Overview
Kerberoasting requests TGS tickets for service accounts (accounts with SPNs), then cracks them offline. Any domain user can request TGS tickets — no special privileges needed.Find Service Accounts (SPNs)
PowerShell (No Tools)
PowerView
Request TGS Tickets
PowerShell (No Tools)
Rubeus
Impacket (Remote from Linux)
Extract from Memory
Mimikatz
.kirbi files. Convert to hashcat format:
Crack TGS Hashes
Hashcat
John
Post-Exploitation
Cracked service account password → check privileges:Quick Reference
| Tool | Where | Notes |
|---|---|---|
setspn | Target (Windows) | Built-in, no download |
| Rubeus | Target (Windows) | Most features, .NET |
| GetUserSPNs | Attacker (Linux) | Remote, needs creds |
| Mimikatz | Target (Windows) | Export from memory |