safebuffer/vulnerable-AD

function VulnAD-Kerberoasting Unsuccessful

mbb5546 opened this issue · 3 comments

Uploaded and ran the script on my Windows Server 2019 domain controller. I ran the script once I already had my domain created. After deleting the banner function the script ran fine, but when I went to perform a Kerberoasting attack there were no accounts configured with SPNs.

I know I can do this manually, which I plan to do; I just wanted to open an issue for visibility in case anyone else noticed this.

Hello, @mbb5546,

Give this command a go (PowerView must be loaded prior to this):

```powershell
get-adobject | Where-Object {$_.serviceprincipalname -ne $null -and $_.cn -ne "krbtgt"}
```

It worked for me, I found all 3 of them:

```
mssql_svc/mssqlserver[REMOVED]
exchange_svc/exserver[REMOVED]
http_svc/httpserver[REMOVED]
```

However, the issue I encountered was related to the cryptography.

All the tickets I tried to request were AES-encrypted; I couldn't request RC4 tickets at all.
I've tried both: Mimikatz (new-obj System.identity... then export in mimikatz) and Rubeus:

```
rubeus.exe kerberoast /spn:"exchange_svc/exserver[REMOVED]" /simple /rc4opsec
[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else

[*] Target SPN : http_svc/httpserver.cs.org
$krb5tgs$18$USER$CS.ORG$
```

I've already tried to use "usetgtdeleg" or "tgtdeleg" instead of "rc4opsec"; however, nothing worked :(

At some point I enabled all the encryption algos (RC4, AES128, AES256 etc.), and yet all the tickets were AES-encrypted.
Only after I disabled all but "RC4" (in the Group Policy) could I request the desired $krb5tgs$23.
But it came at a price: I couldn't repeat the same with mimikatz, and my AD-joined machine couldn't connect to the Domain Controller (where I initially ran vulnad.ps1) since then.

I'm still eager to find out if there's the "intended way" to Kerberoast Windows Server 2019.

Dear @WazeHell , please help :)

PS: I found one more "vuln AD script" (BadBlood), but they create Users instead of Managed Service Accounts:

```powershell
$services = ("https","ftp","CIFS","kafka","MSSQL","POP3")
$computers = Get-ADComputer -Filter *
$users = Get-ADUser -Filter *

$i = 0
Do {
    # pick a random computer, user and service, and build "service/hostname" as the SPN
    $computer = $computers | Get-Random
    $user = $users | Get-Random
    $service = $services | Get-Random
    $cn = $computer.Name
    $spn = "$service/$cn"

    Try {
        # fails (and is skipped) if the SPN already exists on another account
        $user | Set-ADUser -ServicePrincipalNames @{Add=$spn} -ErrorAction Stop
        $i++
    } Catch { }
    # the pasted excerpt ends at the Set-ADUser line; the Catch and the loop bound below are assumed closure
} Until ($i -ge 10)
```
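The AES-only tickets described in the comment above come down to two settings: each account's msDS-SupportedEncryptionTypes attribute and the host's "Network security: Configure encryption types allowed for Kerberos" policy. As an added audit example (not code from vulnerable-AD, BadBlood or anyone in this thread; it assumes the RSAT ActiveDirectory module and a domain-joined session on the DC), this lists every SPN-bearing account, decodes which etypes it advertises, and reads the registry value that the Group Policy setting writes:

```powershell
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7). The same bits are used by
# the "encryption types allowed for Kerberos" policy value read further down.
$EtypeFlags = [ordered]@{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4; AES128 = 0x8; AES256 = 0x10 }

function ConvertFrom-EtypeMask {
    param([int]$Mask)
    # Names of the etypes whose bits are set in $Mask.
    @($EtypeFlags.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key })
}

function Get-SpnAccountEtypeReport {
    # One row per SPN-bearing account, krbtgt excluded (same scope as the query in the thread).
    $filter = '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
    $props  = 'sAMAccountName', 'objectClass', 'servicePrincipalName', 'msDS-SupportedEncryptionTypes'
    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $mask = $_.'msDS-SupportedEncryptionTypes'
        # Unset or 0: the account advertises nothing and the DC's configured default applies.
        $allowed = if ($null -eq $mask -or $mask -eq 0) { @('(unset: DC default applies)') }
                   else { ConvertFrom-EtypeMask $mask }
        [pscustomobject]@{
            SamAccountName = $_.sAMAccountName
            ObjectClass    = $_.objectClass
            EtypeMask      = $mask
            Allowed        = ($allowed -join ', ')
            # RC4 bit set and no AES bit: a service ticket for this SPN would be RC4 ($krb5tgs$23$).
            Rc4Only        = ($null -ne $mask) -and (($mask -band 0x4) -ne 0) -and (($mask -band 0x18) -eq 0)
            SPNs           = ($_.servicePrincipalName -join ', ')
        }
    }
}

function Get-LocalKerberosEtypePolicy {
    # Effective per-host value written by the Group Policy setting the comment above changed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $v = (Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
    if ($null -eq $v) { 'not configured (OS default)' }
    else { '0x{0:X} = {1}' -f $v, ((ConvertFrom-EtypeMask $v) -join ', ') }
}

Get-SpnAccountEtypeReport | Format-Table SamAccountName, ObjectClass, Allowed, Rc4Only, SPNs -AutoSize
"Kerberos etype policy on this host: $(Get-LocalKerberosEtypePolicy)"
```

An account whose Allowed column shows only AES bits, or a host policy with RC4 cleared, is the expected reason a DC hands out $krb5tgs$18$ rather than $krb5tgs$23$ tickets; the report makes that visible without changing any policy.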

Hi, I have the same problem as mbb5546, but the command `get-adobject | Where-Object {$_.serviceprincipalname -ne $null -and $_.cn -ne "krbtgt"}` doesn't resolve my problem. Any idea for this?
Thanks in advance