# Kerberoasting

The attack works against any account with a servicePrincipalName (SPN). By default any domain user can request a service ticket for such an account, and Kerberos grants it. The ticket is then held in memory, where it can be extracted and saved offline, and the resulting hash file can be cracked to recover the clear-text credentials.

Tim Medin presented a tool called Kerberoast at DerbyCon 2014 that cracks Kerberoast TGS tickets. He determined that possession of a TGS service ticket encrypted with RC4 provides the opportunity to take the ticket to a password-cracking computer (or cloud system) and attempt to crack the service account's password. How does this work? Since the TGS Kerberos ticket is encrypted with RC4, the service account's password hash is the key used to encrypt the ticket. The cracking system loops through candidate passwords, converts each to its NTLM hash, and attempts to open the TGS ticket with it. If the TGS ticket opens, we know both the clear-text password and the NTLM hash for the account.

**In Summary**

Kerberoasting abuses traits of the Kerberos protocol to harvest password hashes for Active Directory user accounts with servicePrincipalName (SPN) values (i.e. service accounts). Any user is allowed to request a ticket-granting service (TGS) ticket for any SPN, and parts of the TGS may be encrypted with RC4 using the password hash of the service account assigned the requested SPN as the key.

An adversary who can extract TGS tickets from memory, or capture them by sniffing network traffic, can extract the service account's password hash and attempt an offline brute-force attack to obtain the plaintext password.

**Attack**

The setup for this attack can be viewed [here](https://medium.com/@markmotig/kerberoasting-from-setup-to-cracking-3e8c980f26e8).

Now we will use a few methods to search for Kerberoastable users. This can be done as any domain user, since the attack relies on any domain user being able to request a ticket for an SPN account. First we verify our domain account:

![](/files/4DNHgv7DItueqcT6bp42)

I will use Rubeus to locate Kerberoastable users. An OPSEC consideration is the /stats parameter: it only searches for Kerberoastable users in the current domain without requesting a ticket from the DC.

`Rubeus kerberoast /stats`

![](/files/ZuodRSGqtE6rMktm27mj)

We can enumerate the specific users in the domain that are Kerberoastable; the following command lists users with a Service Principal Name.

`SharpView.exe Get-DomainUser -SPN`

![](/files/QX2yHZpn9vAMkPittkRU)

Now we can request the ticket for the user and choose the output format for our cracking tool, which in this case is hashcat.

`Rubeus kerberoast /domain:DominionCyber.local /user:jnovoa /nowrap`

![](/files/STjYGhzvltjzthvJhEkI)

With the hash available, we can crack the password offline using hashcat. Once the hash is on our cracking rig we attack it with wordlists; with this one we managed to recover the password using the RockYou wordlist with a ruleset.

`hashcat.exe -m 13100 -a 0 hashes wordlist`

![](/files/ygtLc40h8Vd0QKgDqsId)
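As an added defensive counterpart (not part of the original notes): every service ticket request above leaves a Security event 4769 on the DC, and the RC4 encryption type (0x17) that makes the ticket crackable is recorded in that event. The script below, run over constructed sample events whose field names mirror the 4769 XML fields and are assumed to be already parsed to integers, flags accounts that obtain several RC4 service tickets for user accounts in a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# 4769 "TicketEncryptionType" value (assumption: already parsed to an int).
RC4_HMAC = 0x17  # the only type Kerberoast can crack with an NTLM-derived key

# Constructed sample 4769 events; field names follow the event's XML fields.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "account": "jnovoa@DOMINIONCYBER.LOCAL",
     "service": "svc_sql", "etype": 0x17, "status": 0x0},
    {"time": "2024-05-01T09:00:06", "account": "jnovoa@DOMINIONCYBER.LOCAL",
     "service": "svc_http", "etype": 0x17, "status": 0x0},
    {"time": "2024-05-01T09:00:07", "account": "jnovoa@DOMINIONCYBER.LOCAL",
     "service": "svc_backup", "etype": 0x17, "status": 0x0},
    {"time": "2024-05-01T09:00:08", "account": "jnovoa@DOMINIONCYBER.LOCAL",
     "service": "WS01$", "etype": 0x17, "status": 0x0},  # computer account
    {"time": "2024-05-01T09:01:00", "account": "alice@DOMINIONCYBER.LOCAL",
     "service": "svc_sql", "etype": 0x17, "status": 0x0},  # one ticket: normal
    {"time": "2024-05-01T09:02:00", "account": "bob@DOMINIONCYBER.LOCAL",
     "service": "svc_http", "etype": 0x12, "status": 0x0},  # AES256: not roastable
    {"time": "2024-05-01T09:03:00", "account": "bob@DOMINIONCYBER.LOCAL",
     "service": "krbtgt", "etype": 0x17, "status": 0x0},  # TGT, not a service
]

def is_kerberoast_candidate(ev):
    """True if this 4769 granted an RC4 service ticket for a user account."""
    svc = ev["service"]
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False               # TGT traffic and machine accounts: skip
    if ev["status"] != 0x0:
        return False               # a failed request yields no ticket to crack
    return ev["etype"] == RC4_HMAC

def kerberoast_alerts(events, window=timedelta(minutes=5), threshold=3):
    """Map account -> sorted services for accounts that obtained `threshold`
    or more distinct RC4 service tickets inside any `window`-long span."""
    by_account = defaultdict(list)
    for ev in events:
        if is_kerberoast_candidate(ev):
            by_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            hit = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(hit) >= threshold:
                alerts[account] = sorted(hit)
                break
    return alerts
```

A single RC4 request can be legitimate (an older service still keyed to RC4), so the threshold is what separates a normal logon from a sweep; tune `window` and `threshold` to the environment.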
