kerberoast: Kerberos attack toolkit in Python
kerberoast
Kerberos attack toolkit -pure python-
Install
pip3 install kerberoast
Use
For the impatient
IMPORTANT: the accepted target URL formats for LDAP and Kerberos are the following:
<ldap_connection_url> : <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
<kerberos_connection_url>: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
Steps -with SSPI-: kerberoast auto <DC_ip>
Steps -SSPI not used-:
- Look for vulnerable users via LDAP
  kerberoast ldap all <ldap_connection_url> -o ldapenum
- Use ASREP roast against users in the ldapenum_asrep_users.txt file
  kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt
- Use SPN roast against users in the ldapenum_spn_users.txt file
  kerberoast spnroast <kerberos_connection_url> -t ldapenum_spn_users.txt
- Crack SPN roast and ASREP roast output with hashcat
Commands
ldap
This command group is for enumerating potentially vulnerable users via LDAP.
Command structure
kerberoast ldap <type> <ldap_connection_url> <options>
Type: It supports three types of users to be enumerated
- spn Enumerates users with the servicePrincipalName attribute set.
- asrep Enumerates users with the DONT_REQ_PREAUTH flag set in their UAC attribute.
- all Starts all the above-mentioned enumerations.
ldap_connection_url: Specifies the user credential and the target server in the msldap URL format (see help)
options:
-o: Output file base name
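An added example (not part of the kerberoast project) showing how a defender can check an exported account list for the same two conditions the ldap command enumerates, so the affected accounts can be reviewed. The record layout, sample accounts and function name are assumptions, and the export is assumed to contain user objects only.

```python
# Added example: audit a directory export for the two account conditions
# described above (servicePrincipalName set, DONT_REQ_PREAUTH set in UAC).
# Record layout, account names and audit_accounts() are hypothetical.

UF_ACCOUNTDISABLE = 0x0002           # userAccountControl bit: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit: DONT_REQ_PREAUTH

# Constructed sample rows, shaped like the result of an LDAP export.
SAMPLE_EXPORT = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 66048,
     "servicePrincipalName": ["MSSQLSvc/db01.example.corp:1433"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": "4260352",
     "servicePrincipalName": []},
    {"sAMAccountName": "old_svc", "userAccountControl": 4194818,  # disabled
     "servicePrincipalName": ["HTTP/old.example.corp"]},
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "servicePrincipalName": []},
]


def audit_accounts(records, include_disabled=False):
    """Return account names per condition: {'spn': [...], 'asrep': [...]}."""
    findings = {"spn": [], "asrep": []}
    for rec in records:
        # LDAP exports often carry numbers as strings, so normalise first.
        uac = int(rec.get("userAccountControl", 0))
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue  # disabled accounts cannot authenticate; skip by default
        name = rec["sAMAccountName"]
        if rec.get("servicePrincipalName"):
            # SPN on a user account: review password strength and rotation.
            findings["spn"].append(name)
        if uac & UF_DONT_REQUIRE_PREAUTH:
            # Pre-authentication disabled: re-enable it unless truly required.
            findings["asrep"].append(name)
    return findings


if __name__ == "__main__":
    for kind, names in audit_accounts(SAMPLE_EXPORT).items():
        print(kind, names)
```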
brute
This command performs username enumeration by brute-forcing the Kerberos service with possible username candidates.
Command structure
kerberoast brute <realm> <dc_ip> <targets> <options>
realm: The Kerberos realm usually looks like COMPANY.corp
dc_ip: IP or hostname of the domain controller
targets: Path to the file which contains the possible username candidates
options:
-o: Output file base name
asreproast
This command performs the ASREProast attack.
Command structure
kerberoast asreproast <dc_ip> <options>
dc_ip: IP or hostname of the domain controller
options:
-r: Specifies the Kerberos realm to be used. It overrides all other realm info.
-o: Output file base name
-t: Path to the file which contains the usernames to perform the attack on
-u: Specifies the user to perform the attack on. The format is either <username> or <username>@<realm>; in the first case, the -r option must be used to specify the realm.
spnroast
This command performs the SPNroast (AKA kerberoast) attack.
Command structure
kerberoast spnroast <kerberos_connection_url> <options>
kerberos_connection_url: Specifies the user credential and the target server in the Kerberos URL format (see help)
options:
-r: Specifies the Kerberos realm to be used. It overrides all other realm info.
-o: Output file base name
-t: Path to the file which contains the usernames to perform the attack on
-u: Specifies the user to perform the attack on. The format is either <username> or <username>@<realm>; in the first case, the -r option must be used to specify the realm.
Copyright (c) 2018 skelsec
Source: https://github.com/skelsec/