NTDS - ntds.dit which contain credentials for all user
NTDS
SYSVOL - Group policy preference which contain credential on group.xml file
Group Policy
USER, GROUP, OU AND CU
USER AND COMPUTER
GROUP - SALES
OU - US
CU- DEFAULT IN MOST CASE
1- KDC
2- TGT & TGS
3- SPN
GETUSERSPN HTB.LOCAL/USERNAME:PASSWORD -REQUEST -----------THIS WILL GIVE THE NTLM HASH FOR THE SERVICE ACCOUNT WE CAN CRACK IT ONLINE
step 1-: Perform kerberosting attack gain the password
step 2-: Get ntlm hash for the service which we wanna compromise
step 3-: Perform silver ticket attack.
dump ntds.dit file using secretdump.py to get all hashes
use krbtgt ntlm hash to impersonate whatever user you want.