# Kerberoast$ Pentest Course

## Section 1: Introduction to Kerberoast$

Welcome to the first section of our comprehensive pentest course on the Kali Linux tool, **Kerberoast$**. In this section, we will dive deep into the installation and configuration of the tool on Kali Linux, followed by a step-by-step guide on how to effectively use it in real-world scenarios. Detailed technical explanations will accompany code examples to enhance your learning experience.

### What is Kerberoast$?

Kerberoast is a post-exploitation tool that targets the Kerberos authentication protocol used in Windows Active Directory environments. Any authenticated domain user can request service tickets (TGS) for services that run under user service accounts; part of each ticket is encrypted with a key derived from that service account's password, so the tickets can be taken offline and subjected to password guessing without any further contact with the domain. This technique is particularly effective against environments that use weak passwords for service accounts.

### 1.1 Installation and Configuration on Kali Linux

Installing Kerberoast on Kali Linux is straightforward as it is included in the default repositories. However, we will also ensure that we have the necessary dependencies and tools to effectively use it.

#### Step 1: Update Kali Linux

Before installation, it is important to update your Kali Linux system to ensure all existing packages are up to date. Open your terminal and run:

```bash
sudo apt update && sudo apt upgrade -y
```

#### Step 2: Install Kerberoast

To install Kerberoast, we can simply install the `impacket` package, which includes the tool. Run the following command:

```bash
sudo apt install impacket-scripts -y
```

This command installs a suite of Python scripts designed for penetration testing, including those for Kerberos operations.

#### Step 3: Install Additional Dependencies

In addition to `impacket`, ensure you have `hashcat` or John the Ripper (package `john`) for cracking the extracted tickets. You can install these with the following commands:

```bash
sudo apt install hashcat -y
sudo apt install john -y
```

#### Step 4: Confirm Installation

To verify that Kerberoast is correctly installed, you can check for the existence of the `GetTGT.py` script, which is part of `impacket`. Run:

```bash
ls /usr/share/doc/impacket/examples/
```

You should see the `GetTGT.py` script listed.

### 1.2 Step-By-Step Usage of Kerberoast$

#### Step 1: Set Up Your Environment

To use Kerberoast, you need to be in a network environment where Kerberos is in use. In practice this means you have network reachability to a domain controller (the ticket requests go to the KDC running there) and a set of valid domain credentials, for example from a domain-joined machine.

#### Step 2: Obtain a TGT (Ticket Granting Ticket)

To initiate the Kerberoast attack, you first need to authenticate to the domain and obtain a TGT. This is done using the `GetTGT.py` script.

```bash
python3 /usr/share/doc/impacket/examples/GetTGT.py <domain>/<user>:<password> -dc-ip <dc-ip>
```

Replace `<domain>`, `<user>` and `<password>` with your credentials; the script takes them as a single positional `domain/user:password` argument (`-user` and `-password` are not `GetTGT.py` options), and `-dc-ip` names the domain controller to talk to. This generates a TGT for your user and saves it as `<user>.ccache` in the current directory. The later scripts can reuse it by pointing `KRB5CCNAME` at that file and passing `-k -no-pass`, or they can simply take the same credentials on the command line.

#### Step 3: List the Service Principal Names (SPNs)

Once you have a TGT (or valid credentials), use the `GetUserSPNs.py` script to list the domain user accounts that have SPNs registered; it queries LDAP on the domain controller rather than contacting each service. This is important because every such account is a potential Kerberoasting target, and the same list is what a defender should review: each entry is an account whose password strength is exposed to any authenticated domain user.

```bash
python3 /usr/share/doc/impacket/examples/GetUserSPNs.py <domain>/<user>:<password> -dc-ip <dc-ip>
```

Add `-usersfile <file>` to restrict the query to the account names listed in that file (one per line) instead of every SPN-bearing user in the domain.

#### Step 4: Extract TGS Tickets for Target Service Accounts

After identifying the SPNs, you can extract the TGS tickets for these service accounts. Use the `GetUserSPNs.py` script again in the following way:

```bash
python3 /usr/share/doc/impacket/examples/GetUserSPNs.py <domain>/<user>:<password> -dc-ip <dc-ip> -request -outputfile <file>
```

This will save the tickets to the specified output file.

#### Step 5: Crack the Tickets Offline

With the tickets extracted, the next step is to crack them offline to recover the plaintext passwords. You can use hashcat or John the Ripper for this purpose.

The file written by `GetUserSPNs.py -outputfile` already contains one `$krb5tgs$...` line per ticket in the format both crackers read, so no conversion is needed (`tgsrepcrack.py` belongs to the original Kerberoast toolkit, not to `impacket`, and operates on `.kirbi` files). For RC4 tickets (`$krb5tgs$23$`), hashcat mode 13100 or John's `krb5tgs` format applies:

```bash
hashcat -m 13100 <file> <wordlist>
john --format=krb5tgs --wordlist=<wordlist> <file>
```

AES tickets (`$krb5tgs$17$` and `$krb5tgs$18$`) use hashcat modes 19600 and 19700 and crack far more slowly, which is why forcing AES on service accounts is a standard mitigation.
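The output file from Step 4 is worth understanding before it goes anywhere near a cracker. The following parser is an added example, not part of the original course or of `impacket`: it reads `$krb5tgs$` lines (the layouts are assumed from how `GetUserSPNs.py` writes them), recovers the account, SPN and encryption type, and sorts accounts into the RC4 ones that crack cheaply and the AES ones that do not. All sample lines are constructed, with filler hex in place of real ciphertext.

```python
import re
from dataclasses import dataclass

# Line layouts assumed for GetUserSPNs.py -outputfile (sample lines below are constructed):
#   RC4 (etype 23):    $krb5tgs$23$*USER$REALM$SPN*$<HMAC-MD5, 16 bytes hex>$<edata hex>
#   AES (etype 17/18): $krb5tgs$17$USER$REALM$*SPN*$<HMAC-SHA1-96, 12 bytes hex>$<edata hex>
RC4_RE = re.compile(r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$", re.I)
AES_RE = re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]{24})\$([0-9a-f]+)$", re.I)

@dataclass
class TgsHash:
    etype: int      # Kerberos encryption type of the ticket's enc-part
    user: str       # service account the ticket was issued for
    realm: str
    spn: str        # requested SPN (the tool writes ':' as '~'; restored here)
    checksum: str   # keyed checksum over the enc-part, hex
    edata_len: int  # bytes of ciphertext under the service account's key

def parse_tgs_line(line):
    """Parse one output line; raise ValueError for anything that is not a $krb5tgs$ line."""
    line = line.strip()
    if m := RC4_RE.match(line):
        user, realm, spn, cksum, edata = m.groups()
        return TgsHash(23, user, realm, spn.replace("~", ":"), cksum.lower(), len(edata) // 2)
    if m := AES_RE.match(line):
        etype, user, realm, spn, cksum, edata = m.groups()
        return TgsHash(int(etype), user, realm, spn.replace("~", ":"), cksum.lower(), len(edata) // 2)
    raise ValueError("not a GetUserSPNs.py $krb5tgs$ line")

def triage(lines):
    """Split accounts by ticket etype: RC4 tickets are the cheap-to-crack ones and mark
    accounts to move to AES-only (msDS-SupportedEncryptionTypes), a gMSA, or a long random password."""
    report = {"rc4_weak": [], "aes": []}
    for line in lines:
        h = parse_tgs_line(line)
        bucket = "rc4_weak" if h.etype == 23 else "aes"
        report[bucket].append(f"{h.user}@{h.realm} ({h.spn})")
    return report

# Constructed sample output; the hex bodies are filler, not real tickets.
SAMPLE_OUTPUT = [
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local~1433*$" + "ab" * 16 + "$" + "cd" * 64,
    "$krb5tgs$18$svc_web$CORP.LOCAL$*HTTP/web01.corp.local*$" + "ef" * 12 + "$" + "01" * 80,
]

if __name__ == "__main__":
    for bucket, accounts in triage(SAMPLE_OUTPUT).items():
        print(bucket, accounts)
```

An empty `rc4_weak` list after a full sweep is the state a hardened domain should be in.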

### 1.3 Real-World Use Cases

Kerberoasting is commonly employed in engagements where the security posture of the Active Directory is being evaluated. Here are some real-world scenarios where Kerberoast has proven effective:

1. **Weak Passwords in Service Accounts**: Many organizations neglect to enforce strict password policies on service accounts. Pentesters can recover those passwords and, when the service account is privileged, use them to gain admin-level access to systems.

2. **Using Kerberoast as Part of a Larger Attack Strategy**: Kerberoasting can be combined with other attacks (like phishing or exploiting unpatched vulnerabilities) to escalate privileges within the network.

3. **Assessing Security Configurations in Active Directory**: Organizations can use Kerberoast to identify misconfigurations in their AD setup that may expose them to risks.

### 1.4 Detailed Technical Explanations

The technique behind Kerberoasting relies on exploiting the way Kerberos handles service tickets. Here’s a breakdown of the process:

- **Service Tickets (TGS)**: When a client requests access to a service, it sends a request to the Key Distribution Center (KDC). The KDC responds with a TGS whose ticket portion is encrypted with a key derived from the service account's password (for RC4, the account's NT hash). The KDC issues this ticket to any authenticated user without checking whether that user is allowed to use the service; authorization happens only later, at the service itself.

- **Offline Cracking**: The attacker keeps the encrypted TGS and guesses the password offline, deriving a key from each candidate and checking it against the ticket until one decrypts correctly. No further traffic reaches the domain controller and account lockout never triggers, which is why the request itself is the only point at which a defender can observe the activity.
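Since the request is the only observable step, the matching defensive check is a domain controller log search. The following is an added example, not from the original course or from `impacket`: it runs over constructed Security Event ID 4769 ("A Kerberos service ticket was requested") records, using the real 4769 field names, and flags a requester that pulls RC4 (`0x17`) tickets for several different user service accounts within a short window. Thresholds and the window length are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records (field names as a DC logs them; values made up for this example).
# 0x17 = RC4-HMAC, 0x12 = AES256. The burst from jsmith is the pattern to catch.
SAMPLE_4769 = [
    {"t": "2024-05-01T10:00:01", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"t": "2024-05-01T10:00:01", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"t": "2024-05-01T10:00:02", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"t": "2024-05-01T10:00:02", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "krbtgt",     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"t": "2024-05-01T10:00:03", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "WS01$",      "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
    {"t": "2024-05-01T10:03:00", "TargetUserName": "alice@CORP.LOCAL",  "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31"},
    {"t": "2024-05-01T11:00:00", "TargetUserName": "alice@CORP.LOCAL",  "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"},
]

def is_roastable_request(ev):
    """RC4 tickets for user service accounts only: machine accounts ($) and the TGS itself are noise."""
    svc = ev["ServiceName"]
    return ev["TicketEncryptionType"].lower() == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt"

def kerberoast_candidates(events, window=timedelta(minutes=5), min_distinct=3):
    """Return {requester: sorted services} for requesters that asked for at least
    min_distinct distinct roastable services inside any span of length `window`."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["t"]), ev["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        for i, (t_end, _) in enumerate(reqs):
            # distinct services requested in the window that ends at this event
            in_window = {svc for t, svc in reqs[: i + 1] if t >= t_end - window}
            if len(in_window) >= min_distinct:
                hits[user] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    for user, services in kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {services}")
```

In a domain where service accounts are AES-only, any `0x17` ticket for a user account is already worth a look, so `min_distinct` can drop to 1 there.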

### 1.5 External Reference Links

For further reading and to deepen your understanding of Kerberoasting, refer to the following resources:

- [Mitre ATT&CK – Kerberoasting](https://attack.mitre.org/wiki/Technique/T1208)
- [Penetration Testing with Kali Linux](https://www.kali.org/docs/)
- [Impacket Documentation](https://github.com/SecureAuthCorp/impacket)

### Conclusion

In this section, we have covered the installation, configuration, and usage of the Kerberoast tool in Kali Linux. Understanding and leveraging this tool is crucial for any pentester looking to assess the security of an Active Directory environment. As we progress through the course, we will explore more advanced techniques and tools to further enhance your skills in the world of pentesting.

Made by pablo guides
