A BOF tool to list all SPN enabled user/service accounts or request service tickets (TGS-REP) which can be cracked offline using HashCat.
- Make sure that Mingw-w64 (including mingw-w64-binutils) has been installed.
- Enter the SOURCE folder within the tool folder.
- Type "make" to compile the object files.
- Use Cobal Strike script manager to import the
Kerberoast.cnascript. - To use the TicketToHashcat.py script make sure that the python dependencies are installed using:
pip install -r requirements.txt
Running the tool is straightforward. Once you imported the CNA script using Cobalt Strike's Script Manager, they are available as Cobalt Strike commands that can be executed within a beacon. This tools supports the following commands:
- Kerberoast [list, list-no-aes, roast or roast-no-aes] [account <optional sAMAccountName filter (default all)>]
- The tool outputs the captured tickets between TICKET tags. To convert the ticket(s) to a Hashcat compatible hash type, make sure you copy the ticket(s) (including the <TICKET> </TICKET> tags) to a file and use the
TicketToHashcat.pyfile to convert the output. The TicketToHashcat.py script saves the tickets to aroastme-<#hash-type>.txtfile. - To crack the hashes within the file(s) use:
hashcat -m 13100for RC4 hashes,hashcat -m 19600for aes128 hashes orhashcat -m 19700for aes256 hashes.
- List SPN enabled accounts:
Kerberoast list - List SPN enabled accounts without AES encryption:
Kerberoast list-no-aes - Roast all SPN enabled accounts:
Kerberoast roast - Roast all SPN enabled accounts without AES encryption:
Kerberoast roast-no-aes - Roast specific accounts:
Kerberoast roast svc-test
Listing and roasting tickets without specifying a sAMAccountName filter is opsec unsafe. The servicePrincipalName=* search filter might trigger a LDAP Reconnaissance Activity alert (for example when using M365 Defender).
This BOF tool has been successfully compiled on Mac OSX systems and used on Windows 8.1+ (x64) systems. Compiling the BOF code should also work on other systems (Linux, Windows) that have the Mingw-w64 compiler installed.
This code is inspired by @cube0x0's BofRoast: https://github.com/cube0x0/BofRoast