search
Ctrlk
NetExec GithubNetexec Lab
githubEdit

Kerberoasting

Retrieve the Kerberos 5 TGS-REP etype 23 hash using Kerberoasting

hashtag
Kerberoasting

You can retrieve the Kerberos 5 TGS-REP etype 23 hash using Kerberoasting technique

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets is encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline. More detail in Kerberos theoryarrow-up-right.

circle-exclamation

To perfom this attack, you need an account on the domain, or an AS-REP roastable account

nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt

hashtag
Targeted Kerberoasting (--targeted-kerberoast)

As with typical user accounts, you cannot request service tickets (STs) for accounts that have no servicePrincipalName. Targeted Kerberoasting temporarily sets an SPN on the victim (cifs/<sAMAccountName>), requests a service ticket, writes it to your --kerberoasting file, and then removes the added SPN via LDAP.

circle-exclamation

You need LDAP write privileges on the servicePrincipalName of each targeted user (for example GenericAll on the user, WriteProperty on servicePrincipalName, etc).

nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt --targeted-kerberoast victim1 victim2
nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt --targeted-kerberoast users.list

  • --kerberoasting: file where ST hashes are appended (mandatory with this mode).

  • --targeted-kerberoast: one or more sAMAccountName values and/or paths to files listing them.

hashtag
Kerberoasting via AS-REP Roasting

You can also perform Kerberoasting by leveraging an AS-REP roastable account that does not require pre-authentication. This is possible by combining --no-preauth-targets and --kerberoasting.

nxc ldap 192.168.0.104 -u harry -p '' --no-preauth-targets kerberoastable.list --kerberoasting output.txt

  • -u: AS-REP roastable user (no pre-auth required).

  • --no-preauth-targets: Single user or file containing list of users to target with Kerberoasting.

hashtag
Cracking with hashcat

hashtag
Example

Active machine is a good example to test Kerberoasting with NetExec

LogoJoin The Best Hacking Community Worldwide | Hack The BoxHack The Boxchevron-right

hashtag
Useful ressources:

LogoKerberos (II): How to attack Kerberos?Tarlogic Securitychevron-right
LogoKerberoasting | Red Team Notesired.teamchevron-right
LogoKerberoastinghackndochevron-right
LogoNew Attack Paths? AS Requested Service Tickets - SemperisSemperischevron-right
PreviousFind Domain SIDNextFind Misconfigured Delegation

Last updated

Was this helpful?