Kerberoasting is an attack that abuses the ServicePrincipalName (SPN) AD attribute to request TGS (service) tickets for user accounts. Part of each ticket is encrypted with a key derived from the service account's password, so the tickets can be taken offline and cracked.
Discovery
Requirements:
Any valid domain account
A user account whose ServicePrincipalName attribute is not null
Windows enumeration:
Linux enumeration:
Exploitation
Windows:
Linux:
If you encounter a Kerberos clock skew error, try this fix.
Targeted Kerberoast
Targeted Kerberoasting is used to obtain the password of one specific user. If a principal the attacker controls has write permissions over the target account, the attacker can add an SPN to that account, making it Kerberoastable.
Discovery
Requirements:
Any valid domain account
One of the following permissions over the target account:
GenericAll
GenericWrite
WriteProperty
Validated-SPN
Use BloodHound to find users that are susceptible to this attack.
Exploitation
Authenticate as the user with one of the required permissions.
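The step that makes a targeted Kerberoast work, writing an SPN onto a user object, leaves a Directory Service Changes record (event 5136) on the domain controller when auditing is enabled for the object. The following audit is an added example, not part of the original cheat sheet: it flags servicePrincipalName values added to user objects by anyone outside an allowlist of provisioning identities, and marks an SPN that is removed again shortly afterwards as transient, since a legitimate service registration stays. Sample records are constructed in a simplified key=value form; the 5136 field names and the OperationType codes %%14674 (value added) and %%14675 (value deleted) follow the event's documentation but are treated as assumptions here, as is the allowlist.

```python
"""Audit event 5136 records for servicePrincipalName writes on user objects.

Added example (not part of the original cheat sheet). Records are constructed
in a simplified key=value layout mirroring 5136 fields (SubjectUserName,
ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue, OperationType).
"""
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"    # assumed 5136 OperationType: attribute value added
VALUE_DELETED = "%%14675"  # assumed 5136 OperationType: attribute value deleted

# Constructed sample. Values contain no spaces so a whitespace split suffices.
SAMPLE_5136 = """\
ts=2024-05-01T11:00:00 EventID=5136 SubjectUserName=svc_provision ObjectDN=CN=sqlsvc,OU=Service,DC=corp,DC=local ObjectClass=user AttributeLDAPDisplayName=servicePrincipalName AttributeValue=MSSQLSvc/db01.corp.local:1433 OperationType=%%14674
ts=2024-05-01T11:02:10 EventID=5136 SubjectUserName=jdoe ObjectDN=CN=Admin-Jane,OU=Admins,DC=corp,DC=local ObjectClass=user AttributeLDAPDisplayName=servicePrincipalName AttributeValue=placeholder/spn OperationType=%%14674
ts=2024-05-01T11:02:15 EventID=5136 SubjectUserName=jdoe ObjectDN=CN=Admin-Jane,OU=Admins,DC=corp,DC=local ObjectClass=user AttributeLDAPDisplayName=description AttributeValue=x OperationType=%%14674
ts=2024-05-01T11:04:40 EventID=5136 SubjectUserName=jdoe ObjectDN=CN=Admin-Jane,OU=Admins,DC=corp,DC=local ObjectClass=user AttributeLDAPDisplayName=servicePrincipalName AttributeValue=placeholder/spn OperationType=%%14675
ts=2024-05-01T11:10:00 EventID=5136 SubjectUserName=svc_provision ObjectDN=CN=WS01,OU=Workstations,DC=corp,DC=local ObjectClass=computer AttributeLDAPDisplayName=servicePrincipalName AttributeValue=HOST/ws01.corp.local OperationType=%%14674
"""

# Assumed: identities that legitimately register SPNs (provisioning automation).
SPN_ALLOWLIST = {"svc_provision"}


def parse_5136(text):
    """Parse key=value records, keeping event 5136 and typing the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("EventID") == "5136":
            fields["ts"] = datetime.fromisoformat(fields["ts"])
            events.append(fields)
    return events


def audit_spn_writes(events, allowlist=SPN_ALLOWLIST, transient_window=timedelta(hours=1)):
    """Return one alert per servicePrincipalName added to a user object by a
    subject outside the allowlist. `transient` is True when the same value is
    deleted from the same object within `transient_window` (assumed)."""
    spn_events = [e for e in events if e["AttributeLDAPDisplayName"] == "servicePrincipalName"]
    alerts = []
    for ev in spn_events:
        if ev["OperationType"] != VALUE_ADDED or ev["ObjectClass"] != "user":
            continue
        if ev["SubjectUserName"] in allowlist:
            continue
        removed = any(
            d["OperationType"] == VALUE_DELETED
            and d["ObjectDN"] == ev["ObjectDN"]
            and d["AttributeValue"] == ev["AttributeValue"]
            and timedelta(0) <= d["ts"] - ev["ts"] <= transient_window
            for d in spn_events
        )
        alerts.append({
            "ts": ev["ts"],
            "subject": ev["SubjectUserName"],
            "target": ev["ObjectDN"],
            "spn": ev["AttributeValue"],
            "transient": removed,
        })
    return alerts


if __name__ == "__main__":
    for a in audit_spn_writes(parse_5136(SAMPLE_5136)):
        flag = " (removed again shortly after)" if a["transient"] else ""
        print(f"{a['ts']} {a['subject']} added SPN {a['spn']} to {a['target']}{flag}")
```

On the sample, only jdoe's write to CN=Admin-Jane is reported, and it is marked transient because the value is deleted two minutes later; the provisioning account's registrations and the computer-object SPN are ignored. Pairing this with the permissions list above (GenericAll, GenericWrite, WriteProperty, Validated-SPN) gives the preventive side: any principal holding one of those rights over a privileged user is the account to review in BloodHound before an SPN ever gets written.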