Kerberoasting is a technique used in Active Directory (AD) environments to extract password hashes for accounts that use Kerberos authentication. Kerberos is the default authentication protocol used in AD environments, and it relies on a shared secret key between the client and the server for authentication.
Kerberoasting takes advantage of a weakness in the way that Kerberos works. When a user logs into an AD environment, their password is encrypted with a secret key and sent to the domain controller (DC) for verification. The DC then sends back a ticket-granting ticket (TGT) that the user can use to request access to resources on the network.
The weakness that Kerberoasting exploits is that some accounts in an AD environment have what is called a "service principal name" (SPN) associated with them. These SPNs are used to identify services that run under the context of a particular user account. When a user requests access to a service, the service needs to authenticate the user's request by contacting the DC and requesting a service ticket (ST). The ST is encrypted with the user's password hash, which the service can then use to authenticate the user's request.

TGS (ticket-granting service) ticket for an account with an associated SPN, but without actually providing the user's password. This request causes the AD server to send back an encrypted TGS ticket that contains the user's password hash. An attacker can then use a tool like "Mimikatz" to decrypt the TGS ticket and extract the password hash.
Once an attacker has the password hash for an account, they can use tools like "Hashcat" to crack it and obtain the user's plaintext password. This can give the attacker access to the user's account and the resources that the account has access to.
For this, we have the "GetUserSPNs.py" tool.
"GetUserSPNs.py" is a Python script that can be used to enumerate service principal names (SPNs) associated with user accounts in an Active Directory (AD) environment.
The script works by querying the AD server for user accounts that have SPNs associated with them and then displaying the results in a user-friendly format. It can be run from the command line and takes a number of arguments to customize the output.
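The same enumeration is what a defender runs to find and prioritise exposed service accounts. The sketch below is an added example, not code from the script described above: it audits directory entries that have already been exported and ranks user accounts with SPNs by how attractive they are to roast. The attribute names are standard AD attributes; the function names, thresholds, and sample accounts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RC4_HMAC = 0x4            # RC4 bit in msDS-SupportedEncryptionTypes
AES_BITS = 0x8 | 0x10     # AES128 | AES256 bits
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(ft) // 10)

def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, used here only to build the sample data."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def audit_spn_accounts(entries, now, max_age_days=365):
    """Return (finding_count, account, findings) for each user account with an SPN."""
    report = []
    for e in entries:
        name = e["sAMAccountName"]
        # Machine accounts (trailing $) use long random passwords; krbtgt is handled separately.
        if not e.get("servicePrincipalName") or name.endswith("$") or name == "krbtgt":
            continue
        findings = []
        etypes = int(e.get("msDS-SupportedEncryptionTypes") or 0)
        # Assumption: an unset (0) value is treated as RC4-permitted, the legacy default.
        if etypes == 0 or etypes & RC4_HMAC:
            findings.append("RC4 tickets permitted")
        elif not etypes & AES_BITS:
            findings.append("no AES encryption type enabled")
        age = (now - filetime_to_dt(e["pwdLastSet"])).days
        if age > max_age_days:
            findings.append(f"password is {age} days old")
        if int(e.get("adminCount") or 0) == 1:
            findings.append("privileged account (adminCount=1)")
        report.append((len(findings), name, findings))
    return sorted(report, key=lambda r: (-r[0], r[1]))

# Constructed sample entries, shaped like the result of an LDAP export.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _ft(days_ago):
    return dt_to_filetime(NOW - timedelta(days=days_ago))
SAMPLE = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "pwdLastSet": _ft(900), "adminCount": 1},
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": _ft(30)},
    {"sAMAccountName": "svc_backup", "servicePrincipalName": ["backup/bk01.corp.example"],
     "msDS-SupportedEncryptionTypes": 0x1C, "pwdLastSet": _ft(400)},
    {"sAMAccountName": "WEB01$", "servicePrincipalName": ["HOST/web01.corp.example"], "pwdLastSet": _ft(10)},
    {"sAMAccountName": "alice", "pwdLastSet": _ft(2000)},
]
if __name__ == "__main__":
    for count, name, findings in audit_spn_accounts(SAMPLE, NOW):
        print(f"{name}: {count} finding(s): {'; '.join(findings) or 'none'}")
```

Accounts at the top of the report are the ones to move to long random passwords or managed service accounts and to restrict to AES first.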