Kerberoast attack toolkit -pure python
Install
pip3 install kerberoast
Prerequirements
Python 3.6 See requirements.txt
IMPORTANT: the accepted target url formats for LDAP and Kerberos are the following<ldap_connection_url>
: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
<kerberos_connection_url>
: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
Steps -with SSPI-: kerberoast auto <DC_ip>
Steps -SSPI not used-:
kerberoast ldap all <ldap_connection_url> -o ldapenum
ldapenum_asrep_users.txt
filekerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt
ldapenum_spn_users.txt
filekerberoast spnroast <kerberos_connection_url> -t ldapenum_spn_users.txt
This command group is for enumerating potentially vulnerable users via LDAP.
kerberoast ldap <type> <ldap_connection_url> <options>
Type
: It supports three types of users to be enumerated
spn
Enumerates users with servicePrincipalName
attribute set.asrep
Enumerates users with DONT_REQ_PREAUTH
flag set in their UAC attribute.all
Startes all the above mentioned enumerations.ldap_connection_url
: Specifies the usercredential and the target server in the msldap url format (see help)
options
:
-o
: Output file base name
This command is to perform username enumeration by brute-forcing the kerberos service with possible username candidates
kerberoast brute <realm> <dc_ip> <targets> <options>
realm
: The kerberos realm usually looks like COMPANY.corp
dc_ip
: IP or hostname of the domain controllertargets
: Path to the file which contains the possible username candidatesoptions
:
-o
: Output file base name
This command is to perform ASREProast attack
kerberoast asreproast <dc_ip> <options>
dc_ip
: IP or hostname of the domain controlleroptions
:
-r
: Specifies the kerberos realm to be used. It overrides all other realm info.
-o
: Output file base name
-t
: Path to the file which contains the usernames to perform the attack on
-u
: Specifies the user to perform the attack on. Format is either <username>
or <username>@<realm>
but in the first case, the -r
option must be used to specify the realm
This command is to perform SPNroast (AKA kerberoast) attack.
kerberoast spnroast <kerberos_connection_url> <options>
kerberos_connection_url
: Specifies the usercredential and the target server in the kerberos URL format (see help)
options
:
-r
: Specifies the kerberos realm to be used. It overrides all other realm info.
-o
: Output file base name
-t
: Path to the file which contains the usernames to perform the attack on
-u
: Specifies the user to perform the attack on. Format is either <username>
or <username>@<realm>
but in the first case, the -r
option must be used to specify the realm
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…