Skip to content

Luct0r/KerberOPSEC

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

35 Commits
KerberOPSEC
KerberOPSEC
 
 
KerberOPSEC.sln
KerberOPSEC.sln
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

KerberOPSEC

I came across an article (Kerberoasting With OPSEC) talking about some of the ways Kerberoasting gets detected and how to potentially avoid making such common mistakes.

Chief among them were LDAP queries that search the entire domain for accounts with an SPN, requesting too many tickets at once, and/or not taking care to look at key user attributes indicating a honeypot account.

So I thought it would be cool to write this in C# to help myself learn some coding and who knows, maybe it will come in handy one day.

Usage

C:\>KerberOPSEC.exe -h

-GetDN                                  : Retreives current domain Distinguished Name
-ListOUs <DomainDistinguishedName>      : Lists all OUs in the domain
-CheckOU <OUDistinguishedName>          : Checks an OU for sub-OUs, Groups, and Users
-CheckGroup <GroupDistinguishedName>    : Checks a Group for Users
-CheckSPN <UserDistinguishedName>       : Checks an account for an SPN and shows OPSEC info
-GetSPN <UserDistinguishedName> <SPN>   : Retreives hash for specified SPN

C:\>KerberOPSEC.exe -GetDN

Distinguished Name:

---> DC=contoso,DC=local

C:\>KerberOPSEC.exe -ListOUs "DC=contoso,DC=local"

OUs:

---> OU=Domain Controllers,DC=contoso,DC=local
---> OU=SERVERS,DC=contoso,DC=local
---> OU=WORKSTATIONS,DC=contoso,DC=local
---> OU=USERS,DC=contoso,DC=local
---> OU=IT,OU=USERS,DC=contoso,DC=local

C:\>KerberOPSEC.exe -CheckOU "OU=IT,OU=USERS,DC=contoso,DC=local"

OUs:


Groups:

---> CN=Admins,OU=IT,OU=USERS,DC=contoso,DC=local
---> CN=HelpDesk,OU=IT,OU=USERS,DC=contoso,DC=local

Users:

---> CN=SQLUser,OU=IT,OU=USERS,DC=contoso,DC=local

C:\>KerberOPSEC.exe -CheckGroup "CN=Admins,OU=IT,OU=USERS,DC=contoso,DC=local"

Users:

---> CN=Mark,OU=CORP USERS,DC=contoso,DC=local

C:\>KerberOPSEC.exe -CheckSPN "CN=Mark,OU=USERS,DC=contoso,DC=local"

---> No SPN found for mark@contoso.local

C:\>KerberOPSEC.exe -CheckGroup "CN=HelpDesk,OU=IT,OU=USERS,DC=contoso,DC=local"

Users:

---> CN=Ryan,OU=USERS,DC=contoso,DC=local

C:\>KerberOPSEC.exe -CheckSPN "CN=Ryan,OU=USERS,DC=contoso,DC=local"

---> No SPN found for ryan@contoso.local

C:\>KerberOPSEC.exe -CheckSPN "CN=SQLUser,OU=IT,OU=USERS,DC=contoso,DC=local"

User Attributes:

---> sAMAccountName                : sqluser
---> Description                   : MSSQL
---> servicePrincipalName          : MSSQLSvc/FileSRV:1433
---> whenCreated                   : 1/8/2021 4:52:54 AM
---> whenChanged                   : 1/10/2022 8:29:36 PM
---> userAccountControl            : 66048
---> msds-SupportedEncryptionTypes : 8
---> pwdLastSet                    : 10/14/2021 9:30:37 PM
---> lastLogon                     : 1/15/2022 12:29:36 PM

C:\>KerberOPSEC.exe -GetSPN "CN=SQLUser,OU=IT,OU=USERS,DC=contoso,DC=local" "MSSQLSvc/SQLSRV:1433"

$krb5tgs$23$*sqluser$contoso.local$MSSQLSvc/SQLSRV:1433*$9d0795ce5c11fdfd74c31681068e5062$375d95c5fc64900cf57357a7bb05c476f185310e7f74a390f4b1baa40fa0696ea4b19bc43685d1c3cd3f9ef6ff3e56941ed8dcc0a3b08beaf1045e6758b87b35125d2260fab495914c150f862994339b9b4f4afadead7380d942e3a858126dacb7d5098de6496f8c65c2af2e2b2347d4c41b7d95deb3eea43d80c28124849a395821bfd6240a3df6e00bb4ee1cb63c9c6d7696ae1647adc93b5c5f4a4ea0fa12438c41a8d425c50572dbc76993167f171fced8fd9f0acff087e2cc73a02766e8357e729e969e920e030edfa4427431e0f9fd4610ad466b92d558cf571b97144ceac31cdd47a34e04c8111bc093aec4473511f4add918faeb9325b04ece4cd4f646798471ce613e010fa91d9d1afef0f1cd35d13730d204a78f95b9174adfbcf3c897386ba244cda08ff794ae9afea5c0e9df8667f899e803a159f39e9b170b1ee946aca1954a156aabfb336f64c15f25b5178aebf3e8ad2b3ae7c93bab8fc5e73bb939785416891a427999275c54907f4ce3d4e5f0ba3e8a3d58a9b7f258e25694299f82d665e267eb1bf93ca264bfcd83f7ae0df2346ab294fa56bda607ed06e45af81fd72634a325d87b6853f3cc3b88cc3f292bfc34b2d88a1e91a404d9278c1276ea9ea9efb20b52cef6a5c1fe7ca405b7659aabbb842ba780ec0666b96253aaec19e2bba5209b586f87f8f477890dfbd76ed5d29bc4294301f13b326b98acdc33720bbde633e36c82893b7fbe8501bd155a321f421b94f6260f8a593e9e2845e731ae2cedc2d62e4025b7ee4dc4011cacd5cf6d2ef009b49745ebb9a77b0fef9656f2cfbdf4b3fe62eabcc9cd51d681bfb1fd2495ac9b953b13e295841783811d1d836286bd77632783d4594ad82eb0ba71f62768c6f29c5916ec723d57b6f783e94df45238e44ce18494351bb4fdd4e2a87a2fc054a584931d2a4ceab6c81113d0d1e60c5ed793f1e88dce85fabe778ee88935f16ae5e0836437b2e5ec8e77b4be3f6955d91713455a4f1c6bea70e04b5746f21b40ae40b1fe3ee125ae712a6921b31f2fd22a47db6a9a3c06d21a3f553aeddfda5112a7e06069e15f57d577d84860c1dbd342d6a57d8e04c70b8da20a98d801436504e9fdcc462dd632a9d43337bac339ebda53c99768ecd6cb6af67d781fd9c108f31b0d255e43d67c2addf1521974ee896400e76be01c968df0b508b31cc4e234d135787d3f2f6f5b2f6a93093c0e4fd41a764af277c42ff63a4367c9e93f9aa711d516a63d87005afd8c36e10e0b5318415a6625163825a701094a71132b69068e21b89042a5ca6dc7f0767f3f5cb8a26959873a90b0832b822d6ecedfa676337d8f945f749cff07981cd63e75990812ecf667ce0ffedd4cc5f96240df552fa0c8f735755b47a351e4c18c79fa8131176ebad3ab2bf22aeda4b285837c7cc7edb05dc3189549753c08a0287cea42d7bd6e7d20710a29aecaf78abb8f63389a5070609691

References

Microsoft 365 Security: Kerberoast With OPSEC
Stack Overflow: Difference between PrincipalSearcher and DirectorySearcher
Stack Overflow: Active Directory - PropertiesToLoad get all properties
GhostPack: SharpRoast GhostPack: Rubeus

About

OPSEC safe Kerberoasting in C#

Resources

Readme

License

GPL-3.0 license
Activity

Stars

187 stars

Watchers

3 watching

Forks

21 forks
Report repository

Releases 3

KerberOPSEC v1.2 Latest
May 11, 2022
+ 2 releases

Packages

No packages published

Languages