Kerberoasting

PRACTICE ! PRACTICE ! PRACTICE !

Pre-requisite => link

Introduction to Kerbrute

Since the DC shows port 88 as open and we have no idea which users are valid on that domain, though we do have a list of candidate usernames, let's try to bruteforce them using kerbrute:

$ ./kerbrute userenum -dc 10.10.10.100 -d spookysec.local users.txt

What is Kerberoasting

  • When a compromised user requests a TGT ( Ticket Granting Ticket ) from the KDC ( Key Distribution Center ), proving its identity with the compromised user's NTLM hash, the KDC responds with a TGT encrypted with the default krbtgt user's hash :)

  • Now suppose there is an application server, which could be anything, for example a SQLService. We need to access that server, but how?

Remember, every application server has an SPN ( Service Principal Name )

  • As the compromised user we now hold a valid TGT, so we can present it to the KDC and request a Ticket Granting Service Ticket ( TGST ) in order to access the SQLService. The KDC returns the requested TGST encrypted with the SQLService account's hash

The KDC doesn't check whether we are actually allowed to use the SQLServer or not - this is where Kerberoasting starts !

  • Now that we've got the required TGST, we can authenticate to the SQLServer with it; the SQLServer decrypts our TGST and gives us access :)

$ impacket-GetUserSPNs MARVEL.local/fcastle:Password1 -dc-ip 192.168.169.139 -request

Now let's crack the TGST, which is encrypted with the service account's hash, using hashcat
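The defender-side view of the same flow, as an added example that is not part of the original notes: every TGS request lands in Windows security event 4769, and one account requesting RC4-encrypted ( etype 0x17 ) service tickets for several user-account SPNs within a short window is the classic Kerberoasting signature. The sample event lines, their field layout, and the window/threshold values below are constructed assumptions, not real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (not real logs), one line per TGS request.
# Fields: timestamp, requesting account, service name, ticket encryption type.
SAMPLE_4769 = """\
2024-05-01T10:00:01 fcastle@MARVEL.LOCAL SQLService 0x17
2024-05-01T10:00:02 fcastle@MARVEL.LOCAL HTTPService 0x17
2024-05-01T10:00:02 fcastle@MARVEL.LOCAL backupsvc 0x17
2024-05-01T10:00:03 fcastle@MARVEL.LOCAL WS01$ 0x12
2024-05-01T10:00:04 fcastle@MARVEL.LOCAL krbtgt 0x12
2024-05-01T11:30:00 pparker@MARVEL.LOCAL SQLService 0x12
"""

RC4_HMAC = 0x17                 # etype 23, the crackable type roasting tools ask for
WINDOW = timedelta(minutes=5)   # assumed burst window
MIN_DISTINCT_SERVICES = 3       # assumed alert threshold

def parse_4769(text):
    """Parse the constructed records into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, service, etype = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "service": service, "etype": int(etype, 16)})
    return events

def is_roastable_target(service):
    """Computer accounts (trailing $) and krbtgt are not Kerberoasting targets."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_kerberoast_bursts(events):
    """Return {user: sorted services} for every user that requested RC4
    service tickets for >= MIN_DISTINCT_SERVICES user-account SPNs inside WINDOW."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["etype"] == RC4_HMAC and is_roastable_target(e["service"]):
            per_user[e["user"]].append(e)
    alerts = {}
    for user, reqs in per_user.items():
        for i, first in enumerate(reqs):
            in_window = {r["service"] for r in reqs[i:]
                         if r["time"] - first["time"] <= WINDOW}
            if len(in_window) >= MIN_DISTINCT_SERVICES:
                alerts[user] = sorted(in_window)
                break
    return alerts
```

Running `find_kerberoast_bursts(parse_4769(SAMPLE_4769))` flags fcastle for three RC4 tickets in two seconds, while the AES ( 0x12 ) requests and the single request by pparker stay quiet.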

Mitigation Strategies

  • Never ever make your service accounts Domain Admins

  • Always set a Password > 14 chars

  • We are abusing a Windows feature, not a misconfiguration :)
