Targeted Kerberoasting
Kerberoasting is an attack that takes advantage of the way Service Principal Names (SPNs) are used in Active Directory for authentication. When a client requests a Kerberos TGS service ticket, that ticket is encrypted with the service account's NTLM password hash. An attacker can obtain the ticket and attempt to crack it offline; if successful, the attacker recovers the service account's password.
When an attacker possesses an account with the ability to edit the servicePrincipalName attribute of another user account in a domain, they can potentially make that account vulnerable to a Kerberoasting attack. By adding an SPN to the user account, the attacker can request a Kerberos TGS service ticket for that SPN and obtain it, encrypted with the user account's NTLM password hash. The attacker can then use offline password-cracking techniques to try to open the ticket and obtain the user account's password.
This is possible when the controlled account has GenericAll, GenericWrite, WriteProperty, WriteSPN or Validated-SPN rights over the target.
Once we've identified an account with one of these ACLs, we can use targetedKerberoast.py to perform the attack from a UNIX system, or PowerShell from Windows.
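As an added example (not part of this page, nor of targetedKerberoast.py), the detection logic a defender would run over domain controller events for this technique: an SPN value added to a user object (Security event 5136) followed within a short window by a service-ticket request for that account with RC4 encryption (event 4769, encryption type 0x17). The event records below are constructed, simplified dictionaries, and the field names are assumptions standing in for the corresponding Windows event fields.

```python
from datetime import datetime, timedelta

# Constructed sample events (simplified). Real 5136/4769 events carry the same
# information under their Windows field names (Object Class, LDAP Display Name,
# Operation Type, Service Name, Ticket Encryption Type, ...).
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-01-10T09:00:05", "subject": "CORP\\jdoe",
     "object_class": "user", "object_dn": "CN=svc_backup,OU=Users,DC=corp,DC=local",
     "attribute": "servicePrincipalName", "operation": "Value Added", "value": "fake/svc_backup"},
    {"id": 4769, "time": "2024-01-10T09:01:10", "account": "jdoe@CORP.LOCAL",
     "service": "svc_backup", "enc_type": "0x17"},
    {"id": 5136, "time": "2024-01-10T10:00:00", "subject": "CORP\\admin",
     "object_class": "computer", "object_dn": "CN=SRV01,OU=Servers,DC=corp,DC=local",
     "attribute": "servicePrincipalName", "operation": "Value Added", "value": "HOST/srv01"},
    {"id": 5136, "time": "2024-01-10T12:00:00", "subject": "CORP\\admin",
     "object_class": "user", "object_dn": "CN=svc_web,OU=Users,DC=corp,DC=local",
     "attribute": "servicePrincipalName", "operation": "Value Added", "value": "HTTP/web01"},
    {"id": 4769, "time": "2024-01-10T11:00:00", "account": "alice@CORP.LOCAL",
     "service": "sql_svc", "enc_type": "0x12"},
]

def cn_from_dn(dn):
    """Extract the leading CN (sAMAccountName-style name) from a distinguished name."""
    return dn.split(",")[0].split("=", 1)[1]

def find_targeted_kerberoast(events, window_minutes=60):
    """Alert on every SPN added to a *user* object (computer objects gain SPNs routinely).
    Severity is raised to 'high' when an RC4 service-ticket request for that account
    follows within the window, which is the second half of the technique."""
    alerts = []
    for add in events:
        if not (add["id"] == 5136 and add["object_class"] == "user"
                and add["attribute"] == "servicePrincipalName"
                and add["operation"] == "Value Added"):
            continue
        target = cn_from_dn(add["object_dn"])
        t0 = datetime.fromisoformat(add["time"])
        alert = {"target": target, "spn_writer": add["subject"], "spn": add["value"],
                 "severity": "medium", "requester": None}
        for e in events:
            if (e["id"] == 4769 and e["service"].lower() == target.lower()
                    and e["enc_type"] == "0x17"
                    and t0 <= datetime.fromisoformat(e["time"]) <= t0 + timedelta(minutes=window_minutes)):
                alert.update(severity="high", requester=e["account"])
        alerts.append(alert)
    return alerts
```

Event 5136 requires "Audit Directory Service Changes" plus a SACL on the user objects; without it the SPN write is never logged and only the weaker 4769-based view remains.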