Kerberoast
An attacker who has compromised a domain user requests a TGS for a service account. The TGS is encrypted with a hashed version of the account's password, which allows offline cracking of service account passwords.
Offline cracking of service account passwords. Pre-authentication should be enabled for that SPN.
Enumerate SPNs: The attacker enumerates accounts with SPNs, which are typically associated with service accounts.
Request Service Tickets: The attacker requests a service ticket (TGS) for these SPNs.
Extract Ticket: The requested TGS is encrypted with the service account's password hash.
Crack Password: The attacker extracts the TGS from memory or logs and uses offline brute force or dictionary attacks to crack the password hash.
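From the defender's side, the enumerate-then-request pattern in the steps above shows up on the domain controller as Security event 4769 (a Kerberos service ticket was requested). The following detection sketch is an added example, not part of the original page: it flags any account that requests RC4-encrypted tickets for several distinct user-account services in a short window. The threshold, the window, the helper names and the sample events are assumptions constructed for illustration; the field names follow event 4769.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType logged for RC4-HMAC service tickets

def _ev(time, user, service, etype):
    # Builds one constructed 4769 record using the event's own field names.
    return {"time": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype}

# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    _ev("2024-01-10T09:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17"),
    _ev("2024-01-10T09:00:03", "jdoe@CORP.EXAMPLE", "svc_web", "0x17"),
    _ev("2024-01-10T09:00:04", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17"),
    _ev("2024-01-10T09:10:00", "asmith@CORP.EXAMPLE", "svc_sql", "0x12"),
    _ev("2024-01-10T09:10:02", "asmith@CORP.EXAMPLE", "FILESRV01$", "0x17"),
    _ev("2024-01-10T09:30:00", "bwhite@CORP.EXAMPLE", "svc_sql", "0x17"),
    _ev("2024-01-10T11:00:00", "bwhite@CORP.EXAMPLE", "svc_web", "0x17"),
    _ev("2024-01-10T14:00:00", "bwhite@CORP.EXAMPLE", "svc_backup", "0x17"),
]

def find_kerberoast_candidates(events, min_services=3, window=timedelta(minutes=5)):
    """Map each requester to the services it hit when it asked for RC4 tickets
    to at least min_services distinct user-account services inside window."""
    per_user = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        # Machine accounts (trailing $) and krbtgt are routine traffic.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        per_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["time"]), svc))
    hits = defaultdict(set)
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans <= window.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= min_services:
                hits[user] |= services
    return {user: sorted(svcs) for user, svcs in hits.items()}

if __name__ == "__main__":
    print(find_kerberoast_candidates(SAMPLE_EVENTS))
```

Tune `min_services` and `window` against a baseline of normal ticket traffic before alerting on the result.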