Kerberoasting
Continuing our exploration of Active Directory Pentesting, our current focus is on Kerberos attacks. Today, we will delve into a widely known and utilized attack named Kerberoasting.
As we discussed earlier, once the user obtains the Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC), they can utilize it to request a Ticket Granting Service (TGS) for various services. Just like the TGT, which is encrypted with the user's password hash, the TGS is encrypted using the service account's password hash. By acquiring the TGS, we gain the opportunity to perform offline brute force attacks on the service account's password.
To be successful in a Kerberoasting attack, several conditions need to be met:
Service Accounts with SPNs: The target Active Directory environment must have service accounts with Service Principal Names (SPNs) set. These SPNs are associated with specific services running on servers within the domain.
Kerberos Pre-Authentication Disabled: The service accounts with SPNs should have Kerberos pre-authentication disabled. This allows an attacker to request a Ticket Granting Service (TGS) ticket without needing to provide a pre-authentication encrypted timestamp, making the attack feasible.
Ticket-Granting Ticket (TGT) Obtained: The attacker needs to have already obtained a valid Ticket-Granting Ticket (TGT) to request TGS tickets on behalf of service accounts. This can be achieved through various means, such as password spraying, credential theft, or other initial access techniques.
Offline Cracking Capability: After obtaining the TGS ticket for a service account, the attacker must be able to perform offline password cracking. This usually means using tools like Hashcat or John the Ripper to run brute-force or dictionary attacks against the encrypted portion of the TGS ticket.
Weak Passwords: The success of the Kerberoasting attack depends on the strength and complexity of the passwords used for service accounts. Weak or easily guessable passwords can significantly expedite the offline cracking process.
Detection Evasion: The attacker needs to take measures to avoid detection during the attack. This might involve conducting the attack during off-hours or obfuscating common tools like Rubeus.
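The conditions above describe what the attacker needs; the flip side is what the defender can see. Every TGS request, whether it comes from Rubeus on a compromised host or from Impacket's GetUserSPNs.py over the network, is logged by the domain controller as Security Event 4769, and a Kerberoasting run stands out as one user account pulling tickets for many different service accounts in a short burst, typically with RC4 (etype 0x17) encryption because those tickets are the cheapest to crack. The following detector is an added example written for this page, not code from the original post or from any of the tools it mentions. It assumes the 4769 events have already been parsed into dicts with the fields TargetUserName, ServiceName, TicketEncryptionType, IpAddress and TimeCreated; the event list is constructed for illustration.

```python
"""Flag Kerberoasting-style TGS request bursts in Windows Security Event 4769 data.

Added example (not code from the original post). Assumes 4769 events arrive as
dicts with TargetUserName (requesting account), ServiceName (service account),
TicketEncryptionType (hex string such as "0x17"), IpAddress and TimeCreated
(ISO-8601). The event list below is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23: ticket keyed from the NT hash, cheapest to crack offline


def ev(ts, user, svc, etype, ip):
    """Build one 4769-like record (helper for the constructed sample only)."""
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip}


SAMPLE_EVENTS = [
    # alice: four distinct service accounts, RC4, within 20 seconds -> roasting pattern
    ev("2024-01-10T09:00:01", "alice@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.5"),
    ev("2024-01-10T09:00:05", "alice@CORP.LOCAL", "svc_web", "0x17", "10.0.0.5"),
    ev("2024-01-10T09:00:09", "alice@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.5"),
    ev("2024-01-10T09:00:20", "alice@CORP.LOCAL", "svc_iis", "0x17", "10.0.0.5"),
    # bob: one RC4 service ticket plus a TGT renewal -> normal use
    ev("2024-01-10T09:10:00", "bob@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.6"),
    ev("2024-01-10T09:10:02", "bob@CORP.LOCAL", "krbtgt", "0x12", "10.0.0.6"),
    # carol: three services but AES tickets -> not the cheap-to-crack pattern
    ev("2024-01-10T09:20:00", "carol@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.7"),
    ev("2024-01-10T09:20:01", "carol@CORP.LOCAL", "svc_web", "0x12", "10.0.0.7"),
    ev("2024-01-10T09:20:02", "carol@CORP.LOCAL", "svc_backup", "0x12", "10.0.0.7"),
    # WS01$: computer account, legitimately requests many tickets -> excluded
    ev("2024-01-10T09:30:00", "WS01$@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.8"),
    ev("2024-01-10T09:30:01", "WS01$@CORP.LOCAL", "svc_web", "0x17", "10.0.0.8"),
    ev("2024-01-10T09:30:02", "WS01$@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.8"),
    # dave: three RC4 services spread over an hour -> never three inside one window
    ev("2024-01-10T08:00:00", "dave@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.9"),
    ev("2024-01-10T08:30:00", "dave@CORP.LOCAL", "svc_web", "0x17", "10.0.0.9"),
    ev("2024-01-10T09:00:00", "dave@CORP.LOCAL", "svc_backup", "0x17", "10.0.0.9"),
]


def is_roastable_request(e):
    """Keep only RC4 service-ticket requests made by user accounts for user service accounts."""
    requester = e["TargetUserName"].split("@")[0]
    service = e["ServiceName"]
    if requester.endswith("$") or service.endswith("$"):
        return False  # computer accounts are noisy and are not the roasting target
    if service.lower() == "krbtgt":
        return False  # TGT requests/renewals are not service tickets
    return e["TicketEncryptionType"].lower() == RC4_HMAC


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return one alert per requester that pulled at least `threshold` distinct
    RC4 service tickets inside any sliding window of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable_request(e):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"], e["IpAddress"]))
    alerts = []
    for user, recs in by_user.items():
        recs.sort()  # chronological, so everything before index i is not later than recs[i]
        for i, (t, _, ip) in enumerate(recs):
            in_window = {svc for t2, svc, _ in recs[: i + 1] if t - t2 <= window}
            if len(in_window) >= threshold:
                alerts.append({
                    "user": user, "ip": ip, "trigger_time": t.isoformat(),
                    "services": sorted({svc for _, svc, _ in recs}),  # everything this user touched
                })
                break  # one alert per requester is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} from {a['ip']} at {a['trigger_time']}: {a['services']}")
```

The window and threshold are tuning knobs: in a real environment a baseline of how many distinct service accounts a human user normally touches per five minutes decides the threshold, and service accounts that still need RC4 tickets are the ones to migrate to AES (or to gMSA, which makes the password uncrackable in practice) first.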
There are various tools and techniques that can request TGS tickets and hand us the encrypted cipher for offline cracking. To keep this document short we show only a few of them; interested readers can explore other tools as well.
Rubeus is a popular open-source tool used in Active Directory (AD) security assessments, particularly for Kerberos-related attacks. Rubeus can be used for other attacks too, but in this section we use it for the Kerberoasting attack. Rubeus can be downloaded from its official GitHub page, Rubeus, but you have to compile it yourself using the instructions given there.
After a successful compile you can upload the rubeus.exe binary to your targeted machine, then use the following command to get the TGS encrypted cipher.
The above command automatically looks up the SPNs of kerberoastable accounts, requests a TGS for each of them, and shows you the output.
After getting similar output you can copy the hash into a file, e.g. hash.txt, and then use hashcat or John the Ripper to crack it.
Note: Rubeus is used when we only have a shell on the target system without any credentials; if we have access with credentials, we can use Impacket scripts to get the cipher remotely.
We have used Impacket scripts for various attacks before; for Kerberoasting we can use the script named GetUserSPNs.py with the following syntax.
Example
After getting the hashes, again use hashcat or John the Ripper to crack the password.