Security Notes
  • Whoami
  • Pentesting
    • WEP-Pen
      • Reconnaissance
      • Enumeration
      • OWSAP TOP 10
        • Injection
          • Cross Site Scripting
            • Cross Site Scripting
            • Exploitation
            • Protections
          • SQL Injection
            • SQL Injection Overview
          • NoSQL Injection
          • CRLF Injection
          • XML Injection
        • Broken Access Control
          • Path Traversal
          • Sensitive Cookie with Improper SameSite Attribute
          • Link Following
          • Incorrect Default Permissions
          • Information disclosure
          • CSRF
            • csrf checklist
          • 403 bypass
          • Exposure of WSDL File Containing Sensitive Information
          • bussiness logic checklist
          • 2FA bypass checklist
          • admin panal checklist
          • idor checklist
          • Authentication checklist
          • reset_password_checklist
          • ATO
        • Cryptographic Failures
          • Cryptographic Failure
          • Weak Encoding for Password
          • Improper Following of a Certificate's Chain of Trust
            • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
            • Transport Layer Security (TLS) and SSL **
          • Clear Text Transmission Of Sensitive Data
            • SSLStripping **
        • Insecure Design
        • Security Misconfiguration
          • CORS Miscofigration
          • Mail Server Misconfiguration
        • Vulnerable and Outdated Components
          • Using Components with Known Vulnerabilities
        • Identification and Authentication Failures
          • JWT Hacking
          • SAML Authentication bypass
        • Software and Data Integrity Failures
          • mass assignment
          • PostMessage Vulnerabilities
            • PostMessage Vulnerabilities
            • Blocking main page to steal postmessage
            • Bypassing SOP with Iframes - part 1
            • Bypassing SOP with Iframes - part 2
            • Steal postmessage modifying iframe location
        • Security Logging and Monitoring Failures
        • Server-Side Request Forgery (SSRF)
          • SSRF
      • Checklists
        • aem misconfiguration
        • exif_geo
        • xss
        • Session Management
        • Authorization
        • cookie
        • Django
        • Symfony
        • json
        • bypass rate limit
        • Rce
        • Register Page
      • eWPTXv2 Preparation
        • Encoding & Filtering
        • Evasion Basics
        • Cross-site scripting (XSS)
        • XSS Filter Evasion
        • Cross-site request forgery (CSRF
        • HTML5
      • API-Pen
        • API Discovry
        • Reverse Engineering API Documentation
        • Excessive Data Exposure
        • Vulnerability Scanning
        • API Authentication Attacks
          • Classic Authentication Attacks
          • API Token Attacks
        • API Authorization Attacks
          • Broken Object Level Authorization (BOLA)
          • Broken Function Level Authorization
        • Improper Assets Management
        • Mass Assignment
        • SSRF
        • Injection Attacks in API
        • Evasive Maneuvers
        • GraphQL Vulnerabilities
    • NET-Pen
      • Active Directory Pentesting
        • Active Directory Components
        • Initial Attack Vectors
          • LLMNR Poisoning
          • SMB Relay Attacks
          • IPv6 Attacks ( IPv6 DNS Takeover )
          • Printer Hacking
          • Methodology
          • Some Other Attacks
            • Zerologon (CVE-2020-1472)
            • PrintNightmare (CVE-2021-1675)
        • Post-Compromise Attacks
          • Pass Attacks
          • Kerberoasting Attack
          • Token Impersonation Attack
          • LNK File Attack
          • GPP / cPassword Attacks
          • Mimikatz
          • Methodology
        • We've Compromised the Domain
          • Dumping the NTDS.dit
          • Golden Ticket Attacks
          • Methodology
        • Case Study
        • Password Attacks
      • Attack Vectors by Port
        • FTP 21
        • SSH 22
        • Telnet 23 - 2323
        • SMTP 25
        • DNS 53
        • Kerberos 88
        • POP 110-995
        • RPC 111
        • Ident 113
        • NNTP 119
        • NetBIOS 137-138
        • SMB / Samba 135-139, 445
        • MSRPC 135
        • SNMP 161
        • LDAP 389,636
        • Modbus 502
        • OpenSSL 1337
        • Ms-SQL 1433
        • Oracle Listener 1521 1522 1529
        • NFS 2049
        • MySql 3306
        • RDP 3389
        • ADB Android Debug Bridge 5555
        • WinRM 5985 5986
        • VNC 5800 5900
        • Redis 6379
        • Unreal IRC 6667
        • Tomcat 8080
        • MongoDB 27017
        • http 80
      • Network basics
      • Information Gathering
      • Privilege Escalation
        • Windows Privilege Escalation
        • Linux Privilege Escalation
    • write-ups
      • How i found a Privilege Escalation via Impersonation Features feature
      • How I was able to discover ATO Via IDOR vulnerability
      • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  • How to do it?
  • Mitigations:
  • Shout outs:
  1. Pentesting
  2. NET-Pen
  3. Active Directory Pentesting
  4. Post-Compromise Attacks

Kerberoasting Attack

How Kerberoasting Works

  • In Active Directory (AD), service accounts are used to run specific services or applications, such as web servers or database systems.

  • These services are associated with a Service Principal Name (SPN), which uniquely identifies them.

  • Any authenticated AD user can request a Ticket Granting Service (TGS) ticket for any SPN in the domain.

  • The TGS is encrypted using the service account's NTLM hash (derived from its password).

  • Now the attacker requests a TGS for a service with a known SPN.

  • The TGS is then extracted from memory using tools like Rubeus or Impacket.

  • The attacker uses tools like Hashcat or John the Ripper to brute force or dictionary attack the TGS offline.

  • If successful, this reveals the service account's plaintext password.

How to do it?

1. Identify Service Principal Names (SPNs)

With valid admin or standard user credentials, you can use GetUserSPNs.py (from Impacket) to enumerate SPNs and request TGS tickets for those services.

GetUserSPNs.py -request -dc-ip <DC_IP> <domain\user>
  • -request: Requests TGS tickets for the identified SPNs.

  • <DC_IP>: IP address of the Domain Controller.

  • <domain\user>: The username and domain to authenticate with.

  • When you request TGS tickets, the tool will dump the tickets in a format that can be used for offline cracking.

  • The extracted TGS hashes are encrypted with the NTLM hash of the associated service account's password.

3. Crack the TGS Hash

  • Use Hashcat to brute-force the NTLM hash of the service account password offline.

  • The hash type for TGS tickets is 13100 in Hashcat.

hashcat -m 13100 <hash_file> <rockyou_wordlist>

Important note: If any of the above test gives a negative result, keep an eye on your Wireshark traffic. Mostly setting up static DHCP or DNS or Gateway IP address solves such issues. This is a very small thing to underestimate which will affect the pentest in a peculiar way.\

Mitigations:

  • If possible use group managed service accounts which have random, complex passwords (>100 characters) and are managed automatically by Active Directory

  • Ensure all service accounts (user accounts with Service Principal Names) have long, complex passwords greater than 25 characters, preferably 30 or more. This makes cracking these password far more difficult.

  • Service Accounts with elevated AD permissions should be the focus on ensuring they have long, complex passwords.

  • Ensure all Service Account passwords are changed regularly

Shout outs:

  • Cracking Kerberos TGS Tickets Using Kerberoast — Exploiting Kerberos to Compromise the Active Directory Domain

  • Attack Methods for Gaining Domain Admin Rights in Active Directory

  • Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting

  • Targeted Kerberoasting (Harmj0y)

  • Tim Medin’s DerbyCon “Attacking Microsoft Kerberos Kicking the Guard Dog of Hades” presentation in 2014 (slides & video).

PreviousPass AttacksNextToken Impersonation Attack

Last updated 6 months ago

TGS ticket dump from Attacker’s PC