mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 22:24:56 +03:00
mukul975
5.3 KiB
5.3 KiB
Workflows: Kerberoasting with Impacket
Kerberoasting Attack Workflow
┌─────────────────────────────────────────────────────────────────┐
│ KERBEROASTING ATTACK WORKFLOW │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. ENUMERATE SPN ACCOUNTS │
│ ├── GetUserSPNs.py (list mode, no -request) │
│ ├── Identify high-value targets (DA members, AdminCount) │
│ ├── Check password age (older = weaker) │
│ └── Prioritize targets │
│ │
│ 2. REQUEST TGS TICKETS │
│ ├── GetUserSPNs.py -request -outputfile hashes.txt │
│ ├── Target specific high-value accounts first │
│ ├── Request RC4 tickets if possible (faster cracking) │
│ └── OPSEC: Space out requests to avoid detection │
│ │
│ 3. OFFLINE CRACKING │
│ ├── hashcat -m 13100 (RC4) or -m 19700 (AES256) │
│ ├── Use quality wordlists (rockyou, SecLists) │
│ ├── Apply rules (best64, dive, OneRuleToRuleThemAll) │
│ └── Use GPU acceleration for faster results │
│ │
│ 4. VALIDATE CREDENTIALS │
│ ├── CrackMapExec SMB validation │
│ ├── Check access levels (local admin, domain admin) │
│ ├── Enumerate additional access paths │
│ └── Document findings │
│ │
│ 5. LEVERAGE ACCESS │
│ ├── If Domain Admin: DCSync / Golden Ticket │
│ ├── If Local Admin: Dump LSASS, pivot laterally │
│ ├── If standard user: Use for further enumeration │
│ └── Update BloodHound with newly owned accounts │
│ │
└─────────────────────────────────────────────────────────────────┘
Target Prioritization Matrix
Priority Decision Tree
│
├── Is account in Domain Admins group?
│ └── YES → CRITICAL priority → Crack immediately
│
├── Is AdminCount = 1?
│ └── YES → HIGH priority → Currently or previously privileged
│
├── Password last set > 2 years ago?
│ └── YES → HIGH priority → Likely weak/legacy password
│
├── Is account AdminTo any computers?
│ └── YES → MEDIUM priority → Lateral movement opportunity
│
├── Account description contains password hint?
│ └── YES → HIGH priority → Common OPSEC failure
│
└── Standard service account
└── LOW priority → Crack opportunistically
Hashcat Command Reference
# Basic Kerberoasting crack (RC4)
hashcat -m 13100 hashes.txt wordlist.txt
# With rules
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule
# Multiple wordlists with rules
hashcat -m 13100 hashes.txt wordlist1.txt wordlist2.txt \
-r rules/OneRuleToRuleThemAll.rule
# AES-256 cracking
hashcat -m 19700 hashes.txt wordlist.txt -r rules/best64.rule
# Brute force (8 chars)
hashcat -m 13100 hashes.txt -a 3 ?a?a?a?a?a?a?a?a
# Show cracked passwords
hashcat -m 13100 hashes.txt --show
Detection and Response Workflow
SOC DETECTION WORKFLOW
│
├── SIEM Alert: Multiple 4769 events with RC4 encryption
│ ├── Check source account - is it a service account?
│ │ └── NO → Potential Kerberoasting
│ ├── Check volume - more than 5 TGS requests in 5 minutes?
│ │ └── YES → High confidence Kerberoasting
│ └── Check encryption type - 0x17 (RC4)?
│ └── YES → Confirm Kerberoasting attempt
│
├── RESPONSE ACTIONS
│ ├── Identify source IP and user account
│ ├── Isolate source system if compromised
│ ├── Reset passwords on all targeted service accounts
│ ├── Check for lateral movement from source
│ └── Review service account permissions
│
└── POST-INCIDENT
├── Implement gMSA for targeted accounts
├── Disable RC4 encryption via GPO
├── Deploy Kerberoasting detection rule
└── Conduct AD security assessment