Kerberos

Quick Reference Attack Tool Hashcat Mode Requirement AS-REP Roasting GetNPUsers.py / kerbrute -m 18200 DONT_REQ_PREAUTH flag set Kerberoasting GetUserSPNs.py -m 13100 (RC4) / -m 19700 (AES) Valid domain user + SPN exists Pass-the-Ticket getTGT.py + impacket N/A Valid credentials or hash Overpass-the-Hash getTGT.py -aesKey N/A AES256 key for user Kerbrute userenum kerbrute N/A Network access to DC on port 88 Ticket conversion ticket_converter.py N/A Existing .kirbi or .ccache AS-REP Roasting AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH flag set in userAccountControl). The KDC returns an AS-REP containing a portion encrypted with the user’s hash — no prior authentication required, making it requestable by anyone. ...

Quick Reference Attack Tool Prerequisite Output Kerberoasting Rubeus, PowerView Domain user, SPN exists RC4/AES hash → offline crack AS-REP Roasting Rubeus Domain user, pre-auth disabled on target AS-REP hash → offline crack Pass-the-Ticket Rubeus, Mimikatz Valid .kirbi or base64 ticket Ticket injected into session Overpass-the-Hash Mimikatz, Rubeus NTLM or AES hash TGT obtained, ticket injected Pass-the-Key Mimikatz AES256 hash TGT obtained via AES pre-auth Ticket Extraction Rubeus, Mimikatz Local admin (for other users’ tickets) .kirbi files / base64 tickets TGT Delegation Rubeus tgtdeleg Domain user, no local admin needed Usable TGT Ticket Harvesting Rubeus harvest/monitor Local admin Ongoing TGT collection Unconstrained Delegation Abuse Rubeus monitor + coerce Local admin on delegation host Victim TGT captured Hashcat Cracking Modes Reference Mode Hash Type Attack Context 13100 Kerberoast — RC4 (TGS-REP) Kerberoasting with /rc4opsec 19600 Kerberoast — AES128 (TGS-REP) Kerberoasting with /aes 19700 Kerberoast — AES256 (TGS-REP) Kerberoasting with /aes 18200 AS-REP — RC4 (krb5asrep) AS-REP Roasting 17200 DPAPI masterkey Seatbelt / Mimikatz DPAPI 1000 NTLM Pass-the-Hash, secretsdump output 5600 NTLMv2 (Net-NTLMv2) Responder / NTLM relay capture 7500 Kerberos 5 AS-REQ (etype 23) Pre-auth brute force 3000 LM Legacy — rarely seen Kerberoasting Kerberoasting requests Kerberos service tickets (TGS-REP) for accounts with a Service Principal Name (SPN) set. The ticket is encrypted with the service account’s password hash, enabling offline cracking. ...

Quick Reference Attack Tool Required Privileges Unconstrained Delegation Abuse impacket, Responder, coercion tools Compromise of delegated host Constrained Delegation (KCD) getST.py Control of account with KCD configured RBCD Setup + Abuse addcomputer.py, rbcd.py, getST.py GenericWrite or WriteDACL on target computer Shadow Credentials pywhisker.py, getnthash.py WriteProperty on msDS-KeyCredentialLink Coerce Authentication (PetitPotam) PetitPotam.py Valid domain credentials Coerce Authentication (PrinterBug) printerbug.py Valid domain credentials Delegation Overview Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. There are three types, each with different risk profiles and abuse paths. ...

Delegation Attacks — From Windows Kerberos delegation allows services to impersonate users when accessing downstream resources on their behalf. Misconfigured delegation is one of the most reliable paths to domain compromise from a low-privilege Windows foothold. This guide covers all four major delegation attack classes — Unconstrained, Constrained (KCD), Resource-Based Constrained Delegation (RBCD), and Shadow Credentials — with full PowerShell and command-line tradecraft. Quick Reference Table Attack Primary Tool Required Privilege Unconstrained Delegation Rubeus monitor + coercion Local Admin on delegating host Constrained Delegation Rubeus s4u Service account creds or hash RBCD PowerMad + PowerView + Rubeus GenericWrite or WriteDACL on target computer object Shadow Credentials Whisker + Rubeus WriteProperty on msDS-KeyCredentialLink 1. Delegation Concepts 1.1 Why Delegation Exists Kerberos delegation was introduced to solve the “double-hop” problem: when a front-end web service needs to authenticate to a back-end SQL server using the identity of the connecting user, it needs the ability to forward or impersonate that user’s credentials downstream. Three delegation mechanisms exist in Active Directory, each with different security boundaries and abuse surfaces. ...