πŸ”±
πŸ”±
πŸ”±
πŸ”±
CrackMapExec ~ CME WIKI
Public Release - v5.3.0@byt3bl33d3r@mpgn_x64
Search…
Introduction
πŸ”₯
News 2022
Changelog
Sponsoring CME
Other Gitbook
Getting Started
Installation
Selecting & Using a Protocol
Target Formats
Using Credentials
Using Kerberos
Using Modules
Database General Usage
πŸ†•
BloodHound integration
Report bugs or new features
πŸ†•
Audit Mode
SMB protocol
πŸ†•
Scan for vulnerabilities
Enumeration
Password spraying
Authentication
Command execution
Spidering Shares
Get and Put files
Obtaining Credentials
πŸ†•
Defeating LAPS
πŸ†•
Spooler, WebDav running ?
LDAP protocol
Authentication
ASREPRoast
Kerberoasting
Unconstrained delegation
Admin Count
Machine Account Quota
Get user descriptions
πŸ†•
Exploit ESC8 (adcs)
WINRM protocol
Password spraying
Authentication
Command execution
πŸ†•
Defeating LAPS
MSSQL protocol
Password spraying
Authentication
MSSQL Privesc
MSSQL command
Windows command
SSH protocol
Password spraying
Authentication
Command execution
πŸ†•
RDP Protocol
Password spraying
Install aardwolf lib
Powered By GitBook
Kerberoasting
Retrieve the Kerberos 5 TGS-REP etype 23 hash using Kerberoasting
You can retrieve the Kerberos 5 TGS-REP etype 23 hash using Kerberoasting technique
The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets is encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline. More detail in Kerberos theory.
To perfom this attack, you need an account on the domain
cme ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt

Cracking with hashcat

hashcat -m13100 output.txt wordlist.txt

Example

Active machine is a good example to test Kerberoasting with CrackMapExec
https://www.hackthebox.eu/home/machines/profile/148
www.hackthebox.eu

Useful ressources:

Kerberos (II): How to attack Kerberos?
Tarlogic Security
Kerberoasting
Red Teaming Experiments
Kerberoasting
hackndo
​
​
​
LDAP protocol - Previous
ASREPRoast
Next - LDAP protocol
Unconstrained delegation
Last modified 2yr ago
Copy link
Outline
Cracking with hashcat
Example
Useful ressources: