function VulnAD-Kerberoasting Unsuccessful #14

Open
mbb5546 opened this issue Jul 25, 2022 · 3 comments

Comments


mbb5546 commented Jul 25, 2022

Uploaded and ran the script on my Windows Server 2019 domain controller. I ran the script once I already had my domain created. After deleting the banner function the script ran fine, but when I went to perform a Kerberoasting attack there were no accounts configured with SPNs.

I know I can do this manually, which I plan to do; I just wanted to open an issue for visibility in case anyone else noticed this.


mclkov commented Aug 31, 2022

Hello @mbb5546,

give this command a go (PowerView must be loaded prior to this):

```powershell
Get-ADObject | Where-Object { $_.serviceprincipalname -ne $null -and $_.cn -ne "krbtgt" }
```

It worked for me, I found all 3 of them:

```
mssql_svc/mssqlserver[REMOVED]
exchange_svc/exserver[REMOVED]
http_svc/httpserver[REMOVED]
```

However, the issue I encountered was related to the cryptography.

All the tickets I tried to request were AES-encrypted, I couldn't request RC4 tickets at all.
I've tried both: Mimikatz (new-obj System.identity... then export in mimikatz) and Rubeus:

```
rubeus.exe kerberoast /spn:"exchange_svc/exserver[REMOVED]" /simple /rc4opsec
[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else

[*] Target SPN : http_svc/httpserver.cs.org
$krb5tgs$18$USER$CS.ORG$
```

I've already tried to use "usetgtdeleg" or "tgtdeleg" instead of "rc4opsec"; however, nothing worked :(

At some point I enabled all the encryption algos (RC4, AES128, AES256 etc), and yet - all the tickets were AES encrypted.
Only after I disabled all but "RC4" (in the Group Policy), I could request the desired $krb5tgs$23.
But it came at a price, I couldn't repeat the same with mimikatz and my AD-joined machine couldn't connect to the Domain Controller (where I initially ran vulnad.ps1) since then.

I'm still eager to find out if there's the "intended way" to Kerberoast Windows Server 2019.

Dear @WazeHell , please help :)
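The behaviour above (only `$krb5tgs$18` until RC4 was forced in Group Policy) is decided per account by the `msDS-SupportedEncryptionTypes` attribute. The following audit script is an added example, not code from VulnAD, BadBlood or anyone in this thread; it assumes the RSAT `ActiveDirectory` module and lists every SPN-bearing user with its decoded encryption types, so a lab owner can see which accounts would yield RC4 (`$23`) versus AES-only (`$17`/`$18`) tickets and harden the real ones accordingly:

```powershell
# Added example: audit SPN-bearing user accounts for their Kerberos etype settings.
# Assumes the RSAT ActiveDirectory module is installed on the machine running it.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes
$EncFlags = [ordered]@{
    DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4
    AES128      = 0x8; AES256      = 0x10
}

function Get-KerberoastExposure {
    # User objects carrying at least one SPN, excluding krbtgt
    $accounts = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, Enabled

    foreach ($acct in $accounts) {
        $raw   = $acct.'msDS-SupportedEncryptionTypes'
        $names = if ($raw) { $EncFlags.Keys | Where-Object { $raw -band $EncFlags[$_] } } else { @() }

        # Unset (null/0) means the account advertises no AES, so the KDC falls back
        # to its default, historically RC4_HMAC: treat it as RC4-capable.
        $rc4Possible = (-not $raw) -or (($raw -band 0x4) -ne 0)
        # AES-only: at least one AES bit set and no DES/RC4 bit set
        $aesOnly = [bool]$raw -and (($raw -band 0x18) -ne 0) -and (($raw -band 0x7) -eq 0)

        [pscustomobject]@{
            Account         = $acct.SamAccountName
            Enabled         = $acct.Enabled
            SPNs            = ($acct.servicePrincipalName -join ', ')
            EncTypesRaw     = $raw
            EncTypes        = ($names -join ',')
            RC4TicketLikely = $rc4Possible      # would produce $krb5tgs$23 output
            AESOnly         = $aesOnly          # would produce $krb5tgs$17/$18 only
            PasswordAgeDays = if ($acct.PasswordLastSet) { [int](New-TimeSpan -Start $acct.PasswordLastSet).TotalDays } else { $null }
        }
    }
}

Get-KerberoastExposure | Sort-Object RC4TicketLikely -Descending | Format-Table -AutoSize

# Remediation for a production service account (not a deliberately weak lab one):
# restrict it to AES and rotate to a long random password, or move it to a gMSA.
# Get-ADUser svc_example | Set-ADUser -KerberosEncryptionType AES128,AES256
```

Accounts flagged `RC4TicketLikely` are the ones whose service tickets are cheap to crack offline; in a lab like VulnAD that is the intended state, in a real domain it is the finding to fix.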


mclkov commented Aug 31, 2022

PS: I found one more "vuln AD script" (BadBlood), but they create Users instead of Managed Service Accounts:

```powershell
$services = ("https","ftp","CIFS","kafka","MSSQL","POP3")
$computers = Get-ADComputer -Filter *
$users = Get-ADUser -Filter *

$i = 0
Do {
    # pick a random computer, user and service name and build an SPN from them
    $computer = $computers | Get-Random
    $user = $users | Get-Random
    $service = $services | Get-Random
    $cn = $computer.Name
    $spn = "$service/$cn"

    Try {
        # attach the SPN to a regular user account (what makes it Kerberoastable)
        $user | Set-ADUser -ServicePrincipalNames @{Add=$spn} -ErrorAction Stop
    }
    # The quoted snippet ends at the Set-ADUser line; the Catch block and the
    # loop closure below are assumed (including the iteration count) so it parses.
    Catch { }
    $i++
} Until ($i -ge 10)
```

@dev-fortress

Hi, I have the same problem as mbb5546, but the command `get-adobject | Where-Object {$_.serviceprincipalname -ne $null -and $_.cn -ne "krbtgt"}` doesn't resolve my problem. Any idea for this?
Thanks in advance
