Kerberoasting

PRACTICE ! PRACTICE ! PRACTICE !

Pre-requisite => link

Introduction to Kerbrute

Since the DC shows us the port 88 as open, and we got no clue regarding the valid users on that domain, though we have some list of usernames - Let's try to bruteforce them using kerbrute

$ ./kerbrute userenum -dc 10.10.10.100 -d spookysec.local users.txt

What is Kerberoasting

• When a compromised user requests for a TGT ( Ticket Granting Ticket ) to the KDC ( Key Distribution Center ) along with the compromised user's NTLM hash - The KDC sends the TGT ( Ticket Granting Ticket ) encrypted with the default krbtgt user's hash as the response :)

• Now that there's an application server which can be of anything, for example as a SQLService - we now need to access that server but how?

Remember, every application server has a SPN ( Service Principal Name )

• We now as the compromised user, have a valid TGT - we can now request the KDC for a Ticket Granting Service Ticket ( TGST ) with our valid TGT, inorder to access the SQLService. The KDC in return sends us the required TGST encrypted with the SQLServer's account hash

The KDC doesn't know that we have access to the SQLServer or not - This is where Kerberoasting starts !

• Now that we've got the required TGST, we can authenticate with the SQLServer with our TGST and the SQLServer decrypts our TGST and gives us access :)

$ impacket-GetUserSPNs MARVEL.local/fcastle:Password1 -dc-ip 192.168.169.139 -request

Now let's crack the the TGT which is encrypted with the krbtgt user's hash using hashcat

MYpassword123#

Mitigation Strategies

• Never ever make your service accounts as Domain Admins

• Always set a Password > 14 chars

• We are abusing a Windows feature and not any Misconfigs :)