About the developer

skelsec
174 Stars 37 Forks MIT License 42 Commits 0 Opened issues

Description

Kerberoast attack -pure python-

kerberoast

Kerberos attack toolkit -pure python-

Install

pip3 install kerberoast

Prerequisites

Python 3.6. See requirements.txt

For the impatient

IMPORTANT: the accepted target url formats for LDAP and Kerberos are the following

 : 
+://\:@/?=

: 
+://\:@/?=

Steps -with SSPI-:

kerberoast auto 

Steps -SSPI not used-:

1. Look for vulnerable users via LDAP

    kerberoast ldap all <ldap_connection_url> -o ldapenum

2. Use ASREP roast against users in the ldapenum_asrep_users.txt file

    kerberoast asreproast <dc_ip> -t ldapenum_asrep_users.txt

3. Use SPN roast against users in the ldapenum_spn_users.txt file

    kerberoast spnroast <kerberos_connection_url> -t ldapenum_spn_users.txt

4. Crack SPN roast and ASREP roast output with hashcat

Commands

ldap

This command group is for enumerating potentially vulnerable users via LDAP.

Command structure

    kerberoast ldap <type> <ldap_connection_url> <options>

type: It supports three types of users to be enumerated
    1. spn: Enumerates users with the servicePrincipalName attribute set.
    2. asrep: Enumerates users with the DONT_REQ_PREAUTH flag set in their UAC attribute.
    3. all: Starts all the above mentioned enumerations.
ldap_connection_url: Specifies the user credential and the target server in the msldap URL format (see help)
options:
    -o: Output file base name
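
The two conditions this command group enumerates can also be audited from the defender's side. The following is an added example, not code from the kerberoast project: it classifies already-exported user entries by the servicePrincipalName attribute and the DONT_REQ_PREAUTH bit of userAccountControl, and additionally checks msDS-SupportedEncryptionTypes. The sample entries, account names and finding strings are constructed for illustration.

```python
# Added example (not part of the kerberoast project). Entries are constructed sample data.
UF_DONT_REQ_PREAUTH = 0x00400000  # userAccountControl bit: Kerberos pre-auth not required
ENC_DES_RC4 = 0x01 | 0x02 | 0x04  # msDS-SupportedEncryptionTypes: DES-CRC, DES-MD5, RC4-HMAC
ENC_AES = 0x08 | 0x10             # msDS-SupportedEncryptionTypes: AES128, AES256

ASREP = "asrep: pre-authentication disabled, re-enable it"
SPN_WEAK = "spn: encryption types not restricted to AES"
SPN_AES = "spn: AES only, keep a long random password"

SAMPLE_ENTRIES = [  # constructed; attribute values are strings, as LDAP returns them
    {"sAMAccountName": "alice", "userAccountControl": "512"},
    {"sAMAccountName": "legacy_app", "userAccountControl": "4194816"},
    {"sAMAccountName": "svc_sql", "userAccountControl": "512",
     "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "svc_web", "userAccountControl": "66048",
     "servicePrincipalName": ["HTTP/web01.example.test"],
     "msDS-SupportedEncryptionTypes": "24"},
    {"sAMAccountName": "svc_backup", "userAccountControl": "4194816",
     "servicePrincipalName": ["backup/bk01.example.test"],
     "msDS-SupportedEncryptionTypes": "4"},
]

def audit_entry(entry):
    """Return the findings for one user entry; an empty list means neither condition applies."""
    findings = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & UF_DONT_REQ_PREAUTH:
        findings.append(ASREP)
    if entry.get("servicePrincipalName"):
        # An unset or zero attribute does not restrict the ticket encryption type.
        enc = int(entry.get("msDS-SupportedEncryptionTypes") or 0)
        aes_only = bool(enc & ENC_AES) and not enc & ENC_DES_RC4
        findings.append(SPN_AES if aes_only else SPN_WEAK)
    return findings

def audit(entries):
    """Map sAMAccountName to findings, skipping entries with none."""
    report = {}
    for entry in entries:
        findings = audit_entry(entry)
        if findings:
            report[entry["sAMAccountName"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENTRIES).items():
        print(name, "->", "; ".join(findings))
```
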

brute

This command performs username enumeration by brute-forcing the Kerberos service with possible username candidates.

Command structure

    kerberoast brute <realm> <dc_ip> <targets> <options>

realm: The Kerberos realm, which usually looks like COMPANY.corp
dc_ip: IP or hostname of the domain controller
targets: Path to the file which contains the possible username candidates
options:
    -o: Output file base name

asreproast

This command performs the ASREProast attack.

Command structure

    kerberoast asreproast <dc_ip> <options>

dc_ip: IP or hostname of the domain controller
options:
    -r: Specifies the kerberos realm to be used. It overrides all other realm info.
    -o: Output file base name
    -t: Path to the file which contains the usernames to perform the attack on
    -u: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm> but in the first case, the -r option must be used to specify the realm

spnroast

This command performs the SPNroast (AKA kerberoast) attack.

Command structure

    kerberoast spnroast <kerberos_connection_url> <options>

kerberos_connection_url: Specifies the user credential and the target server in the Kerberos URL format (see help)

options:
    -r: Specifies the kerberos realm to be used. It overrides all other realm info.
    -o: Output file base name
    -t: Path to the file which contains the usernames to perform the attack on
    -u: Specifies the user to perform the attack on. Format is either <username> or <username>@<realm> but in the first case, the -r option must be used to specify the realm
