The document discusses advanced techniques for kerberoasting, a method of offline password cracking in Windows environments, highlighting the mechanisms of service tickets and service principal names (SPNs). It details current approaches, such as using tools like Rubeus and Mimikatz, and addresses security considerations like encryption types and the challenges of mitigating kerberoasting risks. The presentation emphasizes the importance of understanding these techniques to improve security postures against potential exploitation.

1. Kerberoasting
Revisited
@harmj0y

2. # whoami
▪ Job: Technical Architect at SpecterOps
▪ Co-founder: Veil-Framework, Empire,
PowerView/PowerUp, BloodHound, GhostPack
▪ Cons: DerbyCon (since 4.0!), BlackHat, DEF CON
2

3. tl;dr
▪ Exactly how Kerberoasting works
▪ Kerberoasting Approaches
▪ msDS-SupportedEncryptionTypes
▪ Building a Better Kerberoast
▪ What’s Next
3

4. The Start… (DerbyCon 4.0!)
4
Thanks
@timmedin!

5. 5
WMI
computer.domain.com
PowerShell
Remoting
File Share
SQL
HOST/
HTTP/
HOST/
RPCSS/
CIFS/
MSSQLSvc/
dir computer.domain.comC$
1. Here’s my TGT.
I want a service ticket for:
CIFS/computer.domain.com
2. Service ticket
returned:
CIFS/computer.domain.com
3. Use service ticket:
CIFS/computer.domain.com
domain.com
Domain Controller
Attacker

6. 6
dir computer.domain.comC$
1. Here’s my TGT.
I want a service ticket for:
CIFS/computer.domain.com
2. Look up which (user or
computer$) account has the
CIFS/computer.domain.com
service principal name
(SPN) registered
3. Encrypt part of the service
ticket with the key of looked-
up account (computer$
here)
4. Target service decrypts
the service ticket w/ shared
computer$ key.
Target service decides
whether to allow access!
computer.domain.com
File
Share
CIFS/
domain.com
Domain Controller
Attacker

7. ▪ The target service and the domain controller have to
share some key so the service can decrypt the ticket
▪ For most SPNs, this is the computer$ account key/hash
□ Random characters/not crackable, 30 day change window L
▪ But if the SPN is registered for a user account, we now
have a piece of data that’s encrypted with their key
□ Requesting this and cracking offline == Kerberoasting ! 7
Kerberoasting 101:
Background

8. ▪ Service tickets (like TGTs) generally use either
AES256_CTS_HMAC_SHA1_96 (AES256) or
RC4_HMAC_MD5 (RC4/NTLM) keys for ticket encryption
▪ We really want RC4, since it’s orders of magnitude
faster to crack
8
Kerberoasting 101:
Key Encryption Types

9. ▪ ANY user can request ANY service ticket (by design!)
▪ No packets are sent to the service target unless we try
to use the requested ticket!
▪ Translation: if a user has a non-null
servicePrincipalName property, we can crack their
password offline
9
Kerberoasting 101:
Why Care

10. 10
Kerberoasting 101:
Using the Goods
▪ If a user account has an SPN registered, the user often:
□ has admin privileges on the machine specified in the SPN
□ and/or is other privileged domain groups
▪ Even if they don’t/aren’t, with the key cracked, we can
forge service tickets as ANY user to the specific SPN

11. External-In
-Need creds (pw/hash) of existing
domain account to first get a TGT
so service tickets can be requested
-More difficult over high latency C2
-But can granularly control all
aspects of the exchange (i.e. RC4)
Current Kerberoasting
Approaches
Domain-Joined Windows Host
-Don’t need credentials, just
execution in a domain user’s
context
-Easier over high latency C2
-Built-in request methods don’t let
you control aspects (like encryption
levels) of the exchange 11

12. ▪ The existing domain-joined Kerberoasting methods
involve using setspn.exe or .NET’s
KerberosRequestorSecurityToken class to request a
service ticket for a target SPN
▪ The tickets are then carved out of memory (Mimikatz) or
extracted using the GetRequest() method (PowerView)
12
Current Kerberoasting
Approaches

13. ▪ Modern (2008+ functional level) domains are supposed
to use AES keys by default for Kerberos
▪ So requesting a RC4 service ticket should result in
“encryption downgrade activity”
▪ But built-in request methods for user-backed SPNs
nearly always return RC4-encrypted service tickets 🤔
13
Sidenote:
Kerberoasting Defenses

14. 14

15. msDS-
SupportedEncryptionTypes
▪ AD user/computer account property touched on by Jim
Shaver and Mitchell Hennigan in their DerbyCon 7.0
“Return From The Underworld” talk
▪ According to Microsoft’s [MS-ADA2], “The Key
Distribution Center (KDC) uses this information [msDS-
SupportedEncryptionTypes] while generating a service
ticket for this account.” 15

16. msDS-
SupportedEncryptionTypes
▪ According to MS-KILE 3.1.1.5 the default value for this
field is 0x1C (RC4 | AES128 | AES256 = 28) for Windows
7+ and Server 2008R2+
▪ However, this property is only set by default
on computer accounts (not user or trust accounts!)
□ If this property is not defined/set to 0, [MS-KILE] 3.3.5.7 says
default behavior is to use a value of 0x7 (RC4) 16

17. 17
However we can set user
accounts to explicitly support
AES 128/256 encryption
0x18 (AES128 | AES256 = 24)

18. 18
But…
🤔

19. Why Care?
▪ There doesn’t seem to be an easy way to disable
RC4_HMAC service ticket requests on user accounts,
meaning we can’t “stop” RC4 Kerberoasting
□ We can disable RC4 for the entire domain, but this also kills
RC4 TGTs, which isn’t feasible for most environments
▪ Setting AES support for user accounts at least gives us
the “encryption downgrade” detection 19

20. Downsides of Built-in
Ticket Request Methods
▪ .NET/setspn approaches request/cache dozens (or
hundreds) of service tickets on the attacker host
▪ .NET’s KerberosRequestorSecurityToken doesn’t let you
specify encryption levels (RC4 vs AES) for ticket
requests
□ Since we don’t have a proper TGT, we can’t hard specify RC4
like Impacket/Metasploit 20

21. Obtaining a User’s TGT:
The “tgtdeleg” Trick
▪ @gentilkiwi realized we can request an outgoing service
ticket request for a SPN on an unconstrained delegation
server (the domain controller)
▪ This results in a delegated TGT for the current user
being present in the AP-REQ in a way we can retrieve it
▪ Translation: we get a usable TGT for the current user!
21

22. Rubeus:
Building a Better Kerberoast
▪ Rubeus implements the structures needed for service
ticket requests/responses
▪ Rubeus also implements Kekeo’s tgtdeleg trick
▪ Combined, this allows us to:
a) avoid caching service tickets on the attacker-
controlled host
b) specify RC4 in the service ticket requests 22

23. Rubeus:
Kerberoasting Opsec
23

24. Kerberoasting: What’s Next
24

25. One More Wrinkle…
25

26. Thanks!Any questions?
▪ @harmj0y
▪ will [at] harmj0y.net
Get Rubeus:
▪ https://github.com/GhostPack/Rubeus
26

27. Credits
Tim Medin for his groundbreaking Kerberoasting work
Benjamin Delpy for Mimikatz and Kekeo ♡
Alberto Solino for his Kerberoasting/sname/Impacket work
@fist0urs for his krb5tgs AES Hashcat work
Matan Hart for his PowerView Kerberoasting contributions
27