Kerberoasting is a post-exploitation attack technique in which an attacker extracts service account credentials from the Kerberos authentication system in a Windows Active Directory (AD) environment. The attacker can then attempt to crack the extracted credentials offline to gain unauthorized access to privileged accounts.<\/p>\n\n\n\n
Kerberos is a network authentication protocol that relies on ticket-based authentication. It consists of:<\/p>\n\n\n\n
For a successful Kerberoasting attack, the attacker needs:<\/p>\n\n\n\n
The attacker first identifies service accounts associated with SPNs by using tools like:<\/p>\n\n\n\n
setspn.exe -T domain -Q *\/*<\/code><\/li>\n\n\n\n- PowerShell scripts (e.g.,
Get-SPN<\/code> in PowerView)<\/li>\n\n\n\nRubeus.exe<\/code><\/li>\n<\/ul>\n\n\n\nStep 2: Request a Service Ticket (TGS)<\/strong><\/h5>\n\n\n\nUsing the kinit<\/code> command (on Linux) or PowerShell, the attacker requests a Ticket Granting Service (TGS) ticket for a service account.<\/p>\n\n\n\nExample:<\/p>\n\n\n\n
GetUserSPNs.py domain\/user:password -request
<\/code><\/pre>\n\n\n\nThe TGS is encrypted using the NTLM hash of the service account’s password.<\/p>\n\n\n\n
Step 3: Extract the Ticket from Memory<\/strong><\/h5>\n\n\n\nOnce the TGS is obtained, the attacker extracts the ticket from memory using:<\/p>\n\n\n\n
\n- Mimikatz:
sekurlsa::tickets<\/code><\/li>\n\n\n\n- Rubeus:
Rubeus.exe dump \/format:kirbi<\/code><\/li>\n\n\n\n- PowerShell scripts to read
klist<\/code> output<\/li>\n<\/ul>\n\n\n\nStep 4: Offline Brute-Force Cracking<\/strong><\/h5>\n\n\n\nSince the TGS is encrypted with the NTLM hash of the service account, the attacker can perform an offline brute-force attack using tools like:<\/p>\n\n\n\n
\n- Hashcat:
hashcat -m 13100 extracted_hash wordlist.txt<\/code><\/li>\n\n\n\n- John the Ripper:
john --format=krb5tgs --wordlist=wordlist.txt extracted_hash<\/code><\/li>\n<\/ul>\n\n\n\nIf the password is weak, it can be cracked, granting the attacker access to the service account.<\/p>\n\n\n\n
4. Impact of Kerberoasting<\/strong><\/h4>\n\n\n\n\n- Privilege escalation if the cracked account has elevated permissions.<\/li>\n\n\n\n
- Lateral movement within the network.<\/li>\n\n\n\n
- Potential domain compromise if a highly privileged account is cracked.<\/li>\n<\/ul>\n\n\n\n
5. Mitigation Strategies<\/strong><\/h4>\n\n\n\n\n- Use strong passwords for service accounts (long and complex).<\/li>\n\n\n\n
- Rotate service account passwords regularly.<\/li>\n\n\n\n
- Enforce Managed Service Accounts (MSAs) or Group Managed Service Accounts (gMSAs).<\/li>\n\n\n\n
- Implement monitoring and alerting for anomalous Kerberos ticket requests.<\/li>\n\n\n\n
- Disable RC4 encryption in Kerberos to make brute-force cracking harder.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Kerberoasting is a post-exploitation attack technique in which an attacker extracts service account credentials from the Kerberos authentication system in a Windows Active Directory (AD)… Kerberoasting – What is it?<\/span>Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-38","post","type-post","status-publish","format-standard","hentry","category-pentesting","category-red-team"],"_links":{"self":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/38","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38"}],"version-history":[{"count":5,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions"}],"predecessor-version":[{"id":128,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions\/128"}],"wp:attachment":[{"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}