🖊️Author: Nairuz Abulhul
🌐 Blog: R3dbuck3t
Kerberoasting Overview
<aside>
💡 Kerberoasting is an attack that abuses the Kerberos protocol to harvest password hashes for Active Directory user accounts with Service Principal Name (SPN) values — i.e., service accounts.
- Kerberoasting is NOT a flaw in Kerberos authentication itself; the weakness is administrators assigning service accounts weak or guessable passwords.
- Kerberoasting is a post-exploitation attack, meaning the attacker must already have a foothold in the network, typically a compromised domain user account.
- Kerberoasting aims to obtain the ticket hashes of accounts tied to services (SPNs), crack them offline to recover the cleartext password, and then use that password for lateral movement.
- When performing Kerberoasting, start the “attack” by enumerating all SPNs tied to user accounts and then using them to request TGS tickets (service tickets). Avoid requesting TGS tickets for computer accounts, because computer accounts have long, complex, machine-generated passwords that are hard to crack.
- The service ticket is encrypted with the service account's key; for the RC4-HMAC encryption type, that key is the account's NTLM hash.
</aside>
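The overview above puts the blame on weak service-account passwords and on RC4-encrypted tickets. The following PowerShell audit, added here as an example and not part of the original post or any of its tools, lists the user accounts that hold SPNs (the accounts an attacker would target) and ranks them by how exposed they are: whether RC4 is still allowed for them, how old their password is, and whether they are privileged. It assumes the RSAT ActiveDirectory module and a domain-authenticated session; the password-age threshold and the risk weights are assumptions for triage, not a standard.

```powershell
# Added example (not from the original post): rank SPN-bearing user accounts by
# Kerberoasting exposure so they can be moved to gMSA, AES-only or long passwords.
# Assumes the RSAT ActiveDirectory module; reading these attributes needs no admin rights.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
$RC4 = 0x4
$AES = 0x18
$MaxPasswordAgeDays = 365   # assumption: local threshold for a "stale" service-account password

# Get-ADUser only returns user objects, so computer accounts and gMSAs are excluded,
# matching the "user accounts only" focus described in the overview.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount, Enabled

$report = foreach ($u in $spnUsers) {
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    # An unset attribute (null/0) means the KDC uses the domain default, which still allows RC4.
    $rc4Allowed = (-not $etypes) -or (($etypes -band $RC4) -ne 0)
    $aesOnly    = [bool]$etypes -and (($etypes -band $AES) -ne 0) -and (($etypes -band $RC4) -eq 0)
    $pwdAge     = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }

    # Simple additive risk score; the weights are an assumption for triage.
    $score = 0
    if ($rc4Allowed)                                              { $score += 3 }  # RC4 tickets crack far faster than AES
    if (($null -eq $pwdAge) -or ($pwdAge -gt $MaxPasswordAgeDays)) { $score += 2 }  # old password = more likely weak
    if ($u.AdminCount -eq 1)                                      { $score += 3 }  # privileged account
    if ($u.Enabled)                                               { $score += 1 }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        Privileged      = ($u.AdminCount -eq 1)
        RC4Allowed      = $rc4Allowed
        AESOnly         = $aesOnly
        PasswordAgeDays = $pwdAge
        SPNCount        = @($u.ServicePrincipalName).Count
        RiskScore       = $score
    }
}

$report | Sort-Object RiskScore -Descending | Format-Table -AutoSize
```

Accounts at the top of the list are the ones to remediate first: replace them with group Managed Service Accounts where the service supports it, otherwise set a long random password and restrict `msDS-SupportedEncryptionTypes` to AES so that RC4 service tickets are no longer issued for them.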
Pre-requisites
- A domain user authenticated to a domain-joined machine.
- A valid Service Principal Name (SPN).
<aside>
💡 No local admin privileges are needed for this attack.
</aside>
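Because any domain user can perform this attack, detection on the domain controllers matters as much as prevention. The script below is an added example (not from the original post) that reads Security Event ID 4769, "A Kerberos service ticket was requested", and flags an account that requested RC4-encrypted (0x17) service tickets for several distinct non-computer services in a short window, which is the pattern the overview describes. It assumes the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the DC where it runs; the look-back window and burst threshold are assumptions to tune against your own baseline.

```powershell
# Added example (not from the original post): spot Kerberoasting-like bursts of RC4
# service-ticket requests in a domain controller's Security log.
# Assumes Event ID 4769 auditing is enabled and the script runs on the DC.
$Lookback   = (Get-Date).AddHours(-1)
$BurstLimit = 5   # assumption: distinct services requested by one account within the window

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Lookback } `
    -ErrorAction SilentlyContinue

# Flatten each event's EventData into a record.
$requests = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Requester = $d['TargetUserName']        # account that asked for the ticket
        Service   = $d['ServiceName']           # account the SPN belongs to
        EncType   = $d['TicketEncryptionType']  # 0x17 = RC4-HMAC, 0x12 = AES256, 0x11 = AES128
        Status    = $d['Status']                # 0x0 = ticket issued
        ClientIP  = $d['IpAddress']
    }
}

# Keep successful RC4 tickets for user-account services only: computer accounts
# (names ending in $) and krbtgt are not what a Kerberoaster asks for.
$suspect = $requests | Where-Object {
    $_.Status -eq '0x0' -and
    $_.EncType -eq '0x17' -and
    $_.Service -notmatch '\$$' -and
    $_.Service -ne 'krbtgt'
}

$suspect | Group-Object Requester |
    Where-Object { @($_.Group.Service | Select-Object -Unique).Count -ge $BurstLimit } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Requester = $_.Name
            Services  = (@($_.Group.Service  | Select-Object -Unique) -join ', ')
            SourceIPs = (@($_.Group.ClientIP | Select-Object -Unique) -join ', ')
            First     = $sorted[0].Time
            Last      = $sorted[-1].Time
        }
    } | Format-List
```

Two caveats when tuning it: a service account that has never been configured for AES will legitimately produce RC4 tickets, so a single RC4 request is noise and the burst across many distinct services is the signal; and once the accounts from the audit above have been moved to AES-only, any remaining 0x17 ticket for them becomes a high-confidence alert on its own.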
⚒️Tools
<aside>
💡 Import Microsoft Active Directory Management DLL
🔥 Attack Steps
- Identify Service Principal Names associated with user objects.