Kerberos attack toolkit -pure python-
Install
    pip3 install kerberoast
Prerequisites
Python 3.6
See requirements.txt
For the impatient
IMPORTANT: the accepted target URL formats for LDAP and Kerberos are the following
<ldap_connection_url>
: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
<kerberos_connection_url>
: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
Steps -with SSPI-:
    kerberoast auto <DC_ip>
Steps -SSPI not used-:
- Look for vulnerable users via LDAP
    kerberoast ldap all <ldap_connection_url> -o ldapenum
- Use ASREP roast against users in the ldapenum_asrep_users.txt file
    kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt
- Use SPN roast against users in the ldapenum_spn_users.txt file
    kerberoast spnroast <kerberos_connection_url> -t ldapenum_spn_users.txt
- Crack SPN roast and ASREP roast output with hashcat
Commands
ldap
This command group is for enumerating potentially vulnerable users via LDAP.
Command structure
    kerberoast ldap <type> <ldap_connection_url> <options>
type
: It supports three types of users to be enumerated
spn
: Enumerates users with the servicePrincipalName attribute set.
asrep
: Enumerates users with the DONT_REQ_PREAUTH flag set in their UAC attribute.
all
: Starts all of the above mentioned enumerations.
ldap_connection_url
: Specifies the user credential and the target server in the msldap URL format (see help)
options
:
    -o
: Output file base name
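The two conditions the ldap command enumerates can also be checked by a defender against an export of their own directory. The following is an added example, not part of the kerberoast project: the record layout (dicts keyed by LDAP attribute name), the function names and the sample accounts are assumptions constructed for illustration, and skipping disabled accounts is a choice made here.

```python
# Added example: audit a directory export for the two account conditions
# the ldap command enumerates. Record layout and names are assumptions.
UAC_ACCOUNTDISABLE = 0x00000002    # userAccountControl: account is disabled
UAC_DONT_REQ_PREAUTH = 0x00400000  # userAccountControl: preauth not required


def classify_account(entry):
    """Return the set of exposures ('spn', 'asrep') for one user record."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & UAC_ACCOUNTDISABLE:
        return set()  # this audit skips disabled accounts (example's choice)
    findings = set()
    spns = entry.get("servicePrincipalName") or []
    if isinstance(spns, str):  # single-valued exports may arrive as a string
        spns = [spns]
    if any(s.strip() for s in spns):
        findings.add("spn")    # user account with an SPN: SPN roast exposure
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.add("asrep")  # preauth disabled: ASREP roast exposure
    return findings


def audit(entries):
    """Map sAMAccountName -> sorted exposures, omitting clean accounts."""
    report = {}
    for entry in entries:
        findings = classify_account(entry)
        if findings:
            report[entry["sAMAccountName"]] = sorted(findings)
    return report


# Constructed sample export (not real accounts).
SAMPLE = [
    {"sAMAccountName": "svc_sql", "userAccountControl": "66048",
     "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": "4260352"},
    {"sAMAccountName": "old_svc", "userAccountControl": "514",
     "servicePrincipalName": "HTTP/old.example.test"},
    {"sAMAccountName": "alice", "userAccountControl": "512"},
    {"sAMAccountName": "svc_both", "userAccountControl": 4194816,
     "servicePrincipalName": ["HTTP/app.example.test"]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```

Accounts reported as spn are candidates for long random passwords or managed service accounts; accounts reported as asrep should have preauthentication re-enabled unless a documented dependency requires otherwise.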
brute
This command performs username enumeration by brute-forcing the Kerberos service with possible username candidates
Command structure
    kerberoast brute <realm> <dc_ip> <targets> <options>
realm
: The Kerberos realm, usually looks like COMPANY.corp
dc_ip
: IP or hostname of the domain controller
targets
: Path to the file which contains the possible username candidates
options
:
    -o
: Output file base name
asreproast
This command is to perform ASREProast attack
Command structure
    kerberoast asreproast <dc_ip> <options>
dc_ip
: IP or hostname of the domain controller
options
:
    -r
: Specifies the Kerberos realm to be used. It overrides all other realm info.
    -o
: Output file base name
    -t
: Path to the file which contains the usernames to perform the attack on
    -u
: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm>, but in the first case the -r option should be used to specify the realm
spnroast
This command is to perform SPNroast (AKA kerberoast) attack.
Command structure
    kerberoast spnroast <kerberos_connection_url> <options>
kerberos_connection_url
: Specifies the user credential and the target server in the Kerberos URL format (see help)
options
:
    -r
: Specifies the Kerberos realm to be used. It overrides all other realm info.
    -o
: Output file base name
    -t
: Path to the file which contains the usernames to perform the attack on
    -u
: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm>, but in the first case the -r option should be used to specify the realm