
Kerberoasting attack (linux)

REQUIREMENTS - Either a domain user's credentials (cleartext password or NTLM hash) if using impacket, or a shell running in the context of a domain user or of a built-in account such as SYSTEM on a domain-joined host, plus the IP of a DC. If we have this level of access, we can start.

Attacking with GetUserSPNs.py (get TGS ticket)

Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments. This attack targets Service Principal Names (SPN) accounts. SPNs are unique identifiers that Kerberos uses to map a service instance to a service account in whose context the service is running. Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY\LOCAL SERVICE. Any domain user can request a Kerberos ticket for any service account in the same domain. This is also possible across forest trusts if authentication is permitted across the trust boundary. All you need to perform a Kerberoasting attack is an account's cleartext password (or NTLM hash), a shell in the context of a domain user account, or SYSTEM level access on a domain-joined host.

If you have the svc_tgs credentials, you can perform a Kerberoasting attack and obtain admin hashes.

Python-Impacket (initial access)

impacket-GetUserSPNs -dc-ip <domain_ip> <domain>/username -request -outputfile tickets
  • -request - Request TGS tickets for all SPN accounts found
  • -request-user <user> - Request a ticket for one specific user only
  • After getting the tickets, we can crack them offline
  • Other tools
    • setspn.exe (Windows binary), PowerShell, Mimikatz
    • PowerView, Rubeus
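A detection-side counterpart to the request step above, added here as an example and not part of the original notes: it runs over constructed, pre-parsed Windows Security event 4769 (service ticket requested) records and flags any account that pulls RC4-HMAC (0x17) service tickets for several distinct SPN accounts within a short window, which is the pattern a bulk -request produces. The record field names follow the 4769 event, but the parsing into dicts, the thresholds and all sample values are assumptions.

```python
"""Flag Kerberoasting-style bursts of RC4 service ticket requests in 4769 events.

Added example; assumes 4769 events were already parsed into dicts with the
fields TimeCreated (ISO 8601), TargetUserName (requesting account),
ServiceName (SPN account), TicketEncryptionType and Status (hex strings).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption type as logged in 4769. GetUserSPNs.py-style tooling asks for
# RC4 tickets because they are the cheapest to crack offline.
RC4_HMAC = "0x17"


def _event(time, user, service, etype="0x17", status="0x0"):
    """Build one pre-parsed 4769 record (constructed sample data)."""
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


# Constructed sample: jdoe pulls RC4 tickets for four SPN accounts within
# seconds (the Kerberoasting pattern) alongside ordinary traffic.
SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00", "jdoe", "svc_sql"),
    _event("2024-05-01T09:00:01", "jdoe", "svc_web"),
    _event("2024-05-01T09:00:01", "jdoe", "svc_backup"),
    _event("2024-05-01T09:00:02", "jdoe", "svc_tgs"),
    _event("2024-05-01T09:00:05", "alice", "WS01$", etype="0x12"),  # computer account, AES
    _event("2024-05-01T09:00:06", "alice", "krbtgt"),               # TGT renewal, not roastable
    _event("2024-05-01T09:00:07", "alice", "svc_print"),            # single legacy RC4 request
    _event("2024-05-01T09:01:00", "bob", "svc_sql", status="0xd"),  # failed request
]


def is_roastable_request(ev):
    """True for a successful RC4 ticket request against a user (not computer) SPN account."""
    svc = ev["ServiceName"].lower()
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$")      # computer accounts have random 120-char passwords
            and svc != "krbtgt")           # krbtgt tickets are normal TGT traffic


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {requesting_account: [distinct SPN accounts]} for accounts whose
    roastable requests cover at least min_services distinct services inside window."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"].lower()))

    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()  # chronological order so each start index opens a forward window
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts[user] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

The RC4 filter is what keeps the false-positive rate low in an AES-enabled domain; if legacy services still legitimately use RC4, raise min_services or widen the window rather than dropping the encryption check. The exposure the notes describe (any domain user can request these tickets) is not something the DC can refuse, so the lasting fix is on the account side: long random passwords or group Managed Service Accounts for anything that carries an SPN.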
