


Kerberos attack toolkit -pure python- 

Install

pip3 install kerberoast

Prerequisites

Python 3.6. See requirements.txt

For the impatient

IMPORTANT: the accepted target URL formats for LDAP and Kerberos are the following
<ldap_connection_url> : <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
<kerberos_connection_url>: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>

Steps -with SSPI-:
    kerberoast auto <DC_ip>

Steps -SSPI not used-:

  1. Look for vulnerable users via LDAP
    kerberoast ldap all <ldap_connection_url> -o ldapenum
  2. Use ASREP roast against users in the ldapenum_asrep_users.txt file
    kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt
  3. Use SPN roast against users in the ldapenum_spn_users.txt file
    kerberoast spnroast <kerberos_connection_url> -t ldapenum_spn_users.txt
  4. Crack SPN roast and ASREP roast output with hashcat

Commands

ldap

This command group is for enumerating potentially vulnerable users via LDAP.

Command structure

    kerberoast ldap <type> <ldap_connection_url> <options>

type: Three types of users can be enumerated

  1. spn Enumerates users with the servicePrincipalName attribute set.
  2. asrep Enumerates users with the DONT_REQ_PREAUTH flag set in their UAC attribute.
  3. all Starts all of the above enumerations.

ldap_connection_url: Specifies the user credential and the target server in the msldap URL format (see help)

options:
    -o: Output file base name
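
The two conditions this command enumerates can also be audited offline from a directory export, so exposed accounts are found and fixed first. The following is an added example, not part of the kerberoast project; the record layout, the sample accounts and the choice to skip disabled and machine accounts are assumptions.

```python
UF_ACCOUNTDISABLE = 0x0002
UF_MACHINE = 0x1000 | 0x2000      # workstation / domain controller trust accounts
UF_DONT_REQ_PREAUTH = 0x400000    # Kerberos pre-authentication not required

# Constructed LDIF-style export; accounts and values are illustrative only.
SAMPLE_LDIF = """\
sAMAccountName: svc-sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/db01.example.corp:1433

sAMAccountName: legacy-app
userAccountControl: 4260352

sAMAccountName: WS01$
userAccountControl: 4096
servicePrincipalName: HOST/ws01.example.corp

sAMAccountName: old-svc
userAccountControl: 514
servicePrincipalName: HTTP/old.example.corp
"""

def parse_ldif(text):
    """Parse blank-line separated 'attr: value' records into dicts of lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return entries

def audit(entries):
    """Return {account: [findings]} for enabled user accounts only."""
    report = {}
    for e in entries:
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if uac & (UF_ACCOUNTDISABLE | UF_MACHINE):
            continue  # assumption: disabled and machine accounts are out of scope
        findings = []
        if e.get("serviceprincipalname"):
            findings.append("servicePrincipalName set")
        if uac & UF_DONT_REQ_PREAUTH:
            findings.append("DONT_REQ_PREAUTH set")
        if findings:
            report[e["samaccountname"][0]] = findings
    return report

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

Accounts reported with servicePrincipalName set should carry long random passwords or be moved to group managed service accounts, and accounts reported with DONT_REQ_PREAUTH set should have pre-authentication re-enabled.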

brute

This command performs username enumeration by brute-forcing the Kerberos service with possible username candidates.

Command structure

    kerberoast brute <realm> <dc_ip> <targets> <options>

realm: The Kerberos realm, which usually looks like COMPANY.corp
dc_ip: IP or hostname of the domain controller
targets: Path to the file which contains the possible username candidates
options:
    -o: Output file base name

asreproast

This command performs the ASREProast attack.

Command structure

    kerberoast asreproast <dc_ip> <options>

dc_ip: IP or hostname of the domain controller
options:
    -r: Specifies the Kerberos realm to be used. It overrides all other realm information.
    -o: Output file base name
    -t: Path to the file which contains the usernames to perform the attack on
    -u: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm>, but in the first case the -r option must be used to specify the realm

spnroast

This command performs the SPNroast (AKA kerberoast) attack.

Command structure

    kerberoast spnroast <kerberos_connection_url> <options>

kerberos_connection_url: Specifies the user credential and the target server in the Kerberos URL format (see help)

options:
    -r: Specifies the Kerberos realm to be used. It overrides all other realm information.
    -o: Output file base name
    -t: Path to the file which contains the usernames to perform the attack on
    -u: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm>, but in the first case the -r option must be used to specify the realm



