What is Kerberoasting?
Kerberoasting is an attack that allows an attacker to extract Kerberos service tickets (TGS) from Active Directory (AD) and crack them offline to recover plaintext passwords of service accounts.
Why is this attack dangerous?
● It does not require admin privileges: any authenticated domain user can request Kerberos service tickets.
● Service accounts often have weak, rarely rotated passwords and high privileges.
● Since the cracking happens offline, the attack generates no failed-logon events; the only trace on the domain controller is an ordinary-looking service ticket request.
________________________________________
How Kerberoasting Works (Step-by-Step)
Step 1: Attacker Gets a Valid Domain User Account
● Any authenticated domain user can perform Kerberoasting.
● The attacker does not need to be an admin.
Step 2: Request a Service Ticket (TGS) for a Service Account
● The attacker queries Service Principal Names (SPNs) linked to service accounts.
● SPNs are used by Kerberos to map services to user accounts.
Example Command to Find Service Accounts (PowerView)
Get-NetUser -SPN
Step 3: Extract Kerberos Tickets from Memory
● The attacker requests a TGS ticket from the Domain Controller (DC).
● The service ticket in the TGS response is encrypted with a key derived from the service account's password (the NTLM hash when RC4 encryption is used), which is what makes offline cracking possible.
Example Command to Request TGS Tickets (Rubeus)
Rubeus.exe kerberoast /format:hashcat
Step 4: Crack the Ticket Offline to Reveal the Password
● The attacker extracts the TGS hash and cracks it offline using hashcat or John the Ripper.
Example Hashcat Command (Cracking TGS Ticket)
hashcat -m 13100 <ticket_hash> rockyou.txt --force
Step 5: Use the Recovered Password for Privilege Escalation
● If the service account has admin privileges, the attacker can move laterally or escalate privileges.
● The attacker may perform Pass-the-Hash, DCSync, or Golden Ticket attacks.
________________________________________
Tool                      | Usage
--------------------------|--------------------------------------
PowerView                 | Enumerate service accounts with SPNs
Rubeus                    | Request TGS tickets & extract hashes
Mimikatz                  | Dump Kerberos tickets from memory
Impacket (GetUserSPNs.py) | Enumerate SPNs & extract tickets
Hashcat                   | Crack TGS hashes offline
John the Ripper           | Alternative for cracking hashes
________________________________________
Example Commands for Each Tool
1. PowerView (Find SPNs for Kerberoasting)
Get-NetUser -SPN
Find service accounts with SPNs (targets for Kerberoasting).
________________________________________
2. Rubeus (Request TGS Tickets)
Rubeus.exe kerberoast /format:hashcat
Extracts service ticket hashes for offline cracking.
________________________________________
3. Mimikatz (Dump Kerberos Tickets)
privilege::debug
sekurlsa::tickets /export
Extracts Kerberos tickets from memory.
________________________________________
4. Impacket (Python Script for SPN Enumeration)
python3 GetUserSPNs.py -request DOMAIN/USER:PASSWORD@DC_IP
Lists all SPNs & requests their Kerberos tickets.
________________________________________
5. Crack the Hash with Hashcat
hashcat -m 13100 <ticket_hash> rockyou.txt --force
Uses dictionary attacks to recover plaintext passwords.
________________________________________
How to Detect and Prevent Kerberoasting
Detection (Blue Team)
● Monitor Event ID 4769 (a Kerberos service ticket was requested), especially requests whose ticket encryption type is 0x17 (RC4-HMAC), since cracking tools request RC4 tickets wherever the account allows it.
● Look for many service ticket requests for different SPNs from a single user in a short time window (suspicious activity); requests for machine accounts (names ending in $) can usually be excluded because their passwords are long and random.
● Use Sysmon + SIEM tools to track unusual Kerberos activity.
Prevention (Security Hardening)
________________________________________
Summary
● Kerberoasting targets service accounts in AD to extract TGS tickets and crack passwords offline.
● Attackers need only a valid domain user to launch this attack.
● Defenses include strong passwords, AES encryption, and log monitoring.
Here are 15 one-word questions, with their corresponding answers and hints, based on the content about the Kerberoasting attack:
Question 1.
What is the main target of a Kerberoasting attack?
Question 2.
Which type of ticket is extracted in a Kerberoasting attack?
Question 3.
Which protocol is leveraged during the Kerberoasting attack?
Question 4.
Which privilege is not required for Kerberoasting?
Question 5.
What command is used in PowerView to find SPNs?
Question 6.
Which tool is used to request TGS tickets in a Kerberoasting attack?
Question 7.
Which hash-cracking tool is used for cracking Kerberos ticket hashes offline?
Question 8.
What kind of encryption should be enabled to prevent Kerberoasting attacks?
Question 9.
What type of attack does Kerberoasting enable after cracking a service account password?
Question 10.
What command is used to dump Kerberos tickets from memory using Mimikatz?
Question 11.
What Python script can enumerate SPNs for Kerberoasting?
Question 12.
Which command-line tool is commonly used to crack ticket hashes in a Kerberoasting attack?
Question 13.
Which event ID should be monitored to detect Kerberoasting attacks?
Question 14.
What is a key defense against Kerberoasting?
Question 15.
Which tool can help monitor unusual Kerberos ticket requests during Kerberoasting detection?