🔹 Kerberoasting Explained

Kerberoasting is an attack that exploits service accounts in Active Directory. Here’s how it works:
- **User Requests a TGT (Ticket-Granting Ticket)**
  - When a user wants to access an application server, they request a TGT from the Key Distribution Center (KDC), which runs on the Domain Controller.
  - To do this, the user sends their NTLM hash to the Domain Controller for authentication.
  - If valid, the Domain Controller responds with a TGT, which is encrypted using the `krbtgt` hash.
  - Any user with valid credentials (including an attacker) can request a TGT.
- **User Requests a TGS (Service Ticket)**
  - The user then presents the TGT to the Domain Controller and requests a TGS (Ticket Granting Service ticket) for the specific application/service they want to access.
  - The Domain Controller responds with a TGS, which is encrypted using the service account’s NTLM hash.
- **Attacker Captures the Service Ticket**
  - Normally, the user would use this TGS to authenticate with the application server.
  - However, in a Kerberoasting attack, an attacker with compromised credentials can also request TGS tickets for any service account in the domain.
- **Cracking the Service Account Hash**
  - Since the TGS is encrypted using the service account’s NTLM hash, the attacker can extract it and attempt to crack the hash offline.
  - Once cracked, the attacker gains access to the service account credentials, which often have high privileges in the domain.
💡 Key Takeaway:
By obtaining a valid TGT, an attacker can repeatedly request TGS tickets, extract hashes, and attempt to crack them. The tool `GetUserSPNs` is commonly used to automate this process.
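From the defender's side, the protocol behaviour described above leaves a trail on the Domain Controller: every TGS request is logged as Security event 4769 ("A Kerberos service ticket was requested") with the requesting account, the service account name and the ticket encryption type. The Python below is an added example, not code from the original page, that applies three Kerberoasting checks to constructed sample 4769 records: RC4 (etype 0x17) tickets issued for user-style service accounts, one requester collecting tickets for many distinct services in a short window, and any request for a decoy SPN account of the honeypot kind the Steps section warns about. The record field names, the thresholds and the decoy account name `svc_honeypot` are assumptions.

```python
"""Kerberoasting indicators in Windows Security event 4769.

Added example, not part of the original page. Every TGS request the page
describes is logged by the Domain Controller as event 4769; the records
below are constructed samples using that event's main fields, not real
log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType 0x17 = RC4-HMAC. Its key is the service account's NT
# hash, which is exactly what hashcat mode 13100 attacks offline. AES tickets
# (0x11 / 0x12) use keys from an iterated PBKDF2 derivation and are not flagged.
RC4_ETYPE = "0x17"
SUCCESS = "0x0"

# Assumed decoy account: an SPN account nobody legitimately uses, so any
# ticket request for it is high-signal (the "honeypot" the Steps refer to).
DECOY_ACCOUNTS = {"svc_honeypot"}

# Constructed sample 4769 records (account = requester, service = ServiceName).
SAMPLE_EVENTS = [
    # Ordinary user reaching one SQL service with an AES ticket: benign.
    {"time": "2024-01-10T09:00:01", "account": "jdoe", "service": "svc_sql", "etype": "0x12", "status": "0x0"},
    # Ticket to a computer account (trailing $): happens on every logon.
    {"time": "2024-01-10T09:00:05", "account": "jdoe", "service": "WS01$", "etype": "0x12", "status": "0x0"},
    # One account pulling RC4 tickets for many unrelated services in seconds.
    {"time": "2024-01-10T09:01:00", "account": "fcastle", "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:01:01", "account": "fcastle", "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:01:02", "account": "fcastle", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-01-10T09:01:03", "account": "fcastle", "service": "svc_honeypot", "etype": "0x17", "status": "0x0"},
    # Failed request (non-zero Status): no ticket was issued, ignore.
    {"time": "2024-01-10T09:02:00", "account": "fcastle", "service": "svc_nothere", "etype": "0x17", "status": "0x7"},
    # krbtgt appears in 4769 on TGT renewal; it is not a roasting target.
    {"time": "2024-01-10T09:03:00", "account": "jdoe", "service": "krbtgt", "etype": "0x12", "status": "0x0"},
]


def is_roastable_target(service: str) -> bool:
    """Computer accounts have long random machine passwords and krbtgt is the
    TGT key itself; only user-style service accounts are realistic targets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect(events, sweep_threshold=3, window=timedelta(minutes=5),
           decoys=DECOY_ACCOUNTS):
    """Return (account, rule, detail) findings for the given 4769 records."""
    findings = []
    per_account = defaultdict(list)  # requester -> [(time, service)]

    for ev in events:
        if ev["status"] != SUCCESS or not is_roastable_target(ev["service"]):
            continue
        when = datetime.fromisoformat(ev["time"])
        account, service = ev["account"], ev["service"]

        # Rule 1: an RC4 ticket for a user service account is crackable offline.
        if ev["etype"] == RC4_ETYPE:
            findings.append((account, "rc4_service_ticket", service))
        # Rule 2: a decoy SPN account should never be requested at all.
        if service in decoys:
            findings.append((account, "decoy_spn_requested", service))
        per_account[account].append((when, service))

    # Rule 3: one requester collecting tickets for many distinct services
    # inside a short window, which is what requesting every SPN looks like.
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= sweep_threshold:
                findings.append((account, "spn_sweep",
                                 f"{len(services)} services within {window}"))
                break
    return findings


if __name__ == "__main__":
    for account, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{account:10} {rule:22} {detail}")
```

Run against the samples, only `fcastle` produces findings: four RC4 tickets, one decoy hit and one sweep of four services in five minutes, while `jdoe`'s AES ticket, machine-account ticket and TGT renewal are all filtered out. On a real estate the RC4 rule alone is noisy wherever legacy accounts still negotiate etype 23, which is why the sweep and decoy rules carry most of the weight.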
Steps
- **Get SPNs, Dump Hash**

```bash
# Generic form: authenticate as any domain user and request a TGS for every account with an SPN
impacket-GetUserSPNs <DOMAIN>/<username>:<password> -dc-ip <ip-of-DC> -request
# Lab example against the MARVEL.local Domain Controller
impacket-GetUserSPNs MARVEL.local/fcastle:Password1 -dc-ip 192.168.150.128 -request
```

- If the `LastLogon` is `<never>`, it will most likely be a honeypot.
- **Crack the hash**

```bash
# -m 13100 = Kerberos 5 TGS-REP etype 23 (RC4-HMAC); krb.txt holds the dumped tickets
hashcat -m 13100 krb.txt rockyou.txt
```

Mitigations
- Strong passwords for service accounts, so that the extracted TGS hash cannot be cracked offline
- DON’T store passwords in the description field of the Active Directory account
- Service accounts should not run as Domain Admin
- Least privilege for every service account
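The audit below is an added example, not code from the original page, that checks a constructed export of AD user attributes against the list above: SPN accounts that sit in privileged groups, password-like text in the description field, and, going one step beyond the list, SPN accounts whose `msDS-SupportedEncryptionTypes` still permit RC4 tickets (the etype 23 tickets that hashcat mode 13100 cracks). The attribute names are the real AD schema names; the sample accounts, the privileged-group set and the keyword pattern are assumptions.

```python
"""Audit of Kerberoasting mitigations over an AD user export.

Added example, not part of the original page. It runs over a constructed
list of user objects shaped like LDAP / Get-ADUser output; the accounts,
groups and description text are made up. Attribute names are the real AD
schema names.
"""
import re

# msDS-SupportedEncryptionTypes bit flags as documented by Microsoft.
ETYPE_RC4 = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10

# Assumed set of groups that count as "Domain Admin level" for this audit.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Heuristic for credentials leaked into the description field (assumption).
SECRET_PATTERN = re.compile(r"\b(pass(word|wd)?|pwd|secret|cred)", re.IGNORECASE)

# Constructed sample export (not real directory data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql",
     "servicePrincipalName": ["MSSQLSvc/sql01.marvel.local:1433"],
     "memberOf": ["Domain Admins"],
     "description": "SQL service. Password1 until we rotate",
     "msDS-SupportedEncryptionTypes": 0x4},
    {"sAMAccountName": "svc_web",
     "servicePrincipalName": ["HTTP/web01.marvel.local"],
     "memberOf": ["Web Operators"],
     "description": "IIS app pool identity",
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "jdoe",
     "servicePrincipalName": [],
     "memberOf": ["Domain Users"],
     "description": "pwd: Summer2023!",
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_legacy",
     "servicePrincipalName": ["CIFS/legacy01.marvel.local"],
     "memberOf": ["Domain Users"],
     "description": "",
     "msDS-SupportedEncryptionTypes": 0},
]


def audit_account(acct: dict) -> list:
    """Return the mitigation checks this account fails (empty = clean)."""
    findings = []
    has_spn = bool(acct.get("servicePrincipalName"))
    privileged = PRIVILEGED_GROUPS & set(acct.get("memberOf", []))

    # "Service account should not be running as Domain Admin": an SPN account
    # in a privileged group turns one cracked ticket into domain compromise.
    if has_spn and privileged:
        findings.append("spn_account_is_privileged")

    # "DON'T store password in the description": the attribute is readable by
    # every authenticated user, so anything credential-like there is exposed.
    if SECRET_PATTERN.search(acct.get("description") or ""):
        findings.append("secret_in_description")

    # Beyond the page's list: an SPN account that still accepts RC4, or has no
    # AES bit set (so the KDC historically falls back to RC4), hands out the
    # crackable etype 23 tickets that hashcat -m 13100 targets.
    if has_spn:
        etypes = acct.get("msDS-SupportedEncryptionTypes") or 0
        if etypes & ETYPE_RC4 or not etypes & (ETYPE_AES128 | ETYPE_AES256):
            findings.append("rc4_tickets_allowed")
    return findings


def audit(accounts) -> dict:
    """Map sAMAccountName -> failed checks, omitting clean accounts."""
    report = {}
    for acct in accounts:
        failed = audit_account(acct)
        if failed:
            report[acct["sAMAccountName"]] = failed
    return report


if __name__ == "__main__":
    for name, failed in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(failed)}")
```

On the sample data `svc_sql` fails all three checks, `svc_legacy` is flagged only for RC4 (its encryption-type attribute is unset), `jdoe` only for the description leak, and `svc_web` (AES-only, unprivileged, clean description) is not reported. The password check itself cannot be automated from an export, since the directory never exposes the password; strength has to be enforced at set time, which is where managed service accounts with long random passwords fit.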