Kerberoasting

Kerberoasting is a common attack in a Windows domain. Unlike AS-REP Roasting, the attacker must already be logged in with a normal domain user account. Once logged in, the attacker can request service tickets (TGS – Ticket Granting Service) for services in the domain. These tickets are encrypted with a key derived from the service account’s password, so the attacker can extract them and attempt to crack that password offline. If the password is weak, the attacker can gain higher privileges in the network.

SPN

Every service in a domain environment is associated with a service account. SPN stands for Service Principal Name. An SPN is a unique identifier that maps a service to a domain account. Basically, it tells Kerberos "which account owns which service".

Do All Service Accounts have SPNs associated with them?

No, not all service accounts have SPNs associated with them. A service account is granted an SPN only if:

  1. It uses Kerberos for authentication

  2. It is a custom service account and not a built-in one (like LocalSystem, NetworkService, etc.)

TGS (Ticket Granting Service)

  • A Service Ticket is a Kerberos authentication token that allows a user to access a specific service within the domain (such as SMB or HTTP).

  • A Service Ticket is issued by the TGS (Ticket Granting Service), which is a part of the KDC.

KDC (Key Distribution Center)

KDC stands for Key Distribution Center and is a core part of Kerberos that runs on the Domain Controller; it is responsible for authenticating users and services and issuing Kerberos tickets, such as Ticket Granting Tickets (TGTs) and service tickets, allowing secure access to resources in a Windows domain.

Requesting a service ticket

  • Any user with a valid TGT can request a Service Ticket for a given SPN.

  • The request contains:

    • The SPN of the service that the user wishes to access

    • Their TGT

  • If the request is valid, the TGS issues a service ticket encrypted with the NTLM hash of the service account associated with the provided SPN (when RC4 is negotiated; with AES, the key is derived from the same password).

  • The service ticket can only be decrypted by the service account whose password hash was used to encrypt it.

What is a TGT?

  • A TGT (Ticket Granting Ticket) is a Kerberos authentication token that allows a user to prove their identity to the domain without needing to enter their password every time.

  • A TGT is issued by the KDC after successful authentication to the KDC.

  • It allows users to request Service Tickets to access services.

  • Much like a session cookie on a website.

WORKFLOW:

Kerberoasting = Request service tickets → extract encrypted hashes → crack weak service account passwords → gain higher privileges

SUMMARY:

Kerberoasting is an attack in a Windows Active Directory domain where an attacker abuses Kerberos authentication to steal and crack service account passwords.

To perform Kerberoasting, the attacker must already be logged in as a normal domain user. After login, the user receives a TGT (Ticket Granting Ticket) from the KDC (Key Distribution Center), which runs on the Domain Controller.

In Active Directory, services run using service accounts. Each Kerberos-enabled service is identified by an SPN (Service Principal Name), which maps a service to its service account.

Using a valid TGT, any domain user can request a TGS (Ticket Granting Service ticket / Service Ticket) for a specific SPN. The TGS is issued by the KDC and is encrypted using a key derived from the password of the service account (its NTLM hash when RC4 is used).

The attacker can extract this service ticket and perform offline password cracking. If the service account password is weak, it can be cracked successfully.

Since service accounts often have high privileges, cracking their password can allow the attacker to gain elevated access in the domain.
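On the defensive side, the service ticket requests described above are logged on the Domain Controller as Security Event ID 4769. The following added example (not part of the original notes) runs a simple Kerberoasting detection over constructed 4769-style records: it flags RC4 (0x17/0x18) requests for non-machine service accounts and reports accounts that request several distinct such services within a short window. Field names follow the 4769 event; the account, host and SPN values are made up.

```python
"""Kerberoasting indicator detection over Windows Security Event 4769 records.

Added example, not code from the original notes. SAMPLE_EVENTS is constructed
for illustration; only the field layout mirrors the real 4769 event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {0x17, 0x18}       # RC4-HMAC / RC4-HMAC-EXP: key is the NT hash
WINDOW = timedelta(minutes=5)   # burst window for one requesting account
SPN_BURST = 3                   # distinct candidate services to raise an alert

# Constructed sample 4769 events (etype is the hex string the event carries).
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "account": "alice@CORP.LOCAL",
     "service": "sqlsvc", "etype": "0x17", "client": "10.0.0.5"},
    {"time": "2024-01-01T10:00:05", "account": "alice@CORP.LOCAL",
     "service": "httpsvc", "etype": "0x17", "client": "10.0.0.5"},
    {"time": "2024-01-01T10:00:09", "account": "alice@CORP.LOCAL",
     "service": "iis_app", "etype": "0x17", "client": "10.0.0.5"},
    {"time": "2024-01-01T10:00:30", "account": "bob@CORP.LOCAL",
     "service": "FILESRV01$", "etype": "0x12", "client": "10.0.0.7"},
    {"time": "2024-01-01T10:01:00", "account": "bob@CORP.LOCAL",
     "service": "sqlsvc", "etype": "0x17", "client": "10.0.0.7"},
    {"time": "2024-01-01T10:02:00", "account": "carol@CORP.LOCAL",
     "service": "krbtgt", "etype": "0x17", "client": "10.0.0.9"},
]


def is_roast_candidate(ev):
    """RC4 ticket for a user-style service account (not a machine account
    ending in '$', not krbtgt). RC4 alone is a weak signal, so detect()
    additionally requires a burst of distinct services."""
    svc = ev["service"]
    return (int(ev["etype"], 16) in RC4_ETYPES
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect(events):
    """Return {account: sorted distinct services} for accounts that requested
    at least SPN_BURST distinct candidate services within WINDOW."""
    per_acct = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            per_acct[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for acct, reqs in per_acct.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_win = {s for t, s in reqs[i:] if t - t0 <= WINDOW}
            if len(in_win) >= SPN_BURST:
                hits[acct] = sorted(in_win)
                break
    return hits
```

Legacy services that still negotiate RC4 generate single 0x17 events routinely, which is why only the burst from one account is reported; tuning `SPN_BURST` and `WINDOW` to the environment's baseline keeps the rule usable.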
