creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-15 23:44:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/exploiting-kerberoasting-with-impacket/references/workflows.md
T

116 lines
5.3 KiB
Markdown
Raw Blame History

# Workflows: Kerberoasting with Impacket
## Kerberoasting Attack Workflow
```
┌─────────────────────────────────────────────────────────────────┐
│ KERBEROASTING ATTACK WORKFLOW │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. ENUMERATE SPN ACCOUNTS │
│ ├── GetUserSPNs.py (list mode, no -request) │
│ ├── Identify high-value targets (DA members, AdminCount) │
│ ├── Check password age (older = weaker) │
│ └── Prioritize targets │
│ │
│ 2. REQUEST TGS TICKETS │
│ ├── GetUserSPNs.py -request -outputfile hashes.txt │
│ ├── Target specific high-value accounts first │
│ ├── Request RC4 tickets if possible (faster cracking) │
│ └── OPSEC: Space out requests to avoid detection │
│ │
│ 3. OFFLINE CRACKING │
│ ├── hashcat -m 13100 (RC4) or -m 19700 (AES256) │
│ ├── Use quality wordlists (rockyou, SecLists) │
│ ├── Apply rules (best64, dive, OneRuleToRuleThemAll) │
│ └── Use GPU acceleration for faster results │
│ │
│ 4. VALIDATE CREDENTIALS │
│ ├── CrackMapExec SMB validation │
│ ├── Check access levels (local admin, domain admin) │
│ ├── Enumerate additional access paths │
│ └── Document findings │
│ │
│ 5. LEVERAGE ACCESS │
│ ├── If Domain Admin: DCSync / Golden Ticket │
│ ├── If Local Admin: Dump LSASS, pivot laterally │
│ ├── If standard user: Use for further enumeration │
│ └── Update BloodHound with newly owned accounts │
│ │
└─────────────────────────────────────────────────────────────────┘
```
## Target Prioritization Matrix
```
Priority Decision Tree
├── Is account in Domain Admins group?
│ └── YES → CRITICAL priority → Crack immediately
├── Is AdminCount = 1?
│ └── YES → HIGH priority → Currently or previously privileged
├── Password last set > 2 years ago?
│ └── YES → HIGH priority → Likely weak/legacy password
├── Is account AdminTo any computers?
│ └── YES → MEDIUM priority → Lateral movement opportunity
├── Account description contains password hint?
│ └── YES → HIGH priority → Common OPSEC failure
└── Standard service account
└── LOW priority → Crack opportunistically
```
## Hashcat Command Reference
```bash
# Basic Kerberoasting crack (RC4)
hashcat -m 13100 hashes.txt wordlist.txt
# With rules
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule
# Multiple wordlists with rules
hashcat -m 13100 hashes.txt wordlist1.txt wordlist2.txt \
-r rules/OneRuleToRuleThemAll.rule
# AES-256 cracking
hashcat -m 19700 hashes.txt wordlist.txt -r rules/best64.rule
# Brute force (8 chars)
hashcat -m 13100 hashes.txt -a 3 ?a?a?a?a?a?a?a?a
# Show cracked passwords
hashcat -m 13100 hashes.txt --show
```
## Detection and Response Workflow
```
SOC DETECTION WORKFLOW
├── SIEM Alert: Multiple 4769 events with RC4 encryption
│ ├── Check source account - is it a service account?
│ │ └── NO → Potential Kerberoasting
│ ├── Check volume - more than 5 TGS requests in 5 minutes?
│ │ └── YES → High confidence Kerberoasting
│ └── Check encryption type - 0x17 (RC4)?
│ └── YES → Confirm Kerberoasting attempt
├── RESPONSE ACTIONS
│ ├── Identify source IP and user account
│ ├── Isolate source system if compromised
│ ├── Reset passwords on all targeted service accounts
│ ├── Check for lateral movement from source
│ └── Review service account permissions
└── POST-INCIDENT
├── Implement gMSA for targeted accounts
├── Disable RC4 encryption via GPO
├── Deploy Kerberoasting detection rule
└── Conduct AD security assessment
```
Reference in New Issue View Git Blame Copy Permalink