Kerberoasting

Retrieve the Kerberos 5 TGS-REP etype 23 hash using Kerberoasting

You can retrieve the Kerberos 5 TGS-REP etype 23 hash using Kerberoasting technique
The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets is encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline. More detail in Kerberos theory.
To perfom this attack, you need an account on the domain
cme ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
Cracking with hashcat 
hashcat -m13100 output.txt wordlist.txt
Example
Active machine is a good example to test Kerberoasting with CrackMapExec
https://www.hackthebox.eu/home/machines/profile/148
www.hackthebox.eu
Useful ressources:
Kerberos (II): How to attack Kerberos?
Tarlogic Security
Kerberoasting
Red Teaming Experiments
Kerberoasting
hackndo
​
​
​

LDAP protocol - Previous

Find domain SID

Next - LDAP protocol

Unconstrained delegation

Last modified 27d ago