Kali Linux

Kerberoast : Kerberoast Attack -Pure Python-

Kerberoast attack toolkit -pure python

Install

pip3 install kerberoast

Prerequirements

Python 3.6 See requirements.txt

For the impatient

IMPORTANT: the accepted target url formats for LDAP and Kerberos are the following
<ldap_connection_url> : <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
<kerberos_connection_url><protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>

Steps -with SSPI-: kerberoast auto <DC_ip>

Steps -SSPI not used-:

  • Look for vulnerable users via LDAP
    kerberoast ldap all <ldap_connection_url> -o ldapenum
  • Use ASREP roast against users in the ldapenum_asrep_users.txt file
    kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt
  • Use SPN roast against users in the ldapenum_spn_users.txt file
    kerberoast spnroast <kerberos_connection_url> -t ldapenum_spn_users.txt
  • Crack SPN roast and ASPREP roast output with hashcat

Commands

ldap

This command group is for enumerating potentially vulnerable users via LDAP.

Command structure

    kerberoast ldap <type> <ldap_connection_url> <options>

Type: It supports three types of users to be enumerated

  • spn Enumerates users with servicePrincipalName attribute set.
  • asrep Enumerates users with DONT_REQ_PREAUTH flag set in their UAC attribute.
  • all Startes all the above mentioned enumerations.

ldap_connection_url: Specifies the usercredential and the target server in the msldap url format (see help)

options:
    -o
: Output file base name

brute

This command is to perform username enumeration by brute-forcing the kerberos service with possible username candidates

Command structure

    kerberoast brute <realm> <dc_ip> <targets> <options>

realm: The kerberos realm usually looks like COMPANY.corp
dc_ip: IP or hostname of the domain controller
targets: Path to the file which contains the possible username candidates
options:
    -o: Output file base name

asreproast

This command is to perform ASREProast attack

Command structure

    kerberoast asreproast <dc_ip> <options>

dc_ip: IP or hostname of the domain controller
options:
    -r: Specifies the kerberos realm to be used. It overrides all other realm info.
    -o: Output file base name
    -t: Path to the file which contains the usernames to perform the attack on
    -u: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm> but in the first case, the -r option must be used to specify the realm

spnroast

This command is to perform SPNroast (AKA kerberoast) attack.

Command structure

    kerberoast spnroast <kerberos_connection_url> <options>

kerberos_connection_url: Specifies the usercredential and the target server in the kerberos URL format (see help)

options:
    -r: Specifies the kerberos realm to be used. It overrides all other realm info.
    -o: Output file base name
    -t: Path to the file which contains the usernames to perform the attack on
    -u: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm> but in the first case, the -r option must be used to specify the realm

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

11 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

11 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

2 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago