Kerberoasting

Prerequisites: valid domain credentials (a username and password, or an existing logon session on a domain-joined machine) and the SPN(s) we want to target. No special privileges are needed: any authenticated domain user can request a service ticket for any SPN.

Theory

When a user requests a service ticket (TGS) from the domain controller, the KDC performs no check of whether that user is allowed to use the service behind the SPN.

Those authorization checks happen only in a second step, when the ticket is presented to the service itself. This means that if we know the SPN we want to target, we can request a service ticket for it from the domain controller as any authenticated user.

The service ticket is encrypted with a key derived from the password of the account that owns the SPN (the service account). We cannot decrypt it directly, but we can take the encrypted ticket offline and try candidate passwords against it until one decrypts it correctly, which gives us the service account's cleartext password. This technique is known as Kerberoasting. It works best when the ticket is RC4-encrypted (etype 23), because the RC4 key is simply the account's NT hash and cracks far faster than AES keys (etype 17/18), which are derived through PBKDF2. Every request is logged on the DC as Event ID 4769, and defenders commonly alert on RC4 ticket requests, so bulk roasting is noisy.

Theory Recap

  • Find an SPN (and therefore a service account) we want to attack

  • Request a TGS for that SPN from the domain controller

  • Extract the encrypted part of the TGS (encrypted with the service account's key) in a crackable hash format

  • Crack it offline to recover the service account password

Attack from domain-joined Windows

As with AS-REP roasting, we can use Rubeus.exe => https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Rubeus requests a ticket for every account that has an SPN set, prints the resulting hash for each and writes them to hashes.kerberoast.

We crack the hashes with hashcat using the Kerberos 5 TGS-REP mode that matches the ticket's encryption type: 13100 for RC4 (etype 23), 19600 for AES128 (etype 17) and 19700 for AES256 (etype 18). The etype is the number directly after $krb5tgs$ in each line, so check it before picking the mode.

Attack from Kali Linux

As with AS-REP roasting from Kali, this requires valid domain credentials; the ticket request is made against the DC over the network rather than from a domain-joined host.

The resulting hashes are in the same $krb5tgs$ format and are cracked with hashcat exactly as above, choosing the mode from the etype.
