From b5ef8f89bb523a8270f9b512cfd15f60a856758c Mon Sep 17 00:00:00 2001 From: skelsec Date: Sat, 29 Sep 2018 20:51:11 +0200 Subject: [PATCH] update readme.txt --- README.md | 84 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 83 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 24e6654..3ce72ee 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,84 @@ # kerberoast -Kerberoast attack -pure python- +Kerberos attack toolkit -pure python- + +### Install +```pip3 install kerberoast``` + +#### Prereqirements +Python 3.6 +See requirements.txt + + +### For the impatient +IMPORTANT: the accepted formats are the following +`````` : ```/:@``` +``````: ```/:@``` + +If nt hash or AES key is used insted of plaintext password, you MUST indicate it with ```-n``` and ```-a``` respectively + +Steps: +1. Look for vulnerable users via LDAP +```kerberoast ldap all -o ldapenum``` +2. Use ASREP roast against users in the ```ldapenum_asrep_users.txt``` file +```kerberoast asreproast -t ldapenum_asrep_users.txt``` +3. Use SPN roast against users in the ```ldapenum_spn_users.txt``` file +```kerberoast spnroast -t ldapenum_spn_users.txt``` +4. Crack SPN roats output with hashcat +5. Crack ASREP roast results with hashcat See: [hashcat issue ](https://github.com/hashcat/hashcat/issues/1707) + +## Commands +### ldap +This command group is for enumerating potentially vulnerable users via LDAP. +#### Command structure +    ```kerberoast ldap ``` + +```Type```: It supports three types of users to be enumerated +1. ```spn``` Enumerates users with ```servicePrincipalName``` attribute set. +2. ```asrep``` Enumerates users with ```DONT_REQ_PREAUTH``` flag set in their UAC attribute. +3. ```all``` Startes all the above mentioned enumerations. + +```target```: Specifies the usercredential and the target server in the following format + +    ```/:@``` +If password is omitted, the script will promt for the password. 
+ +```options```: +    ```-n```: Specifies if the password is in fact an NT hash +    ```-o```: Output file base name + +### brute +This command is to perform username enumeration by brute-forcing the kerberos service with possible username candidates +#### Command structure +    ```kerberoast brute ``` + +```realm```: The kerberos realm usually looks like ```COMPANY.corp``` +```dc_ip```: IP or hostname of the domain controller +```targets```: Path to the file which contains the possible username candidates +```options```: +    ```-o```: Output file base name + +### asreproast +This command is to perform ASREProast attack +#### Command structure +    ```kerberoast asreproast ``` + +```dc_ip```: IP or hostname of the domain controller +```options```: +    ```-r```: Specifies the kerberos realm to be used. It overrides all other realm info. +    ```-o```: Output file base name +    ```-t```: Path to the file which contains the usernames to perform the attack on +    ```-u```: Specifies the user to perform the attack on. Format is either `````` or ```/``` but in the first case, the ```-r``` option must be used to specify the realm + +## spnroast +This command is to perform SPNroast (AKA kerberoast) attack. +#### Command structure +    ```kerberoast spnroast ``` + +```logincreds```: Specifies the usercredential and the target server in the following format ```/:@``` +```options```: +    ```-r```: Specifies the kerberos realm to be used. It overrides all other realm info. +    ```-o```: Output file base name +    ```-t```: Path to the file which contains the usernames to perform the attack on +    ```-u```: Specifies the user to perform the attack on. Format is either `````` or ```/``` but in the first case, the ```-r``` option must be used to specify the realm +    ```-n```: Specifies if the password is in fact an NT hash +    ```-a```: Specifies if the password is in fact an AES key
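Review bot: the credential and target format strings in the "For the impatient" block and in every "Command structure" line render as empty code spans (`````` : ```/:@``` and ```kerberoast ldap ```), so the README never actually tells the reader which fields go where; if the placeholders were written in angle brackets, Markdown drops them as unknown HTML tags, so escape them or move the formats into a fenced block. The same happens to the ```-u``` format in the asreproast and spnroast sections ("Format is either `````` or ```/```"). The intro says an AES key "MUST" be flagged with ```-a```, but the ```ldap``` option list documents only ```-n```; if ```ldap``` does not accept AES keys, say so there. ```## spnroast``` sits one heading level above its siblings ```### ldap```, ```### brute``` and ```### asreproast```, which pushes it out of the "Commands" section in the rendered outline. Spelling in this hunk: "Prereqirements", "insted", "Startes", "promt" and "SPN roats".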