Kerberoasting


Introduction

Kerberoasting targets Active Directory service accounts, that is, accounts that have one or more SPNs (Service Principal Names) registered. Any authenticated domain user can ask the KDC's Ticket Granting Service (TGS) for a service ticket for any SPN, and the KDC hands it out without checking whether the requester is actually allowed to use that service.

The service ticket is encrypted with a key derived from the service account's password: the NT hash for RC4 (etype 23), or a PBKDF2-derived key for AES (etype 17/18). The attacker therefore never has to touch the service itself. The ticket is taken offline and candidate passwords are tried against it until one decrypts it and the embedded checksum verifies.

The attack takes three steps:

  1. The attacker, using any valid domain credentials, sends a TGS-REQ to the KDC for the SPN of the target account.

  2. The KDC answers with a TGS-REP that contains the service ticket, encrypted with the service account's key.

  3. The attacker cracks the ticket offline to recover the service account's cleartext password.

Machine accounts also have SPNs, but they use long random passwords, so the worthwhile targets are user accounts with an SPN set. Every request is logged on the DC as event ID 4769; a burst of RC4 (etype 0x17) requests for many different SPNs from one host is a common detection.

Performing the attack

Impacket

Run from a Linux host with any valid domain credentials. -request asks the KDC for a ticket for every account that has an SPN and prints the result in hashcat/John format; add -outputfile <file> to save it to disk:

impacket-GetUserSPNs -request -dc-ip <dc_ip> <domain>/<username>

Rubeus

Run from a domain-joined Windows host in the context of a domain user (Rubeus uses the current logon session, so no password has to be supplied). /outfile writes the collected hashes to a file:

.\Rubeus.exe kerberoast /outfile:<outputfile>

Crack

Mode 13100 is for RC4 (etype 23) tickets. If the account only has AES keys, the ticket will be etype 17 or 18 and needs mode 19600 or 19700 instead, and it cracks considerably slower because the key is derived with PBKDF2. John the Ripper reads the same lines with --format=krb5tgs.

hashcat -m 13100 <hashes_file> <wordlist>

Diagram (image not captured): the attacker sends a TGS-REQ for the target SPN to the KDC and receives a TGS-REP containing the service ticket encrypted with the service account's key.