kerberoasting

3. Kerberoasting harvesting TGS for services running on behalf of user accounts TGS tickets to be cracked to retrieve user password requires domain account allowed to request TGS; typically any domain account since no special privileges required LDAP query to retrieve user accounts with associated services: (&(samAccountType=805306368)(servicePrincipalName=*)) first parameter: request user accounts ONLY (no computer accounts) second parameter: filter by accounts with at least 1 service Tools: impacket’s GetUserSPNs.py (Linux), Rubeus (Windows) Linux GetUserSPNs....