• Stars: 280
• Rank: 143,982 (Top 3 %)
• Language: Python
• License: GNU General Publi...
• Created almost 3 years ago
• Updated 4 months ago

Repository Details

Kerberoast with ACL abuse capabilities

targetedKerberoast

targetedKerberoast is a Python script that can, like many others (e.g. GetUserSPNs.py), print "kerberoast" hashes for user accounts that have an SPN set. This tool adds one feature: for each user without an SPN, it tries to set one (abusing a write permission on the servicePrincipalName attribute), prints the "kerberoast" hash, and deletes the temporary SPN that was set for that operation. This is called targeted Kerberoasting. The tool can be run against all users of a domain, against users supplied in a list, or against a single user supplied on the command line.
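The set, request, delete sequence described above leaves a recognisable trail in domain controller logs, and the following added example (not part of targetedKerberoast or its documentation) correlates it: an SPN value added to an account (event 5136), a service ticket issued for that account (event 4769), and the same SPN value deleted shortly after. The event dictionaries are constructed samples with simplified field names; the `sam` enrichment field and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

ADDED, DELETED = "%%14674", "%%14675"   # Event 5136 OperationType: Value Added / Value Deleted
WINDOW = timedelta(minutes=5)           # assumed correlation window; tune per environment

def _t(event):
    return datetime.fromisoformat(event["time"])

def find_transient_spn_roasts(events, window=WINDOW):
    """Return one finding per SPN that was added, ticketed, then deleted within `window`."""
    spn = [e for e in events
           if e["id"] == 5136 and e["attr"].lower() == "serviceprincipalname"]
    tickets = [e for e in events if e["id"] == 4769]
    findings = []
    for add in (e for e in spn if e["op"] == ADDED):
        for rm in spn:
            same = (rm["dn"], rm["value"].lower()) == (add["dn"], add["value"].lower())
            if rm["op"] != DELETED or not same:
                continue
            if not _t(add) <= _t(rm) <= _t(add) + window:
                continue
            # A service ticket for the modified account between the add and the delete
            hits = [t for t in tickets
                    if t["service"].lower() == add["sam"].lower()
                    and _t(add) <= _t(t) <= _t(rm)]
            if hits:
                findings.append({"account": add["sam"], "spn": add["value"],
                                 "modified_by": add["subject"], "etype": hits[0]["etype"],
                                 "ticket_requested_by": hits[0]["requester"]})
            break
    return findings

# Constructed sample events with simplified field names (not real logs).
# "sam" is an assumed enrichment: the sAMAccountName resolved from the 5136 ObjectDN.
DN = "CN={},OU=Staff,DC=corp,DC=example"
EVENTS = [
    {"id": 5136, "time": "2024-05-02T10:00:01", "subject": "helpdesk1", "dn": DN.format("Alice"),
     "sam": "alice", "attr": "servicePrincipalName", "value": "host/tmp-1", "op": ADDED},
    {"id": 4769, "time": "2024-05-02T10:00:02", "requester": "helpdesk1@CORP.EXAMPLE",
     "service": "alice", "etype": "0x17"},
    {"id": 5136, "time": "2024-05-02T10:00:03", "subject": "helpdesk1", "dn": DN.format("Alice"),
     "sam": "alice", "attr": "servicePrincipalName", "value": "host/tmp-1", "op": DELETED},
    # Benign: an SPN registered for a new service and left in place.
    {"id": 5136, "time": "2024-05-02T11:00:00", "subject": "admin1", "dn": DN.format("svc_web"),
     "sam": "svc_web", "attr": "servicePrincipalName", "value": "HTTP/web01.corp.example", "op": ADDED},
    {"id": 4769, "time": "2024-05-02T11:05:00", "requester": "bob@CORP.EXAMPLE",
     "service": "svc_web", "etype": "0x12"},
]
print(find_transient_spn_roasts(EVENTS))
```

Event 5136 is only logged when "Audit Directory Service Changes" is enabled and the user objects carry an auditing entry (SACL) for writes, and event 4769 requires "Audit Kerberos Service Ticket Operations".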

More information about this attack

Usage

This tool supports the following authentications

Among other things, targetedKerberoast supports multi-level verbosity: just append -v, -vv, ... to the command :)

usage: targetedKerberoast.py [-h] [-v] [-q] [-D TARGET_DOMAIN] [-U USERS_FILE] [--request-user username] [-o OUTPUT_FILE] [--use-ldaps] [--only-abuse] [--no-abuse] [--dc-ip ip address] [-d DOMAIN] [-u USER]
                             [-k] [--no-pass | -p PASSWORD | -H [LMHASH:]NTHASH | --aes-key hex key]

Queries target domain for SPNs that are running under a user account and operate targeted Kerberoasting

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         verbosity level (-v for verbose, -vv for debug)
  -q, --quiet           show no information at all
  -D TARGET_DOMAIN, --target-domain TARGET_DOMAIN
                        Domain to query/request if different than the domain of the user. Allows for Kerberoasting across trusts.
  -U USERS_FILE, --users-file USERS_FILE
                        File with user per line to test
  --request-user username
                        Requests TGS for the SPN associated to the user specified (just the username, no domain needed)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        Output filename to write ciphers in JtR/hashcat format
  --use-ldaps           Use LDAPS instead of LDAP
  --only-abuse          Ignore accounts that already have an SPN and focus on targeted Kerberoasting
  --no-abuse            Don't attempt targeted Kerberoasting

authentication & connection:
  --dc-ip ip address    IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
  -d DOMAIN, --domain DOMAIN
                        (FQDN) domain to authenticate to
  -u USER, --user USER  user to authenticate with

secrets:
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the
                        command line
  --no-pass             don't ask for password (useful for -k)
  -p PASSWORD, --password PASSWORD
                        password to authenticate with
  -H [LMHASH:]NTHASH, --hashes [LMHASH:]NTHASH
                        NT/LM hashes, format is LMhash:NThash
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)

Below is an example of what the tool can do.

Credits and references

Credits to the whole team behind Impacket and its contributors.
