Kerberoasting

🧠 What’s the Deal?

Give us the lowdown — what is this attack and why should anyone care?

When client requests service tickets to DC in order to access resource hosted by SPN, No ckecks are performed on DC to provide service ticket are encrypted using SPN's password hash. We get the ticket & bruteforce the password hash hence it is called Kerberosting.

🎯 What’s the Big Win?

What’s the attacker trying to pull off here?

Gain unauthorized access
Extract sensitive data
Escalate privileges
Lateral movement across the network

🧰 Gear Up (Prereqs)

Don’t go in empty-handed. What do you need beforehand?

Access to an account
the information of the SPN that you want to attack
If you have permissions Generic all, generic write on another AD user account then setup the SPN for them.
Tools (inpacket-getnpuser(Kali), rubeus.exe(windows))

🚀 Launch Sequence (How-To)

Here’s how the magic happens — step by step.

# When performing attack from kali linux:
1. sudo impacket-getuserSPN -request --dc-ip $IP domain.com/user
2. crack the hash using hashcat

# When performing the attack using windows:
rubeus.exe kerberost /outfile:hasehs.kerberost
Craft payload: ' OR '1'='1
Send request and observe results

🧠 What’s the Deal?​

🎯 What’s the Big Win?​

🧰 Gear Up (Prereqs)​

🚀 Launch Sequence (How-To)​

🧠 What’s the Deal?

🎯 What’s the Big Win?

🧰 Gear Up (Prereqs)

🚀 Launch Sequence (How-To)