Service Account Attacks (Example Path)
Make sure you have a stable shell. This is to ensure we can run mimikatz on the machine.
Transfer the nc file and execute the following, with nc listening on Kali.
2. Go through the enumeration methods and see if there are any service accounts.
An SPN is a unique name for a service instance on a host, used to associate that service with an Active Directory service account.
Enumerate SPNs to obtain the hostname (and from it the IP address) and port number of applications running on servers integrated with Active Directory.
Query the Domain Controller in search of SPNs.
SPN examples:
- CIFS/MYCOMPUTER$ - file share access.
- LDAP/MYCOMPUTER$ - querying AD info via LDAP.
- HTTP/MYCOMPUTER$ - web services such as IIS.
- MSSQLSvc/MYCOMPUTER$ - MSSQL.
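The SPN strings above all follow the same `serviceclass/host[:port][/servicename]` layout, and the host component is what the nslookup step below resolves. The following added example (not code from the original page) parses that layout, maps the service classes listed above to what they mean, and separates machine accounts (names ending in `$`) from user-object service accounts, which are the "service accounts" step 2 tells you to look for. The sample account list is constructed for illustration.

```python
"""Parse SPN strings and list which accounts carry them (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Meaning of the service classes from the examples above, keyed case-insensitively.
SERVICE_CLASS_MEANING = {
    "cifs": "file share access (SMB)",
    "ldap": "querying AD info via LDAP",
    "http": "web services such as IIS",
    "mssqlsvc": "Microsoft SQL Server",
}


@dataclass
class SPN:
    service_class: str
    host: str
    port: Optional[int]
    service_name: Optional[str]
    raw: str

    @property
    def meaning(self) -> str:
        return SERVICE_CLASS_MEANING.get(self.service_class.lower(), "unknown service class")

    @property
    def lookup_name(self) -> str:
        # The host component is what you resolve with nslookup; a trailing '$'
        # (as in the shorthand examples above) is not part of a DNS name.
        return self.host.rstrip("$")


def parse_spn(raw: str) -> SPN:
    """Split serviceclass/host[:port][/servicename] into its parts."""
    parts = raw.split("/")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"not an SPN: {raw!r}")
    service_class, hostpart = parts[0], parts[1]
    service_name = parts[2] if len(parts) > 2 else None
    host, port = hostpart, None
    if ":" in hostpart:
        host, suffix = hostpart.rsplit(":", 1)
        if suffix.isdigit():
            port = int(suffix)
        elif service_name is None:
            # MSSQLSvc SPNs may carry an instance name instead of a port number.
            service_name = suffix
    return SPN(service_class, host, port, service_name, raw)


# Constructed sample: (sAMAccountName, registered SPNs). Not real directory data.
SAMPLE_ACCOUNTS: List[Tuple[str, List[str]]] = [
    ("MYCOMPUTER$", ["CIFS/MYCOMPUTER$", "LDAP/MYCOMPUTER$"]),
    ("svc_sql", ["MSSQLSvc/sql01.corp.local:1433"]),
    ("svc_web", ["HTTP/web01.corp.local", "HTTP/web01"]),
    ("jdoe", []),
]


def user_service_accounts(accounts: Iterable[Tuple[str, List[str]]]) -> List[str]:
    """Accounts that are user objects (no trailing '$') and have at least one SPN.
    From the defender's side, these are the accounts whose password strength matters
    most, because a service ticket encrypted with their key can be cracked offline."""
    return [name for name, spns in accounts if spns and not name.endswith("$")]


def describe(accounts: Iterable[Tuple[str, List[str]]]) -> List[str]:
    lines = []
    for name, spns in accounts:
        for spn in map(parse_spn, spns):
            port = f":{spn.port}" if spn.port else ""
            lines.append(f"{name}: {spn.service_class} on {spn.lookup_name}{port} ({spn.meaning})")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_ACCOUNTS)))
    print("user-object service accounts:", user_service_accounts(SAMPLE_ACCOUNTS))
```

`describe()` gives you the hostnames to resolve next; `user_service_accounts()` is the list an AD admin should review for long random passwords, AES-only encryption types, or migration to group Managed Service Accounts.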
Perform `nslookup` of the service hostname to see if there is an entry point here.
Automated SPN enum scripts:
Take note of the account name you found!
3. Transfer mimikatz.exe to the host and run it. (Sometimes the mimikatz version matters: try 2.2.0 if one doesn't work.)
3. Use the SPN to dump the Kerberos tickets
If we know the `serviceprincipalname` value from prior AD enumeration, we can target the SPN by requesting a service ticket for it from the Domain Controller and access resources from the service with our own ticket.
It's important to take note of the "SAMAccountName", which we will use as the username at the next stage when we try to log in to the account via evil-winrm.
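The service-ticket request described above is exactly what a domain controller records as Security Event ID 4769, so this is the point where a defender can see the technique. The following added example (not from the original page) runs simple detection logic over constructed 4769 records: it flags successful ticket requests for user-object service accounts where the ticket was issued with RC4 (`TicketEncryptionType` 0x17, the type an offline cracker prefers) and flags source addresses that request tickets for several different service accounts within a short window. Field names follow the 4769 event schema; the sample values are made up.

```python
"""Flag Kerberos service-ticket requests that look like offline-cracking
collection in Event ID 4769 records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES128 is 0x11, AES256 is 0x12

# Constructed sample 4769 records (not real logs). TargetUserName is the
# requesting principal; ServiceName is the account the ticket was issued for.
SAMPLE_4769: List[Dict] = [
    {"TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": 0x12, "IpAddress": "10.10.14.7", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.7", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.7", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.7", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T11:30:00", "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x12, "IpAddress": "10.10.20.5", "Status": "0x0"},
    {"TimeCreated": "2024-05-01T11:31:00", "TargetUserName": "WS02$@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": 0x17, "IpAddress": "10.10.20.9", "Status": "0x0"},
]


def is_user_service_account(service_name: str) -> bool:
    """Tickets for machine accounts ('$') and krbtgt are routine; user-object
    service accounts are the ones whose password can be cracked offline."""
    name = service_name.split("@")[0]
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_ticket_requests(events: List[Dict]) -> List[Dict]:
    """Successful TGS requests for user-object service accounts issued with RC4."""
    return [
        e for e in events
        if e["Status"] == "0x0"
        and e["TicketEncryptionType"] == RC4_HMAC
        and is_user_service_account(e["ServiceName"])
    ]


def burst_requesters(events: List[Dict], window: timedelta = timedelta(minutes=5),
                     threshold: int = 3) -> Set[str]:
    """Source IPs that requested tickets for >= threshold distinct user-object
    service accounts within one window, regardless of encryption type."""
    by_ip: Dict[str, List] = defaultdict(list)
    for e in events:
        if is_user_service_account(e["ServiceName"]):
            by_ip[e["IpAddress"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    flagged: Set[str] = set()
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            names = {n for t, n in reqs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    for e in rc4_service_ticket_requests(SAMPLE_4769):
        print(f"RC4 ticket for {e['ServiceName']} requested by {e['TargetUserName']} from {e['IpAddress']}")
    print("burst requesters:", sorted(burst_requesters(SAMPLE_4769)))
```

The RC4 rule alone is noisy in domains where RC4 is still enabled for service accounts, so combine it with the burst rule; the corresponding hardening is to give accounts with SPNs long random passwords (or move them to group Managed Service Accounts) and to restrict them to AES, so that a captured ticket yields nothing to crack.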
Crack SPN hashes
After cracking the hashes, you can run