Kerberoasting

Several tools can be utilized to perform the attack:

  • Impacket’s GetUserSPNs.py from a non-domain-joined Linux host.

  • A combination of the built-in setspn.exe Windows binary, PowerShell, and Mimikatz.

  • From Windows, utilizing tools such as PowerView, Rubeus, and other PowerShell scripts.

A prerequisite to performing Kerberoasting attacks is one of the following: domain user credentials (cleartext or just an NTLM hash if using Impacket), a shell in the context of a domain user, or an account such as SYSTEM. Once we have this level of access, we can start. We must also know which host in the domain is a Domain Controller so we can query it.
