6. 6
dir computer.domain.comC$
1. Here’s my TGT.
I want a service ticket for:
CIFS/computer.domain.com
2. Look up which (user or
computer$) account has the
CIFS/computer.domain.com
service principal name
(SPN) registered
3. Encrypt part of the service
ticket with the key of looked-
up account (computer$
here)
4. Target service decrypts
the service ticket w/ shared
computer$ key.
Target service decides
whether to allow access!
computer.domain.com
File
Share
CIFS/
domain.com
Domain Controller
Attacker
7. ▪ The target service and the domain controller have to
share some key so the service can decrypt the ticket
▪ For most SPNs, this is the computer$ account key/hash
□ Random characters/not crackable, 30 day change window L
▪ But if the SPN is registered for a user account, we now
have a piece of data that’s encrypted with their key
□ Requesting this and cracking offline == Kerberoasting ! 7
Kerberoasting 101:
Background
8. ▪ Service tickets (like TGTs) generally use either
AES256_CTS_HMAC_SHA1_96 (AES256) or
RC4_HMAC_MD5 (RC4/NTLM) keys for ticket encryption
▪ We really want RC4, since it’s orders of magnitude
faster to crack
8
Kerberoasting 101:
Key Encryption Types
9. ▪ ANY user can request ANY service ticket (by design!)
▪ No packets are sent to the service target unless we try
to use the requested ticket!
▪ Translation: if a user has a non-null
servicePrincipalName property, we can crack their
password offline
9
Kerberoasting 101:
Why Care
10. 10
Kerberoasting 101:
Using the Goods
▪ If a user account has an SPN registered, the user often:
□ has admin privileges on the machine specified in the SPN
□ and/or is other privileged domain groups
▪ Even if they don’t/aren’t, with the key cracked, we can
forge service tickets as ANY user to the specific SPN
11. External-In
-Need creds (pw/hash) of existing
domain account to first get a TGT
so service tickets can be requested
-More difficult over high latency C2
-But can granularly control all
aspects of the exchange (i.e. RC4)
Current Kerberoasting
Approaches
Domain-Joined Windows Host
-Don’t need credentials, just
execution in a domain user’s
context
-Easier over high latency C2
-Built-in request methods don’t let
you control aspects (like encryption
levels) of the exchange 11
12. ▪ The existing domain-joined Kerberoasting methods
involve using setspn.exe or .NET’s
KerberosRequestorSecurityToken class to request a
service ticket for a target SPN
▪ The tickets are then carved out of memory (Mimikatz) or
extracted using the GetRequest() method (PowerView)
12
Current Kerberoasting
Approaches
13. ▪ Modern (2008+ functional level) domains are supposed
to use AES keys by default for Kerberos
▪ So requesting a RC4 service ticket should result in
“encryption downgrade activity”
▪ But built-in request methods for user-backed SPNs
nearly always return RC4-encrypted service tickets 🤔
13
Sidenote:
Kerberoasting Defenses
15. msDS-
SupportedEncryptionTypes
▪ AD user/computer account property touched on by Jim
Shaver and Mitchell Hennigan in their DerbyCon 7.0
“Return From The Underworld” talk
▪ According to Microsoft’s [MS-ADA2], “The Key
Distribution Center (KDC) uses this information [msDS-
SupportedEncryptionTypes] while generating a service
ticket for this account.” 15
16. msDS-
SupportedEncryptionTypes
▪ According to MS-KILE 3.1.1.5 the default value for this
field is 0x1C (RC4 | AES128 | AES256 = 28) for Windows
7+ and Server 2008R2+
▪ However, this property is only set by default
on computer accounts (not user or trust accounts!)
□ If this property is not defined/set to 0, [MS-KILE] 3.3.5.7 says
default behavior is to use a value of 0x7 (RC4) 16
17. 17
However we can set user
accounts to explicitly support
AES 128/256 encryption
0x18 (AES128 | AES256 = 24)
19. Why Care?
▪ There doesn’t seem to be an easy way to disable
RC4_HMAC service ticket requests on user accounts,
meaning we can’t “stop” RC4 Kerberoasting
□ We can disable RC4 for the entire domain, but this also kills
RC4 TGTs, which isn’t feasible for most environments
▪ Setting AES support for user accounts at least gives us
the “encryption downgrade” detection 19
20. Downsides of Built-in
Ticket Request Methods
▪ .NET/setspn approaches request/cache dozens (or
hundreds) of service tickets on the attacker host
▪ .NET’s KerberosRequestorSecurityToken doesn’t let you
specify encryption levels (RC4 vs AES) for ticket
requests
□ Since we don’t have a proper TGT, we can’t hard specify RC4
like Impacket/Metasploit 20
21. Obtaining a User’s TGT:
The “tgtdeleg” Trick
▪ @gentilkiwi realized we can request an outgoing service
ticket request for a SPN on an unconstrained delegation
server (the domain controller)
▪ This results in a delegated TGT for the current user
being present in the AP-REQ in a way we can retrieve it
▪ Translation: we get a usable TGT for the current user!
21
22. Rubeus:
Building a Better Kerberoast
▪ Rubeus implements the structures needed for service
ticket requests/responses
▪ Rubeus also implements Kekeo’s tgtdeleg trick
▪ Combined, this allows us to:
a) avoid caching service tickets on the attacker-
controlled host
b) specify RC4 in the service ticket requests 22
27. Credits
Tim Medin for his groundbreaking Kerberoasting work
Benjamin Delpy for Mimikatz and Kekeo ♡
Alberto Solino for his Kerberoasting/sname/Impacket work
@fist0urs for his krb5tgs AES Hashcat work
Matan Hart for his PowerView Kerberoasting contributions
27