileges and listens for new TGT / TGS tickets in the lsass process. I will set the argument /interval:1 (in seconds) lsass polling interval for new tickets, and argument /filteruser:DC-16$ I’ll set the filter for displaying only DC-16 $ tickets.

Rubeus is running, in parallel in another session I launch SpoolSample.exe with arguments dc-16.meow.local (attacked car) and barscomp.meow.local (our “listening” host).

Let’s see what Rubeus “monitored”.

Caught TGT domain controller account ticket. Now you can, using the already known Pass-the-ticket attack, import a ticket and use mimikatz to conduct a DCSync attack to get the NTLM hash of the krbtgt account (and as you already know from the first part of the article, you can use the hash of this account to create Golden Ticket and full AD domain capture).

Please note that Rubeus understands tickets both in the form of a .kirbi file and in a base64 encoded string.

Constrained delegation

If an attacker was able to compromise a user account or a computer for which limited delegation is enabled, then he can impersonate any user in the domain and authenticate with the service to which delegation is allowed.

Create a new Backup domain user with the password B @ ckup1234, assign him the SPN for the cifs service on the domain controller.

Now you can set the ability for delegation of the ldap and cifs services on the DC-16.meow.local domain controller for this account.

Accounts that are allowed limited delegation can also be identified using Powerview or the ActiveDirectory module.

Knowing the password or NTLM hash of the meow.local Backup account, using Rubeus you can request a TGT ticket for it.

Now, using the “action” s4u in Rubeus, you can request TGS for a user who is allowed authentication on the cifs dc-16.meow.local service (for example, the ADadmin domain administrator).

Here I indicate the previously obtained backup account ticket; / impersonateuser – user whose rights I want to get; / domain – the domain in which everything happens; / msdsspn / asltservice – a service that needs TGS; / ptt – immediately import the received ticket into the current session.

Here’s what happens in Rubeus:

Here you can see that with limited delegation, 2 Kerberos extensions are included: these are S4U2self and S4U2proxy.

S4U2self allows service participants to request a special TGS with the FORWARDABLE flag to themselves on behalf of a specific user. This is necessary so that this ticket can later be used by the S4U2proxy extension.

S4U2proxy allows the caller to use this special ticket to request the user’s TGS for the service to which delegation is allowed (in this case cifs dc-16.meow.local). You can read more about this. here and here.

At this time, Rubeus already received the final ticket and imported it into the current session.

Check if we can see the C drive on the domain controller with the ticket we received.

Yes, everything went well.

This concludes the review of this tool, in general I liked it, nice and easy to use, with good functionality. I hope, and after reading these articles, you will take it into service.

Thank you for your attention, all good, do not be sick!


Leave a Reply