🧢Crack SQL Server's password with Kerberoasting
We can see that svcadmin, which is a domain administrator, has an SPN set, so we can Kerberoast it.
SPN (Service Principal Name): An SPN is a unique identifier for a service instance. It is used in Kerberos authentication to associate a service instance with a service logon account. When a service account like `svcadmin` has an SPN set, it means this account is registered to run a particular service.

Kerberoasting: This is an attack technique used in Windows environments where an attacker requests a Kerberos service ticket for a service account (which has an SPN set). The ticket is encrypted with the service account's password hash. The attacker can then extract this ticket and attempt to crack the password hash offline. If the password is weak or guessable, the attacker can obtain the service account's password, potentially leading to further compromise of the domain.
Steps Involved in Kerberoasting

1. Identify Accounts with SPNs: Use tools like `GetUserSPNs.py` from the Impacket suite, or PowerShell commands, to list accounts with SPNs.
2. Request Kerberos Ticket: Use a tool like `Request-SPNTicket` in PowerShell or `GetUserSPNs.py` to request a service ticket for the identified account.
3. Extract the Ticket: Extract the service ticket from memory or the ticket cache.
4. Crack the Ticket: Use tools like Hashcat or John the Ripper to crack the password hash contained in the service ticket.
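On the defender's side, step 2 leaves a trace: every service ticket request is logged as Windows Security Event ID 4769, and roasting tools typically ask for RC4-encrypted tickets (encryption type 0x17) for many service accounts in a short burst. The following added example (not part of the original page) shows that detection logic over a constructed handful of 4769 records; the field tuples and the 5-minute window are assumptions made for illustration.

```python
"""Flag likely Kerberoasting from (constructed) Event ID 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event 4769 fields:
# (timestamp, client IP, requesting account, service name, ticket encryption type)
SAMPLE_4769 = [
    ("2024-01-10T09:00:01", "10.0.0.5", "jdoe", "svcadmin", "0x17"),
    ("2024-01-10T09:00:02", "10.0.0.5", "jdoe", "sqlsvc", "0x17"),
    ("2024-01-10T09:00:03", "10.0.0.5", "jdoe", "websvc", "0x17"),
    ("2024-01-10T09:05:00", "10.0.0.9", "asmith", "fileserver$", "0x12"),
    ("2024-01-10T10:00:00", "10.0.0.7", "bob", "svcadmin", "0x12"),
]

# RC4-HMAC ticket encryption types; AES tickets (0x11/0x12) are far harder to crack.
RC4_ETYPES = {"0x17", "0x18"}


def find_kerberoast_suspects(events, window=timedelta(minutes=5), min_services=2):
    """Return {(user, ip): sorted service names} for clients that requested RC4
    tickets for at least `min_services` distinct user service accounts inside
    any `window`-long span. Machine accounts (ending in '$') are ignored because
    their random passwords are not realistically crackable."""
    per_client = defaultdict(list)
    for ts, ip, user, svc, etype in events:
        if etype not in RC4_ETYPES or svc.endswith("$"):
            continue
        per_client[(user, ip)].append((datetime.fromisoformat(ts), svc))

    suspects = {}
    for key, reqs in per_client.items():
        reqs.sort()  # chronological order so the sliding window below is valid
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                suspects[key] = sorted(in_window)
                break
    return suspects


if __name__ == "__main__":
    for (user, ip), services in find_kerberoast_suspects(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user} from {ip}: {services}")
```

Tuning note: the same SPN-holding accounts should also be reviewed for AES-only Kerberos settings and long, random passwords (or moved to group managed service accounts), which removes the weak-password condition the cracking step depends on.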
Let's start by using argsplit to encode "kerberoast" and launch this command ->
If we then open the hashes file ->
But before launching John the Ripper, we need to remove the 1433 part in the txt file ->
Then we can launch john: