Terminology:
- KDC: Key Distribution Center - A network service on all Domain Controllers
- TGS: Ticket Granting Service - A function that issues service tickets
- TGT: Ticket Granting Ticket - A ticket used to request service tickets from the TGS
- ST: Service Ticket - For authenticating services
- SPN: Service Principal Name - The name of a service on the network
Kerberoasting requests a ST for a service whose SPN is tied to a user account rather than a machine account. Such a ticket is encrypted with a key derived from that account's password, which is likely to be human-generated and therefore weak enough to crack.
Every valid account inside the domain may request a ticket from the TGS to access a service and will be given a corresponding ST. The decision of whether and how this account can access the service is the responsibility of that service and not the TGS.
With valid credentials for an account and as such a valid TGT in hand, an attacker may request a ST for every SPN on the network.
The flow is as follows (involving the steps from the AS_REP roasting section):
- With a valid TGT a TGS_REQ request is sent to the TGS
- The TGS checks that the SPN is valid, opens the TGT and performs additional checks on it
- If everything is okay, it generates a ST, encrypts the ST with the service account's password hash and sends it back to the client as part of the TGS_REP response
- The client receives the response, extracts the ST and can forward it to the desired service to access it
The problem here lies in the fact that the ST is encrypted with the password hash of the SPN's account, and that by design everyone inside the domain may request a ticket for that service.
The attacker can intercept the ticket or extract it from memory, and then crack it offline to recover the service account's password.
Subsequent attacks can be performed even from non-domain-joined machines, as long as valid credentials for one user were obtained.
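On the defender's side, the flow above leaves a trace on the domain controller: every TGS_REQ is logged as Security event 4769 with the requesting account, the service name and the ticket encryption type. The following is an added example (not part of the original text) that runs a simple Kerberoasting detection over constructed 4769 records; it assumes the audit subcategory "Kerberos Service Ticket Operations" is enabled and that the field names in the sample dicts have been mapped from your SIEM's 4769 schema.

```python
"""Flag Kerberoasting-like TGS_REQ patterns in Windows Security event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # 4769 "Ticket Encryption Type" value for RC4-HMAC, the crackable etype

# Constructed sample 4769 events (not real logs): 'bob' pulls RC4 tickets for many
# user-account SPNs within seconds; 'alice' shows normal AES machine-account traffic.
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "account": "alice", "service": "DC01$", "etype": "0x12", "client": "10.0.0.5"},
    {"time": "2024-01-10T09:00:02", "account": "alice", "service": "FS01$", "etype": "0x12", "client": "10.0.0.5"},
    {"time": "2024-01-10T09:05:00", "account": "bob", "service": "svc_sql", "etype": "0x17", "client": "10.0.0.77"},
    {"time": "2024-01-10T09:05:01", "account": "bob", "service": "svc_web", "etype": "0x17", "client": "10.0.0.77"},
    {"time": "2024-01-10T09:05:01", "account": "bob", "service": "svc_backup", "etype": "0x17", "client": "10.0.0.77"},
    {"time": "2024-01-10T09:05:02", "account": "bob", "service": "svc_mssql2", "etype": "0x17", "client": "10.0.0.77"},
    {"time": "2024-01-10T09:05:03", "account": "bob", "service": "svc_report", "etype": "0x17", "client": "10.0.0.77"},
    {"time": "2024-01-10T09:30:00", "account": "carol", "service": "svc_legacy", "etype": "0x17", "client": "10.0.0.9"},
]

def is_user_account_service(service: str) -> bool:
    """Machine accounts end with '$' and krbtgt is the TGT service itself;
    everything else is an SPN registered on a user account, the Kerberoasting target."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def detect_kerberoasting(events, window=timedelta(seconds=60), min_distinct_services=5):
    """Return one finding per (account, client) that requested RC4 service tickets
    for at least `min_distinct_services` distinct user-account SPNs within `window`."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["etype"] == RC4_HMAC and is_user_account_service(ev["service"]):
            by_requester[(ev["account"], ev["client"])].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    findings = []
    for (account, client), reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window over the requests
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_distinct_services:
                findings.append({"account": account, "client": client,
                                 "services": sorted(in_window), "start": start.isoformat()})
                break  # one finding per requester is enough for triage
    return findings

if __name__ == "__main__":
    for f in detect_kerberoasting(SAMPLE_4769):
        print(f"{f['account']}@{f['client']} requested RC4 STs for {len(f['services'])} "
              f"user-account SPNs from {f['start']}: {', '.join(f['services'])}")
```

The RC4 filter catches the classic case but not a roaster that accepts AES tickets, so the distinct-service threshold should also be run without the etype condition; legacy clients that still negotiate RC4 for single services (as 'carol' does here) stay below the threshold.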