Kerberoasting is an attack in which any authenticated domain user requests a Kerberos service ticket (TGS) for a service principal name (SPN) and then attacks the ticket offline. Part of the ticket is encrypted under a key derived from the service account's password, so the password can be brute-forced from the ticket alone, without any further traffic to the domain controller and without lockouts. The recovered password can then be used either to move laterally or (if the service account holds elevated privileges) to escalate. Note that not every account is kerberoastable: only accounts that have an SPN set can have a ticket requested for them, and machine accounts have long random passwords that are not practically crackable, so the targets are user accounts with SPNs. BloodHound (packaged in Kali Linux) can be used to identify such accounts and the privileges they hold.

Impacket

Kerberoasting with Impacket

Impacket (packaged in Kali Linux) can enumerate accounts with SPNs over LDAP and request service tickets for them from a remote machine, using nothing more than a low-privileged domain account. With -request it prints each ticket in Hashcat's $krb5tgs$ format.

GetUserSPNs.py ${DOMAIN}/${USER}:${PASSWORD} \
	-dc-ip $DOMAIN_CONTROLLER_IP -request

The hashes output here can then be cracked with Hashcat. Mode 13100 is for RC4-encrypted tickets (lines beginning $krb5tgs$23$), which is the case the rest of this page assumes; if the service account only supports AES, the ticket comes back as $krb5tgs$17$ or $krb5tgs$18$ and needs mode 19600 or 19700 instead, and those crack far more slowly.


Rubeus

Kerberoasting with Rubeus

# Request and extract service tickets for all kerberoastable accounts in
# the current domain using Rubeus (run on a domain-joined Windows host).
# /format:hashcat writes the $krb5tgs$ lines in the format Hashcat expects;
# /outfile keeps long tickets from being mangled by console wrapping.
#
Rubeus.exe kerberoast /format:hashcat /outfile:$FILE_PATH

As with Impacket, the output is cracked with Hashcat mode 13100 for RC4 tickets ($krb5tgs$23$) and mode 19600 or 19700 for AES tickets ($krb5tgs$17$ or $krb5tgs$18$).


Invoke-Kerberoast

The Invoke-Kerberoast PowerShell function (from PowerView, also shipped with Empire) requests service tickets for every account with an SPN and writes them out in a form that can be attacked offline with Hashcat or John the Ripper. (Note that calling Out-File with the -Width 8000 option is important in the example below: Out-File wraps at the console width by default, and a wrapped ticket is a truncated, uncrackable ticket.)

# -ExpandProperty emits the bare hash strings rather than a table with a
# "Hash" header line that Hashcat would have to skip.
Invoke-Kerberoast -OutputFormat Hashcat |
	Select-Object -ExpandProperty Hash |
	Out-File -FilePath "$FILE_PATH" -Width 8000

Defenses

The attack works because any domain user can obtain a ticket encrypted under a service account's key, so the defenses aim to make that key expensive to crack, worthless if cracked, and the requests easy to spot:

(1) Long, random passwords for every account that has an SPN, or better, group Managed Service Accounts (gMSAs), whose 120-character passwords AD rotates automatically and which are therefore not practically crackable.
(2) Least privilege for service accounts. Don't run any service as domain admin (which you shouldn't need to do in this day and age anyway); a cracked SPN account should give the attacker as little as possible.
(3) Require AES for service accounts (msDS-SupportedEncryptionTypes), so that tickets come back as etype 17/18 rather than RC4, which takes orders of magnitude more work per guess.
(4) Monitor domain controller event 4769 (a Kerberos service ticket was requested). One account requesting tickets for many distinct service accounts in a short window, particularly with TicketEncryptionType 0x17 (RC4), is the classic signature; a honeypot account with an attractive SPN and no legitimate users turns the same event into a high-fidelity alert.
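Detection of the request burst described in the defenses above, as an added example for this page rather than any product's rule. It runs over a constructed set of event 4769 records (the field names TargetUserName, ServiceName, TicketEncryptionType, IpAddress and Status are the event's own; the timestamps and values are made up) and flags a requester that pulled tickets for several distinct service accounts within a short window. The threshold of 5 accounts and the 5-minute window are assumptions to tune per environment.

```python
"""Flag Kerberoasting-style bursts in Windows Security event 4769 records.

Added example for this page; the records below are constructed and the
threshold/window values are assumptions. ServiceName in 4769 is the service
*account* the ticket was issued for, which is what an attacker enumerates.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4 tickets


def is_roastable_request(ev):
    """Keep only successful tickets for non-machine, non-krbtgt accounts."""
    svc = ev["ServiceName"]
    if svc.lower().startswith("krbtgt"):
        return False  # TGT renewals, not service tickets of interest
    if svc.endswith("$"):
        return False  # machine accounts: long random passwords, not a target
    return ev.get("Status", "0x0") == "0x0"


def find_roasting_bursts(events, min_accounts=5, window=timedelta(minutes=5)):
    """Return one alert per (user, ip) that requested tickets for at least
    min_accounts distinct service accounts inside any window-long span."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)

    alerts = []
    for (user, ip), evs in by_requester.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        best_accounts, best_window = set(), []
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e["ServiceName"] for e in win}
            if len(accounts) > len(best_accounts):
                best_accounts, best_window = accounts, win
        if len(best_accounts) >= min_accounts:
            rc4 = sum(1 for e in best_window if e["TicketEncryptionType"] == RC4_HMAC)
            alerts.append({
                "user": user,
                "ip": ip,
                "distinct_accounts": len(best_accounts),
                "rc4_requests": rc4,
                # RC4 requests against AES-capable accounts are the strongest tell.
                "severity": "high" if rc4 else "medium",
            })
    return alerts


BASE = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp base


def ev(offset_s, user, svc, etype, ip, status="0x0"):
    return {"TimeCreated": BASE + timedelta(seconds=offset_s),
            "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample: jdoe pulls RC4 tickets for six service accounts in four
# seconds; asmith does ordinary work (one host ticket, two service tickets
# fifteen minutes apart).
SAMPLE_EVENTS = [
    ev(0, "jdoe", "svc_sql", "0x17", "10.0.0.5"),
    ev(1, "jdoe", "svc_web", "0x17", "10.0.0.5"),
    ev(1, "jdoe", "svc_backup", "0x17", "10.0.0.5"),
    ev(2, "jdoe", "svc_sccm", "0x17", "10.0.0.5"),
    ev(3, "jdoe", "svc_report", "0x17", "10.0.0.5"),
    ev(3, "jdoe", "svc_ldap", "0x17", "10.0.0.5"),
    ev(4, "jdoe", "krbtgt", "0x12", "10.0.0.5"),
    ev(10, "asmith", "WS01$", "0x12", "10.0.0.8"),
    ev(11, "asmith", "svc_sql", "0x12", "10.0.0.8"),
    ev(900, "asmith", "svc_web", "0x12", "10.0.0.8"),
]

if __name__ == "__main__":
    for alert in find_roasting_bursts(SAMPLE_EVENTS):
        print(alert)
```

Keying on (user, ip) rather than user alone keeps a single stolen account used from two hosts from being averaged into silence; raise min_accounts if your environment has legitimate scanners or monitoring accounts that touch many SPNs, or exempt them explicitly.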