The goal of Kerberoasting is to obtain a Kerberos service ticket (TGS / ST) for a service account and crack it offline to recover that account's password, and with it the long-term service key that encrypts every service ticket issued for that service. With the service key, the attacker can forge a silver ticket.
Goal
Obtain and crack a TGS/ST to recover the service account's secret key / password. Only accounts with an SPN set are targets, and only the part of the ticket encrypted under the service key is attacked, so the KDC never sees a failed attempt.
krbtgt's password can sometimes also be cracked
If the domain has lived long enough to have been upgraded in place from Windows Server 2000 to Windows Server 2003, the krbtgt account may still be using a crackable password. WS2000 did not enforce strong password requirements, whereas WS2003 (and later) generates a very strong password for krbtgt automatically. The WS2000 to WS2003 upgrade, however, does not force the krbtgt key to be regenerated, so the weak key survives until an administrator resets it (twice, to clear the password history).
Obtain TGS
We start by using KerberosRequestorSecurityToken (System.IdentityModel) to request a service ticket for the target SPN from PowerShell; the ticket is cached in the current logon session.
- Optional: use klist to list all currently cached Kerberos tickets for the current user and confirm that the ST for the SPN is there.
- Alternatively, GetUserSPNs.py (one of the impacket example scripts, see /usr/share/impacket) can enumerate SPNs and request the TGSs remotely with valid domain credentials, with no code running on a domain-joined host.
After requesting a ticket, use mimikatz to export the cached ticket from memory to a .kirbi file, which is the input the kerberoast scripts crack offline.
Automate with Invoke-Kerberoast.ps1
The above steps can be done in one go with Invoke-Kerberoast.ps1 (from PowerView / Empire): it enumerates all user accounts with an SPN, requests an ST for each, and outputs the tickets in a crackable hashcat/john format, so no separate mimikatz export is needed.
Brute-force TGS for encryption key
Use the kerberoast package to brute-force the exported ticket for the service account's password. The candidate password is turned into an NT hash (MD4 over the UTF-16LE password), which is the RC4-HMAC key; a candidate is correct when the ticket's enc-part decrypts and its HMAC-MD5 checksum verifies.
NTLM/MD4 is disabled
On newer Python builds MD4 is unavailable in hashlib by default (it is an OpenSSL 3 change: MD4 now lives in the legacy provider, so hashlib.new("md4") raises ValueError), which breaks the NT hash computation. Workaround: install the pycryptodome package through pip, then patch ntlmhash() in kerberos.py to compute MD4 with Crypto.Hash.MD4 instead of hashlib.
Alternatives
Hashcat and john can also be used, e.g. hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt -O (mode 13100 is Kerberos 5 TGS-REP, etype 23 / RC4-HMAC). Both expect the ticket in the $krb5tgs$ line format that GetUserSPNs.py and Invoke-Kerberoast output directly.
This doesn't always work!
Kerberoasting is infeasible if the target account is a (group) managed service account: its password is 120 random characters and is rotated automatically (every 30 days by default), so no wordlist will hit it. Accounts restricted to AES (etypes 17/18) are still roastable but crack far more slowly than RC4-HMAC tickets.
What’s Next?
Lateral Movement
This attack enables lateral movement if the service account is a domain admin or a local administrator on any domain-joined machine: the cracked password is a plain domain credential and can be used to log on anywhere it has rights.
Modifying the Service Ticket
With the cracked service password (and hence the service key), the attacker can forge a service ticket for that service, a silver ticket, with an arbitrary PAC, obtaining any privilege the service honours without ever contacting the KDC.