GET a TGS on behalf of another user without password
Scenario: you are Local Administrator and there is a logged User you want to Impersonate! Goal: From Local Admin to Domain Admin with Kerberos TGS Required: Local Administrator and a Domain Admin Logged (or Disconnected). In this guide the Domain Admin User is CALIPENDULA\fagiolo
-
ask to GIUDA for a shell as SYSTEM
-
GIUDA -runaslsass or
-
GIUDA -runaspid:PID (a NT AUTHORITY\SYSTEM's PID, enumerate by yourself)
-
ask to GIUDA to show ALL Logged User's LUID
-
GIUDA -askluids
-
take the LUID that you want to impersonate and ask GIUDA to get the msdsspn that you want
-
use PSSession to log on the Domain Controller
Thank you to ewan22, he does a very powerful set of Pascal Units for AD