As a hacker, kerberoasting is one of your most powerful Active Directory attacks. It allows you to compromise service accounts and use them to perform lateral movement across the entire Active Directory environment. This can lead to a full domain takeover!
In this article, you will explore how to perform kerberoasting attacks and see why they are such powerful attacks. First, you will gain a firm understanding of how Kerberos authentication works in modern Active Directory environments and the inherent vulnerability that allows attackers to compromise account passwords. Then you will see how to perform kerberoasting using real-world hacking tools.
Put on your black hoodie, and let's get started roasting Kerberos!
Understanding Kerberos Authentication
Modern Windows Active Directory environments have adopted the Kerberos authentication protocol to provide secure access between client systems and network resources. Kerberos authentication relies on passing tickets between client systems, a Key Distribution Center (KDC), and network resources.
The KDC is usually the Active Directory environment’s Domain Controller (DC), and the network resources are servers that the client’s workstation needs to access for their job role.
How Kerberos Authentication Works
Kerberos authentication involves six main steps demonstrated in the diagram below:
- The user sends a request to the KDC asking for initial access to the Active Directory environment. As part of this request, the user asks for a Ticket Granting Ticket (TGT) that allows them access to network resources within the Active Directory environment.
- The KDC verifies the user’s identity and replies with an encrypted TGT and a session key. The TGT is encrypted using the KDC’s secret key.
- When the user wants to access a network resource, they send a request to the KDC asking for a service ticket, known as a Ticket Granting Service ticket (TGS), for the service (network resource) they want to access. In this request are the user’s TGT, their session key, and the Service Principal Name (SPN) of the service they want to access.
- The KDC verifies the user’s request by checking the authenticity of the TGT and if the user is authorized to access the requested service. If all checks are passed, the KDC replies with a TGS and the encrypted session key to the user.
- When a user wants to access a Kerberos-enabled service, they send the TGS to said service.
- The service will verify the TGS and allow the user to interact with the network resource.
Ticket Granting Ticket (TGT) verifies the user’s identity - who they are.
Ticket Granting Service ticket (TGS) verifies the user’s permissions - can they access this specific resource.
The Advantages of Kerberos Authentication
Kerberos is the successor of the legacy NTLM authentication that Microsoft previously used to secure Active Directory. Kerberos offers several key advantages as an authentication protocol for Active Directory environments:
- Single Sign-On (SSO) - Users can authenticate once to the KDC and obtain multiple service tickets to access the various resources they want to access.
- Strong Security - Kerberos uses strong encryption techniques that make it resistant to replay attacks and password theft (so long as a strong password is used).
- Mutual Authentication - Both the client and network resource verify each other’s identity during the authentication process to ensure both parties are legitimate and prevent MitM attacks.
- Scalability - Kerberos supports large-scale Active Directory environments with thousands of users and services. Its ticket-based authentication approach helps minimize network traffic and improve performance.
- Centralized Authentication - A central KDC means authentication can be performed at a single point for the entire Active Directory environment. This simplifies the administration and management overhead.
- Ticket Expiration and Renewal - Kerberos uses an expiration and renewal mechanism which limits the lifespan of tickets. This means that attackers cannot use compromised tickets indefinitely and have to re-authenticate regularly, reducing the impact of compromised tickets.
- Interoperability - Kerberos authentication can be used across various systems and platforms. This prevents compatibility issues in environments that use a variety of technologies.
Modern active directory environments still use NTLM authentication, but Kerberos is the preferred authentication protocol.
Understanding Kerberoasting
Despite the secure nature of Kerberos, there is an inherent vulnerability that exists in the authentication protocol that allows an attacker to extract the password hash of service accounts. Once an attacker has this hash, they can perform lateral movement and impersonate the compromised service account. They can do this by either:
- Cracking the hash and revealing the plaintext password of the service account.
- Using the hash to authenticate directly as the service account.
Kerberoasting is when the attacker steals the password hash of a service account and cracks this hash offline to reveal the plaintext password. It is a very dangerous attack because any authenticated user can perform kerberoasting and, if the service account uses a weak password, the attack will likely be successful.
A Kerberoasting attack follows these steps:
- The attacker impersonates a legitimate Active Directory user and authenticates to the KDC in the Active Directory environment. They then request a TGT from the KDC to access network resources. The KDC complies because the attacker is impersonating a legitimate user. This is the same as Steps 1 and 2 in the Kerberos authentication diagram above.
- The attacker identifies active service accounts in the Active Directory environment and collects a list of their associated SPNs. This is done through internal network reconnaissance.
- The attacker requests a service ticket (TGS) for a specific SPN associated with a service account from the KDC. The KDC will respond with an encrypted TGS that contains the service account’s password (used to decrypt the ticket). This is the same as Steps 3 and 4 in the Kerberos authentication diagram above.
- The attacker takes this ticket and cracks it offline (on their local machine) using a password cracking tool.
- Once the attacker cracks the password, they can use it to impersonate the service account and access any network resources it has permission to access.
To perform a Kerberoast attack, the following requirements need to be met:
- You must have access to an authenticated user in the Windows Active Directory environment you are attacking.
- You must know the targeted service account’s SPN.
- You need a tool that can extract Kerberos tickets from the machine you have access to.
- You need a password cracking tool.
- You must be able to crack the service account’s password hash to reveal their plaintext password. This can be difficult if the account uses a complicated password.
Trying to kerberoast all service accounts is bad operational security. The blue team will often create fake service accounts that are never used (honey pot accounts). When a TGS is requested, the Windows event 4769 - A Kerberos service ticket was requested
is generated. If this relates to a honey pot account, the defenders will know an attacker is trying to perform Kerberoasting. A better approach is to perform a targeted Kerberoast attack against specific accounts.
Now that you understand Kerberoasting and how it works let’s look at how to perform this attack in an Active Directory environment. If you want to practice these yourself, read How to Create a Virtual Hacking Lab: The Ultimate Hacker Setup. This article demonstrates how to create your own hacking lab.
Performing Kerberoasting
To perform Kerberoasting, you must first perform internal network reconnaissance to discover the service accounts you want to attack in the Active Directory environment.
The following executables, scripts, and commands require you to turn off Microsoft Windows Defender on the machine you are attacking. Evading Windows Defender is outside the scope of this article.
Discovering Service Accounts with PowerView
To discover service accounts, you can use the tool PowerView. This PowerShell tool is used to gain situational awareness in Windows Active Directory environments. You can run PowerView through the Metasploit Command and Control (C2) framework and its Meterpreter shell. This C2 framework comes pre-installed on Kali Linux, you can download the PowerView script from GitHub.
Once you have a Meterpreter session on a compromised target machine, you can run the command load powershell
to load Meterpreter’s PowerShell module. Now you can execute PowerShell commands on the compromised target machine.
To use PowerView commands and discover service accounts, you first need to import the PowerView PowerShell module with the command powershell_import </path/to/powerview-script.ps1>
You can now discover service accounts to target with the command Get-DomainUser -SPN
This command returns all Active Directory accounts with an SPN property. Scrolling through the results, you can see a service account related to the Microsoft SQL service. This is a good account to perform your Kerberoasting attack against.
Discovering Service Accounts with BloodHound
Another tool you can use to discover service accounts is BloodHound. This tool uses graph theory to reveal the misconfigurations within an Active Directory environment that an attacker can exploit.
To discover service accounts with BloodHound, you need to perform the following steps:
Step 1 - Collect Data
Collect a dataset of the Windows Active Directory environment you are attacking using the SharpHound data collector. ShapHound can be downloaded from GitHub. Use the command SharpHound.exe -c DcOnly
to save domain data in a .zip
file.
To drop into a command shell in Meterpreter and execute SharpHound, run the command shell
from in Meterpreter session.
Step 2 - Download and Import data to Bloodhound
Import the dataset you have collected into Bloodhound. First, download the data file using the Meterpreter command download <filename>.zip
.
Then in the Bloodhound GUI on your local machine, click the Upload Data button in the menu and select your ZIP file.
Step 3 - Search for Service Accounts
Perform data analysis on the dataset, looking for service accounts. This can be done by executing the search query MATCH (u:User {hasspn:true}) RETURN u
in the Raw Query section.
Once you have discovered the service accounts you want to attack, you can move on to performing Kerberoasting.
You can learn more about Metasploit, Bloodhound, and several other popular hacking tools in 25 Top Penetration Testing Tools for Kali Linux.
Performing Kerberoasting With GetUserSPNs.py
The GetUserSPN.py Python script is a tool that is part of the Impacket framework. It can be used to find SPNs related to service accounts, as well as to request service tickets (TGS) for these accounts and extract the password hash.
To use GetUserSPN.py to perform Kerberoasting, you need the following:
- To be on the same network as the domain controller you are requesting a TGS from. If you are not, you can use the Meterpreter session you previously created on the compromised Windows machine as a pivot point.
- The name of the Active Directory domain you are attacking and the username you want to authenticate as.
- Either the plaintext password or NTLM password hash of the user you want to authenticate as.
Once you meet these requirements, you can run the following command in Kali Linux to discover Kerberoast-able service accounts and retrieve the crackable TGS hash for those accounts:
impacket-GetUserSPNs '<domain>/<username>:<password>' -dc-ip <ip-of-domain-controller> -request
For example, to authenticate as the StationX-admin user
and return a list of vulnerable service accounts, you would run the command:
impacket-GetUserSPNs 'milkyway.local/StationX-admin:Password123!' -dc-ip 10.0.200.2 -request
Here you can see the Kerberoast-able mssql_svc
account is returned, along with the password hash, ready for you to crack!
Here the Impacket version of GetUserSPNs.py is used. This version comes default with Kali Linux.
Performing Kerberoasting With PowerView
PowerView is a set of PowerShell tools for exploiting Windows Active Directory environments. It can be used to discover service accounts, as previously shown, and to perform Kerberoasting.
To perform Kerberoasting with PowerView, you need the following:
- Authenticated access to the Active Directory domain you are attacking.
- The name of the service account you want to attack.
Once these requirements are met, you can load PowerView into your Meterpreter session the same way you as before:
Once again, run the command Get-DomaintUser -SPN
to return all users with an SPN property. These are you Kerberoast-able service accounts you want to target.
Now we can use the command Get-DomainSPNTicket
to request a TGS for the Kerberoast-able service account. Here you can request a ticket for the mssql_svc
account with the command
Get-DomainUser -SPN mssql_svc | Get-DomainSPNTicket
This command pipes the output of the Get-DomaintUser -SPN mssql_svc
command into the Get-DomainSPNTicket
command and returns a crackable TGS ticket. All you need to do now is copy this hash into your favorite password cracking tool!
If you want the hash in a specific format for cracking, you can use the -OutputFormat
option. For instance, if you are going to use hashcat to crack the password hash, you can use the command:
Get-DomaintUser -SPN mssql_svc | Get-DomainSPNTicket -OutputFormat hashcat
Performing Kerberoasting With Rubeus
Rebeus is a tool written in C# that can interact directly with the raw Kerberos protocol. This allows it to evade common detection mechanisms and makes it a good choice for red teams.
To perform Kerberoasting with Rebeus, you need the following:
- Authenticated access to the Active Directory domain you are attacking.
- The name of the service account you want to attack.
To use Rubeus, you must first upload it from your Kali Linux machine to the compromised Windows machine you are attacking. You can do this by downloading a pre-compiled version of Rebeus and running the command upload
in your Meterpreter session. Then run the command shell
to drop into a Windows command shell.
In the Windows command shell, you can run the Rubeus executable and specify the service account you want to attack:
/path/to/Rubeus.exe kerberoast /user:<serivce_account> /nowrap
For instance, if you wanted to target the vulnerable mssql_svc
account. You would run the following command in your Meterpreter session:
c:\windows\tasks\Rubeus.exe kerberoast /user:mssql_svc /nowrap
Here you have successfully obtained the crackable password hash for the mssql_svc account. Now, you need to use a cracking tool to find the plaintext password.
The /nowrap
option is used so that when you copy across the hash to your preferred cracking tool, the default formatting added by Rubeus will not cause an error.
Performing Kerberoasting With Invoke-Kerberoast
Invoke-Kerberoast is a malicious PowerShell script that is part of the defunct Empire framework. It automates the process of kerberoasting through PowerShell code that requests service tickets for kerberoast-able accounts and returns extracted ticket hashes.
To use perform a Kerberoast attack with Invoke-Kerberoast, the following requirements need to be satisfied:
- Authenticated access to the Active Directory domain you are attacking.
Invoke-Kerberoast is a PowerShell script. As such, you can load it into your Meterpreter session the same way you loaded the PowerView script:
Now you can execute the following command to use Invoke-Kerberoast to perform a Kerberoast attack:
powershell_execute "Invoke-Kerberoast"
This PowerShell script finds vulnerable accounts, requests a TGS for that account, and then returns the crackable hash. There is no need to specify the account you want to target. This saves you a step but is not great for operational security.
If you want the hash in a specific format for cracking, you can use the -OutputFormat
option. For instance, if you are going to use hashcat to crack the password hash, you can use the command:
Invoke-Kerberoast -OutputFormat hashcat
What to Do With the Hash
Once you have captured the hash of the user account, you can use this to perform lateral movement in the targeted Active Directory environment.
In the Kerberoast attack, this is done by cracking the password hash returned in the TGS ticket using a password cracking tool and using the plaintext password to impersonate that service account to access any network resources the account has permission to access.
To find out how to crack password hashes, take a look at these articles:
Conclusion
Kerberoasting is an incredibly powerful attack for hackers to have in their arsenal. It allows them to impersonate service accounts in Active Directory environments and grants them access to any network resources this account has permission to access. If the environment is poorly configured, this could lead to an entire domain being compromised!
To perform this attack, a hacker needs access to any authenticated Active Directory account and the SPN of the service account they want to attack. With these two pieces of information and a good password-cracking tool, they can wreak havoc on enterprises.
This article showcased a variety of tools you can use to perform Kerberoating, and it is recommended that you build your own Active Directory environment to try these tools out for yourself. Enjoy roasting Kerberos!
Interested in learning other attacks and the skills to become a penetration tester or red teamer? Read How to Become a Penetration Tester: The Ultimate Guide and take a look at these training courses: