Kerberoasting
Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments. It targets domain accounts that have a Service Principal Name (SPN) set: any authenticated domain user can request a TGS ticket for such a service, and since that ticket is encrypted with the service account's password hash, it can be taken offline and cracked.
To Kerberoast, we can use several tools, such as:
Impacket’s GetUserSPNs.py from a non-domain joined Linux host.
A combination of the built-in setspn.exe Windows binary, PowerShell, and Mimikatz.
From Windows, using tools such as PowerView, Rubeus, and other PowerShell scripts.
It is worth knowing that we can perform this attack from many positions in the network:
From a non-domain joined Linux host using valid domain user credentials.
From a domain-joined Linux host as root after retrieving the keytab file.
From a domain-joined Windows host authenticated as a domain user.
From a domain-joined Windows host with a shell in the context of a domain account.
As SYSTEM on a domain-joined Windows host.
From a non-domain joined Windows host using runas /netonly.
Obtaining a TGS ticket is only half the attack: we still need to crack the ticket's hash offline before we have valid credentials for the service account.
Kerberoasting - from Linux
Listing SPN Accounts with GetUserSPNs.py
We can now pull all TGS tickets for offline processing using the -request flag.
Requesting all TGS Tickets
Requesting a Single TGS ticket
We'll request the ticket for the sqldev user only:
To save a step, we can write the TGS straight to a file with the -outputfile flag.
Cracking the Ticket Offline with Hashcat
Now we can attempt to crack the ticket offline using Hashcat hash mode 13100.
Testing Authentication against a Domain Controller
With the cleartext password, we can test authentication against the domain controller.
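The defender's counterpart to the procedure above, as an added example that is not part of the original notes: detection logic run over constructed Windows Security Event ID 4769 (service ticket request) lines. It flags a requester that obtains RC4-encrypted service tickets (TicketEncryptionType 0x17/0x18) for several distinct user SPN accounts inside a short window, which is the footprint a bulk GetUserSPNs.py -request leaves on the domain controller, while ignoring computer accounts and krbtgt so ordinary host-to-host and TGT traffic does not alert. The realm CORP.EXAMPLE, the IP addresses, the timestamps and the service names other than sqldev and SAPService are assumed sample values; the fan-out threshold and window are tunable assumptions, not values from the page.

```python
"""
Kerberoasting detection over flattened Windows Security Event 4769 records.

Two signals are combined:
  1. Ticket encryption type 0x17 (RC4-HMAC) or 0x18 (RC4-HMAC-EXP): most
     Kerberoasting tools ask for RC4 so the ticket is cheaper to crack.
  2. Fan-out: one requester pulling tickets for many distinct SPN accounts
     in a short window, which normal clients rarely do.
The sample lines are constructed (not real log data) in a simplified
key=value form; real events carry the same EventData fields
(TargetUserName, ServiceName, TicketEncryptionType, IpAddress).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC, RC4-HMAC-EXP
FANOUT_THRESHOLD = 5            # assumed: distinct SPN accounts per requester
WINDOW = timedelta(minutes=5)   # assumed: sliding window length

# Constructed sample events; realm, IPs and most names are made up.
SAMPLE_EVENTS = """
2024-05-01T10:00:01 EventID=4769 TargetUserName=forend@CORP.EXAMPLE ServiceName=sqldev TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-05-01T10:00:02 EventID=4769 TargetUserName=forend@CORP.EXAMPLE ServiceName=SAPService TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-05-01T10:00:02 EventID=4769 TargetUserName=forend@CORP.EXAMPLE ServiceName=DC01$ TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-05-01T10:00:03 EventID=4769 TargetUserName=forend@CORP.EXAMPLE ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-05-01T10:00:03 EventID=4769 TargetUserName=forend@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-05-01T10:00:04 EventID=4769 TargetUserName=forend@CORP.EXAMPLE ServiceName=svc_monitor TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-05-01T10:00:04 EventID=4769 TargetUserName=forend@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.0.0.25
2024-05-01T10:01:00 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=sqldev TicketEncryptionType=0x12 IpAddress=10.0.0.40
2024-05-01T10:01:05 EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=10.0.0.40
2024-05-01T10:02:00 EventID=4768 TargetUserName=bob@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.40
2024-05-01T10:40:00 EventID=4769 TargetUserName=forend@CORP.EXAMPLE ServiceName=svc_print TicketEncryptionType=0x17 IpAddress=10.0.0.25
"""


def parse_event(line):
    """Turn one flattened event line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields if "=" in f)
    rec["timestamp"] = datetime.fromisoformat(ts)
    return rec


def parse_events(text):
    """Parse all non-empty lines and keep only 4769 (service ticket request) events."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "4769":
            events.append(ev)
    return events


def is_user_service(name):
    """Computer accounts (trailing $) and krbtgt are not user SPN accounts that
    can be Kerberoasted; skipping them avoids alerting on routine traffic."""
    n = name.lower()
    return not n.endswith("$") and n != "krbtgt"


def detect_kerberoasting(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per requester whose RC4 service-ticket requests cover at
    least `threshold` distinct user SPN accounts within any `window`."""
    by_requester = defaultdict(list)
    for ev in events:
        etype = ev.get("TicketEncryptionType", "").lower()
        if etype in RC4_ETYPES and is_user_service(ev.get("ServiceName", "")):
            by_requester[ev["TargetUserName"]].append(ev)

    alerts = []
    for requester, evs in by_requester.items():
        evs.sort(key=lambda e: e["timestamp"])
        best, start = None, 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits inside `window`.
            while ev["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            services = {e["ServiceName"].lower() for e in evs[start:end + 1]}
            if len(services) >= threshold and (best is None or len(services) > len(best["services"])):
                best = {
                    "requester": requester,
                    "source_ip": ev.get("IpAddress"),
                    "window_start": evs[start]["timestamp"],
                    "window_end": ev["timestamp"],
                    "services": services,
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['requester']} from {alert['source_ip']} requested RC4 tickets for "
              f"{len(alert['services'])} SPN accounts between {alert['window_start']} "
              f"and {alert['window_end']}: {sorted(alert['services'])}")
```

On the sample data only forend trips the rule: five distinct user SPN accounts in four seconds, with DC01$ and krbtgt discarded and the later svc_print request falling outside the window, while bob's AES (0x12) requests never count. A tool that requests AES tickets would sidestep the encryption-type signal, so the fan-out count is worth keeping even if RC4 is disabled; the lasting fix on the account side is long random passwords or gMSAs for SPN accounts, AES-only encryption types, and keeping service accounts out of privileged groups.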
Practical example
Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.
We use the user forend, whose password we obtained earlier, to request the TGS ticket for SAPService.
We can also write the result straight to a file:
Since the lab VM is outdated, we copy the hash to our local machine and run hashcat there:
This recovers the password.
Simple enumeration of the user then answers the follow-up question:
What powerful local group on the Domain Controller is the SAPService user a member of?
Kerberoasting - from Windows
Kerberoasting - Semi Manual method
For this task we'll use the built-in setspn.exe binary to enumerate SPNs in the domain.