Kerberoasting Overview

Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments

This attack targets Service Principal Names (SPN) accounts. SPNs are unique identifiers that Kerberos uses to map a service instance to a service account in whose context the service is running. Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\\LOCAL SERVICE. Any domain user can request a Kerberos ticket for any service account in the same domain. This is also possible across forest trusts if authentication is permitted across the trust boundary. All you need to perform a Kerberoasting attack is an account's cleartext password (or NTLM hash), a shell in the context of a domain user account, or SYSTEM level access on a domain-joined host.

Domain accounts running services are often local administrators, if not highly privileged domain accounts. Due to the distributed nature of systems, interacting services, and associated data transfers, service accounts may be granted administrator privileges on multiple servers across the enterprise. Many services require elevated privileges on various systems, so service accounts are often added to privileged groups, such as Domain Admins, either directly or via nested membership. Finding SPNs associated with highly privileged accounts in a Windows environment is very common. Retrieving a Kerberos ticket for an account with an SPN does not by itself allow you to execute commands in the context of this account. However, the ticket (TGS-REP) is encrypted with the service account’s NTLM hash, so the cleartext password can potentially be obtained by subjecting it to an offline brute-force attack with a tool such as Hashcat.

For an interesting look at the origin of this technique, check out the talk Tim Medin gave at Derbycon 2014, showcasing Kerberoasting to the world.

Kerberoasting - Performing the Attack

Depending on your position in a network, this attack can be performed in multiple ways:

• From a non-domain joined Linux host using valid domain user credentials.
• From a domain-joined Linux host as root after retrieving the keytab file.
• From a domain-joined Windows host authenticated as a domain user.
• From a domain-joined Windows host with a shell in the context of a domain account.
• As SYSTEM on a domain-joined Windows host.
• From a non-domain joined Windows host using runas /netonly.

Several tools can be utilized to perform the attack:

• Impacket’s GetUserSPNs.py from a non-domain joined Linux host.
• A combination of the built-in setspn.exe Windows binary, PowerShell, and Mimikatz.
• From Windows, utilizing tools such as PowerView, Rubeus, and other PowerShell scripts.

Kerberoasting lets you get a ticket to crack offline, but cracking it is slow and hard unless the password is weak.

Efficacy of the Attack