mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 13:39:40 +03:00
c47eed6a64
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
3.3 KiB
3.3 KiB
name, description, domain, subdomain, tags, version, author, license
| name | description | domain | subdomain | tags | version | author | license | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| performing-kerberoasting-attack | Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names | cybersecurity | red-teaming |
|
1.0 | mahipal | Apache-2.0 |
Performing Kerberoasting Attack
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Overview
Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs) set. These tickets are encrypted with the service account's NTLM hash, allowing offline brute-force cracking without generating failed login events. It is one of the most common privilege escalation paths in AD environments because any domain user can request TGS tickets.
MITRE ATT&CK Mapping
- T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
- T1087.002 - Account Discovery: Domain Account
- T1069.002 - Permission Groups Discovery: Domain Groups
Workflow
Phase 1: SPN Enumeration
- Enumerate accounts with SPNs using LDAP queries
- Filter for user accounts (not computer accounts)
- Identify accounts with elevated privileges (adminCount=1)
- Prioritize accounts with weak password policies
Phase 2: TGS Ticket Request
- Request TGS tickets for identified SPN accounts
- Extract ticket data in crackable format (hashcat/john compatible)
- Ensure RC4 encryption is requested when possible (easier to crack)
- Document all requested tickets
Phase 3: Offline Cracking
- Use hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) for RC4 tickets
- Use hashcat mode 19700 (Kerberos 5 TGS-REP etype 17) for AES-128
- Use hashcat mode 19800 (Kerberos 5 TGS-REP etype 18) for AES-256
- Apply targeted wordlists and rules based on password policy
Phase 4: Credential Validation
- Validate cracked credentials against domain
- Assess access level of compromised accounts
- Map accounts to BloodHound attack paths
- Document for engagement report
Tools and Resources
| Tool | Purpose | Platform |
|---|---|---|
| Rubeus | Kerberoasting and ticket manipulation | Windows (.NET) |
| Impacket GetUserSPNs.py | Remote Kerberoasting | Linux/Python |
| PowerView | SPN enumeration | Windows (PowerShell) |
| hashcat | Offline password cracking | Cross-platform |
| John the Ripper | Offline password cracking | Cross-platform |
Detection Indicators
- Event ID 4769: Kerberos Service Ticket Request with RC4 encryption (0x17)
- Anomalous TGS requests from a single account in short timeframe
- TGS requests for services the user normally does not access
- Honeypot SPN accounts with alerting on ticket requests
Validation Criteria
- SPN accounts enumerated and documented
- TGS tickets extracted in crackable format
- Offline cracking attempted with appropriate wordlists
- Cracked credentials validated
- Access level of compromised accounts assessed