search

Kerberoasting Attack Step by Step Guide

Kerberoasting is a post-exploitation attack used to extract service account credentials from a Windows Active Directory environment. Below are the steps involved in performing a Kerberoasting attack along with the necessary commands.

hashtag
1. Bypass PowerShell Execution Policy

Before running scripts, bypass PowerShell's execution policy:

powershell -ep bypass

hashtag
2. Import PowerView Module

Load PowerView, a tool for Active Directory enumeration:

. .\PowerView.ps1

hashtag
3. Identify Service Accounts with SPNs

Find user accounts with associated Service Principal Names (SPNs):

Get-NetUser | Where-Object {$_.servicePrincipalName} | fl

hashtag
4. Enumerate SPNs in the Domain

List all registered SPNs in the domain:

hashtag
5. Check for Existing Kerberos Tickets

To list the current Kerberos tickets in use:

hashtag
6. Request a Ticket Granting Service (TGS) Ticket

Request a Kerberos service ticket for a specific service account:

hashtag
7. Extract Kerberos Tickets using Mimikatz

Use Mimikatz to export the tickets for offline cracking:

hashtag
8. Crack the Extracted Ticket

hashtag
Using a Python Script

hashtag
Using Hashcat for Faster Cracking

  • -m 13100 specifies Kerberos 5 TGS-REP as the hash type.

hashtag
Conclusion

Kerberoasting is an effective attack to extract service account credentials. After obtaining the password, you can escalate privileges or move laterally within the network.

Defensive Measures:

  • Enforce strong passwords for service accounts.

  • Implement monitoring for abnormal Kerberos requests.

  • Limit service accounts’ privileges to minimize the impact of compromise.

Previous15. Kerberoasting - from WindowsNextKerberoasting Attack Step by Step Guide

Last updated