
Kerberoasting

Request service tickets.
Crack offline.
Domain credentials are yours.
Target service accounts with weak passwords.

Level: Advanced | Phase 2: Active Directory | Interactive Dual Perspective

What is Kerberoasting?

Kerberoasting is an attack on service accounts in Active Directory that abuses normal Kerberos behaviour rather than a protocol flaw. Any authenticated domain user can ask the Ticket Granting Service (TGS) for a service ticket for any registered Service Principal Name (SPN). Part of that ticket is encrypted with a key derived from the service account's password (the NT hash for RC4, a PBKDF2-derived key for AES), so the attacker can take the ticket offline and test candidate passwords against it until one decrypts it correctly, recovering the account's plaintext password.

Attack Flow:

1. Enumerate SPNs: find user accounts with a servicePrincipalName set in Active Directory (LDAP filter (&(objectCategory=user)(servicePrincipalName=*))). Computer accounts also carry SPNs, but their passwords are long and random, so user-owned SPNs are the targets.

2. Request TGS tickets: ask a domain controller for a service ticket for each SPN. The ticket's enc-part is encrypted with the service account's key, and the KDC issues it to any authenticated user without checking whether that user is allowed to use the service.

3. Extract tickets: tools such as Rubeus and GetUserSPNs.py write the encrypted part straight into a crack-ready hash line. The tickets belong to the requester's own logon session, so no admin rights are needed.

4. Offline cracking: feed the hash lines to Hashcat or John the Ripper and run wordlists and rules until a candidate password yields a ticket whose checksum verifies; that candidate is the service account's password.

Why Kerberoasting Works

  • No Admin Required: any authenticated domain user can request a service ticket for any SPN
  • Weak Passwords: service accounts often have human-chosen, non-expiring passwords set years ago
  • Offline Attack: cracking runs against the captured ticket, so the targeted account sees no failed logons and no lockout
  • Elevated Privileges: service accounts are often over-privileged (local admin on many hosts, sometimes Domain Admin), so one cracked password can compromise the domain

Kerberoasting Tools

Enumeration & Extraction:

  • Rubeus: requests tickets and writes them in hashcat or John format (Windows, C#)
  • Impacket GetUserSPNs.py: Python SPN enumeration and ticket requests over the network, typically from Linux
  • PowerView: PowerShell AD enumeration (Get-DomainUser -SPN, Invoke-Kerberoast)

Password Cracking:

  • Hashcat: GPU-accelerated cracking; mode 13100 for RC4 tickets (etype 23), 19600 for AES128 (etype 17), 19700 for AES256 (etype 18)
  • John the Ripper: CPU-based cracking with the krb5tgs format
  • Wordlists: rockyou.txt, weakpass, custom dictionaries built from the organisation's naming conventions, plus rule sets

Defense Strategies

Strong Passwords: 25+ character random passwords for any service account that cannot be converted to a gMSA; a random password of that length is out of reach of dictionary and rule-based cracking.
gMSA: use Group Managed Service Accounts. AD generates a long random password and rotates it automatically (every 30 days by default), so there is nothing guessable to crack.
Least Privilege: don't give service accounts Domain Admin rights; grant only what the service needs, and treat any SPN-bearing account in a privileged group as a finding.
Monitor: watch Event ID 4769 (a Kerberos service ticket was requested) on domain controllers. One account requesting tickets for many distinct SPNs in a short window, RC4 requests (TicketEncryptionType 0x17) in an AES-only environment, and any request for a honeypot account that has an SPN but no real service are the signals to alert on.
AES Encryption: set msDS-SupportedEncryptionTypes on service accounts to AES only. An RC4 ticket is keyed by the NT hash (one MD4 per guess), whereas an AES key comes from PBKDF2 with 4096 iterations, so each guess is orders of magnitude slower. The setting must actually remove RC4 from the account's supported types; as long as RC4 is allowed, an attacker can request an RC4 ticket explicitly.
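The 4769 monitoring rule from the list above, as added example code (not from the page or from any product). It runs over a constructed batch of 4769 events carrying the fields a SIEM would extract (requesting account, service name, ticket encryption type, client IP) and flags any requester that asks for tickets to several distinct user service accounts inside a five-minute window, or that asks for RC4 tickets at all. The threshold, the window and the "any RC4 is suspicious" rule are assumptions to tune per environment.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not part of the original page. The events are constructed
to look like a Kerberoast sweep: jdoe requests RC4 (0x17) service tickets
for many distinct SPN accounts within seconds, while other users request
one or two AES tickets.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 events. Field order mirrors the event XML:
# TimeCreated, TargetUserName (requester), ServiceName (account owning the SPN),
# TicketEncryptionType (0x17 = RC4-HMAC, 0x12 = AES256), IpAddress.
SAMPLE_4769 = [
    ("2025-01-15T09:00:01", "alice@CORP.LOCAL", "FS01$",        "0x12", "10.0.0.21"),
    ("2025-01-15T09:00:07", "bob@CORP.LOCAL",   "svc_iis_web",  "0x12", "10.0.0.22"),
    ("2025-01-15T09:01:00", "jdoe@CORP.LOCAL",  "svc_sql_prod", "0x17", "10.0.0.45"),
    ("2025-01-15T09:01:01", "jdoe@CORP.LOCAL",  "svc_iis_web",  "0x17", "10.0.0.45"),
    ("2025-01-15T09:01:01", "jdoe@CORP.LOCAL",  "svc_backup",   "0x17", "10.0.0.45"),
    ("2025-01-15T09:01:02", "jdoe@CORP.LOCAL",  "svc_sccm",     "0x17", "10.0.0.45"),
    ("2025-01-15T09:01:02", "jdoe@CORP.LOCAL",  "svc_exchange", "0x17", "10.0.0.45"),
    ("2025-01-15T09:01:03", "jdoe@CORP.LOCAL",  "DB01$",        "0x17", "10.0.0.45"),
    ("2025-01-15T09:30:00", "alice@CORP.LOCAL", "svc_backup",   "0x12", "10.0.0.21"),
]

RC4_ETYPES = {"0x17", "0x18"}      # RC4-HMAC and RC4-HMAC-EXP as logged in 4769
WINDOW = timedelta(minutes=5)      # assumed sliding window
SPN_THRESHOLD = 4                  # assumed: distinct user service accounts per requester


def is_user_service_account(name):
    """Only user-owned SPN accounts are roastable targets: computer accounts
    (trailing '$') have random passwords and krbtgt is out of scope here."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(events, window=WINDOW, threshold=SPN_THRESHOLD, flag_rc4=True):
    """Return [(requester, rc4_count, peak_distinct_services)] for each requester
    that hit >= threshold distinct user service accounts within `window`, or
    (when flag_rc4) requested any RC4 ticket for a user service account."""
    by_requester = defaultdict(list)
    for ts, requester, service, etype, _ip in events:
        if is_user_service_account(service):
            by_requester[requester].append((datetime.fromisoformat(ts), service, etype))

    findings = []
    for requester, reqs in by_requester.items():
        reqs.sort()
        rc4 = sum(1 for _, _, e in reqs if e.lower() in RC4_ETYPES)
        peak = 0
        # Sliding window anchored at each request: distinct services asked for
        # from that request until `window` later.
        for i, (t0, _, _) in enumerate(reqs):
            seen = {svc for t, svc, _ in reqs[i:] if t - t0 <= window}
            peak = max(peak, len(seen))
        if peak >= threshold or (flag_rc4 and rc4 > 0):
            findings.append((requester, rc4, peak))
    return findings


if __name__ == "__main__":
    for requester, rc4, peak in detect_kerberoast(SAMPLE_4769):
        print(f"ALERT {requester}: {peak} distinct SPN accounts in window, {rc4} RC4 tickets")
```

Computer-account SPNs are excluded because an attacker gains nothing from roasting a random 120-character machine password, and including them would make ordinary file-share traffic trip the threshold.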

Example Commands

Rubeus (request tickets for all user SPNs and write the hashes to a file):
  Rubeus.exe kerberoast /outfile:hashes.txt

Impacket GetUserSPNs (from Linux, authenticated as any low-privilege domain user):
  GetUserSPNs.py domain.com/user:pass -dc-ip 10.0.0.1 -request -outputfile hashes.txt

Hashcat (RC4 tickets; use -m 19700 for AES256 or -m 19600 for AES128 lines):
  hashcat -m 13100 hashes.txt rockyou.txt

Operation Silver Bell (interactive lab)

Target: MSSQL_SVC // Objective: Kerberoast

Simulated domain: CORP.LOCAL (domain controller at 10.0.0.5). SPN accounts offered as targets:

  • svc_sql_prod, MSSQLSvc/db01.corp.local:1433 (low value)
  • svc_iis_web, HTTP/web01.corp.local (high value)
  • svc_backup, CIFS/fs01.corp.local (medium value)

Cracking rig in the lab: Hashcat v6.2.6 on an NVIDIA RTX 4090.
Copyright © 2025 JMFG. All rights reserved.