Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

--kerberoast Improvement #126

Merged
merged 2 commits into from
Apr 2, 2024
Merged

--kerberoast Improvement #126

merged 2 commits into from
Apr 2, 2024

Conversation

Kahvi-0
Copy link
Contributor

@Kahvi-0 Kahvi-0 commented Nov 24, 2023

On a test where --kerberoast would not return a ticket for a user I knew was kerberoastable.

image

After some digging I changed the LDAP query in ldap.py to be just "(&(servicePrincipalName=*)(!(objectCategory=computer)))". This removes the check if the account is normal and not disabled and returned the ticket I was expecting.

image

Personally would still like to get tickets for users that are disabled/locked out in order to attempt to crack their password and see if the password is reused.

I also changed the error for "Bypassing disabled account {sAMAccountName}" to be highlight as I thought this is nice to have.

@NeffIsBack NeffIsBack added the enhancement New feature or request label Nov 24, 2023
@RedByte1337
Copy link

Maybe change the filter to exclude the krbtgt account then now, since that was covered previously by the disabled account filter.

@NeffIsBack
Copy link
Contributor

Another idea: What about we toggle if we want to include disabled accounts? Something like --kerberoast is per default "False" and you can include all disabled accounts with setting it to True (--kerberoasting True)

@mpgn
Copy link
Collaborator

mpgn commented Dec 10, 2023

By defaullt, the option require a path to send all the hash found to hashcat.

As to check if the account is active or locked, you can check the value of userAccountControl and add the info with the samaccountname, no need to convert into yet yet another option

@NeffIsBack
Copy link
Contributor

NeffIsBack commented Dec 10, 2023

Yeah okay makes sense👍🏼

@Kahvi-0
Copy link
Contributor Author

Kahvi-0 commented Dec 11, 2023

Just wanted to update after coming back around to this after sometime and playing around with it a bit more in my lab. This change does not include the ticket for disabled accounts, only adds locked accounts. However, the logging change will show the disabled accounts that are skipped. I tried my hand a bit to get this module to show the hashes for the disabled account but could not get to it for the bit I looked at it. Would like to return to this in the future.

@Marshall-Hallenbeck
Copy link
Collaborator

@Kahvi-0 Would you be able to take a look at this again and finish it up? We'd like to include it in the v1.2 release if you have time!

@Kahvi-0
Copy link
Contributor Author

Kahvi-0 commented Feb 28, 2024

@Marshall-Hallenbeck I have some time to circle around and take another look at this :)

@Kahvi-0
Copy link
Contributor Author

Kahvi-0 commented Feb 29, 2024

I was able to spend some more time digging into this and here is the overview of the change.

Right now the edit I made to kerberoasting will include locked out accounts and note disabled accounts to terminal that are also kerberoastable.
Although the account "svc_kerberoastable" was locked out, we can still request the TGT and will no longer be filtered out.
image

image

Now for the topic I was hoping to have better results: disabled accounts.

I do not believe (at least with testing in my lab) you can retrieve the ticket for these. Originally, I was under the impression there was some way to do this due to powershell tools such as powerview and invoke-kerberoast returning a ticket. However, upon a fresh look today it appears that when I was originally testing it might have been pulling from existing tickets in cache or something (Kerberos knowledge is not my strongest so this may not be 100% accurate).

When I ran these powershell tools today after a refresh of my lab I noticed that they would return a ticket for an enabled user that is kerberoastable as expected and then return the same ticket after an error for the disabled account.

Ticket for enabled user
image

"Ticket" for disabled user
image


Unless there is some other suggested changes to make, the small tweaks I made might be the best it can be at the moment and good to push :)

On a test where --kerberoast would not return a ticket for a user I knew was kerberoastable. After some digging I changed the LDAP query in ldap.py to be just "(&(servicePrincipalName=*)(!(objectCategory=computer)))". This removes the check for accounts locked out/inactive and this returned the ticket I was able to see with powerview. 

Personally would still like to get tickets for users that are disabled/locked out in order to attempt to crack their password and see if the password is reused. 

I also changed the error for Bypassing disabled account {sAMAccountName} to be highlight as I thought this is nice to have.

Signed-off-by: Kahvi-0xFF <46513413+Kahvi-0@users.noreply.github.com>
Copy link
Contributor

@NeffIsBack NeffIsBack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

image

@NeffIsBack
Copy link
Contributor

@Kahvi-0 thanks for the effort! Finally merging this one :)

@NeffIsBack NeffIsBack merged commit da7c507 into Pennyw0rth:main Apr 2, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants