Kerberoasting Attack - Post exploitation attack

Background — high-level explanation 

Kerberoasting is an offline password attack that targets service accounts in Active Directory that have Service Principal Names (SPNs). Any domain user can request a Kerberos service ticket (TGS) for a service account. The ticket is encrypted with a key derived from the service account’s password (or key material). An attacker can collect those encrypted tickets and attempt to crack them offline if successful, they recover the service account password and can use it to escalate. 

Objective

As a domain user, enumerate SPNs, request TGS (service) tickets from the DC, capture the encrypted TGS blobs for the SQL service account, perform offline analysis to assess password strength, and document mitigations.

Lab Environment

I used the same  Active Directory lab consisting of one Windows Server machine acting as the Domain Controller and two Windows 10 workstations. A dedicated SQL service account was created in Active Directory and assigned a Service Principal Name (SPN) for the SQL service. This account was later used as the target for the Kerberoasting attack.

Walkthrough

I ran GetUserSPNs.py from an authenticated domain user session. The script enumerated AD objects with SPNs and requested Kerberos service tickets (TGS) for each discovered SPN.


I saved the hash for offline cracking so i searched for the particular module on hashcat as seen below👇


After i got the module i  cracked the service account password as seen below 👇


Quick takeaway

This lab demonstrates why service accounts must not be domain-privileged and why service-account passwords must be strong or managed. If a service account with an SPN has weak credentials and also has Domain Admin (or other highly privileged) rights, cracking its TGS can immediately lead to full domain compromise. In short: SPNs + weak passwords + excessive privileges = catastrophic risk.

Mitigations & prioritized remediation

  1. Move service to gMSA or vault the password (preferred).

  2. Rotate the  service account password immediately if targeted or cracked (coordinate service restart if needed).

  3. Remove SPNs from user accounts; ensure SPNs are on dedicated service accounts only.

  4. Enforce strong unique passwords for service accounts if gMSA not possible.

  5. Disable RC4 / legacy Kerberos etypes on DCs and clients; enforce AES where supported.

  6. Least-privilege for service accounts — reduce  account scope to minimum required.

  7. Inventory SPNs and audit pwdLastSet to find stale or weak accounts.

  8. Retest in lab after fixes to verify attack does not succeed.

Comments

Post a Comment

Popular posts from this blog

Using Hydra to Brute-Force SSH And WI-Fi Login Portal

Image
  Welcome back again to my cybersecurity blog! i'm Basit Hassan, a student penetration tester passionate about ethical hack ing. On this blog, i'll be sharing tutorials, walkthroughs, and real-world exploitation techniques  that i've personally tested and can get you started in the penetration testing field. Today's post, i'll demonstrate how to use Hydra , a powerful brute-forcing tool, to test login credentials on a SSH server and a WI-FI admin portal. This test was done on my own network and machine to show how attackers operate and how to protect against them. What is Hydra? Hydra is a powerful tool used by penetration testers to automate brute-force attacks on various protocols like SSH, FTP, HTTP, and more. In this blog, we’ll learn how to use Hydra to brute-force SSH logins and web-based login forms safely in a lab environment. 🔓 What is a Brute-Force Attack? A brute-force attack is a method use to gain unauthorized access to account and systems by trying co...
Read more

Discover AWS Organization ID Via S3 Bucket

Image
  Welcome to my cybersecurity blog! i'm Basit Hassan, a student penetration tester passionate about ethical hack ing. On this blog, i'll be sharing tutorials, walkthroughs, and real-world exploitation techniques  that i've personally tested and can get you started in the penetration testing field. Today's post is about AWS pentesting using an assume breached scenario, where the target  organization provide you with low level credentials,command line interface credentials that you can connect to the AWS CLI (Command Line Interface) with.  Let The Hacking Begin!!!! we will be using platform called CYBR click on the url and create a free account and do this lab along side with me  https://cybr.com/hands-on-labs/lab/discover-aws-organization-id-via-s3-bucket/  this is how the interface looks like below 👇👇after creating  an account and starting the lab  once it's ready you are going to get an Access key ID and a Secret Access key. So now if you are n...
Read more

SMB Relay Attack in AD Lab (Step-by-Step)

Image
Welcome back again to my cybersecurity blog! I'm Basit Hassan, a Vulnerability Assessment and Penetration Tester passionate about ethical hacking. On this blog, I’ll be sharing tutorials, walkthroughs, and real-world exploitation techniques that I’ve personally tested all designed to help you get started and grow in the penetration testing field. Today’s post , I’ll demonstrate how I leveraged SMB Relay attacks in my Active Directory lab to understand how attackers exploit network misconfigurations and relay authentication requests. This simulation was done in my own isolated lab environment to show how these attacks work  and more importantly, how to secure your network against them.  What is an SMB Relay Attack? SMB Relay is a man-in-the-middle (MITM) attack technique where an attacker intercepts and relays authentication requests from one system to another, without cracking any password. Instead of capturing and brute-forcing hashes, SMB Relay forwards the authenticatio...
Read more