Kerberoasting (Invoke-RubeusKerberoast)

Description

Performs Kerberoasting to extract TGS ticket hashes for offline cracking.

Overview

Performs Kerberoasting by requesting TGS tickets for accounts with registered SPNs. The encrypted ticket data can be cracked offline to recover service account passwords. Supports filtering by SPN, user, OU, and various other criteria.

Arguments

Parameter      Type     Description
SPN            string   A specific SPN to Kerberoast.
User           string   A specific user to Kerberoast.
Domain         string   The target domain. Defaults to the current domain.
DC             string   The domain controller to target.
OU             string   The OU to search within.
CredUser       string   Alternate credentials username for LDAP queries.
CredPassword   string   Alternate credentials password for LDAP queries.
Stats          switch   Display statistics only, do not extract tickets.
AES            switch   Request AES encrypted tickets.

Additional Parameters

  • Ticket: Existing TGT to use for requests.
  • LdapFilter: Custom LDAP filter.
  • PwdSetAfter: Filter accounts with password set after this date.
  • PwdSetBefore: Filter accounts with password set before this date.
  • ResultLimit: Maximum number of results.
  • Delay: Delay in milliseconds between requests.
  • Jitter: Jitter percentage for delay randomization.
  • Simple: Use simplified output format.
  • RC4Opsec: Use RC4 opsec-safe method.
  • UseTGTDeleg: Use TGT delegation trick.
  • Enterprise: Use enterprise principal names.
  • Ldaps: Use LDAPS.
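
A defender-side view of the request pattern described above, as an added example that is not part of the original page or of the tool: it scans Windows Security event 4769 (Kerberos service ticket requested) records for one account requesting tickets to many distinct user-backed services. The sample events, account names, window and threshold are constructed assumptions; the count ignores the cipher because the AES switch removes the RC4 signal, and the window is wide because Delay and Jitter spread the requests out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC in Security event 4769

# Constructed 4769 records: (time, requesting account, ServiceName, encryption type).
EVENTS = [
    ("2024-05-01T09:58:00", "alice@CORP.EXAMPLE", "FILESRV01$", 0x12),
    ("2024-05-01T09:59:00", "alice@CORP.EXAMPLE", "krbtgt", 0x12),
    ("2024-05-01T10:01:00", "alice@CORP.EXAMPLE", "svc_sql", 0x12),
    ("2024-05-01T10:20:00", "alice@CORP.EXAMPLE", "svc_web", 0x12),
    ("2024-05-01T10:00:00", "bob@CORP.EXAMPLE", "svc_sql", 0x17),
    ("2024-05-01T10:03:10", "bob@CORP.EXAMPLE", "svc_web", 0x17),
    ("2024-05-01T10:07:45", "bob@CORP.EXAMPLE", "svc_backup", 0x17),
    ("2024-05-01T10:11:20", "bob@CORP.EXAMPLE", "svc_report", 0x17),
    ("2024-05-01T10:14:05", "bob@CORP.EXAMPLE", "svc_ci", 0x17),
    ("2024-05-01T11:00:00", "carol@CORP.EXAMPLE", "svc_sql", 0x12),
    ("2024-05-01T11:05:00", "carol@CORP.EXAMPLE", "svc_web", 0x12),
    ("2024-05-01T11:09:00", "carol@CORP.EXAMPLE", "svc_backup", 0x12),
    ("2024-05-01T11:16:00", "carol@CORP.EXAMPLE", "svc_report", 0x12),
]


def find_roasting(events, window=timedelta(minutes=30), min_services=4):
    """Flag requesters that asked for tickets to >= min_services distinct
    user-backed services inside one sliding window, whatever the cipher."""
    per_user = defaultdict(list)
    for ts, requester, service, etype in events:
        # Machine accounts ($) and krbtgt are routine traffic; the technique
        # targets user accounts with registered SPNs.
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        per_user[requester].append((datetime.fromisoformat(ts), service, etype))
    findings = {}
    for requester, rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            services = {svc for _, svc, _ in span}
            best = findings.get(requester, {"services": 0})
            if len(services) >= min_services and len(services) > best["services"]:
                rc4 = sum(1 for _, _, etype in span if etype == RC4_HMAC)
                findings[requester] = {"services": len(services), "rc4": rc4}
    return findings
```

The `rc4` count is reported as supporting evidence only: a non-zero value in a domain that otherwise issues AES tickets raises the priority of the finding.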

Dependencies

  • AD

Operating Systems

  • Windows