Skill

performing-kerberoasting-attack

Guides Kerberoasting attacks on Active Directory: enumerates SPNs, requests TGS tickets, cracks offline with hashcat, validates credentials. For authorized red-teaming.

Python

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Performing Kerberoasting Attack

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Overview

Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs) set. These tickets are encrypted with the service account's NTLM hash, allowing offline brute-force cracking without generating failed login events. It is one of the most common privilege escalation paths in AD environments because any domain user can request TGS tickets.

When to Use

When conducting security assessments that involve performing kerberoasting attack
When following incident response procedures for related security events
When performing scheduled security testing or auditing activities
When validating security controls through hands-on testing

Prerequisites

Familiarity with red teaming concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities

MITRE ATT&CK Mapping

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1087.002 - Account Discovery: Domain Account
T1069.002 - Permission Groups Discovery: Domain Groups

Workflow

Phase 1: SPN Enumeration

Enumerate accounts with SPNs using LDAP queries
Filter for user accounts (not computer accounts)
Identify accounts with elevated privileges (adminCount=1)
Prioritize accounts with weak password policies

Phase 2: TGS Ticket Request

Request TGS tickets for identified SPN accounts
Extract ticket data in crackable format (hashcat/john compatible)
Ensure RC4 encryption is requested when possible (easier to crack)
Document all requested tickets

Phase 3: Offline Cracking

Use hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) for RC4 tickets
Use hashcat mode 19700 (Kerberos 5 TGS-REP etype 17) for AES-128
Use hashcat mode 19800 (Kerberos 5 TGS-REP etype 18) for AES-256
Apply targeted wordlists and rules based on password policy

Phase 4: Credential Validation

Validate cracked credentials against domain
Assess access level of compromised accounts
Map accounts to BloodHound attack paths
Document for engagement report

Tools and Resources

Tool	Purpose	Platform
Rubeus	Kerberoasting and ticket manipulation	Windows (.NET)
Impacket GetUserSPNs.py	Remote Kerberoasting	Linux/Python
PowerView	SPN enumeration	Windows (PowerShell)
hashcat	Offline password cracking	Cross-platform
John the Ripper	Offline password cracking	Cross-platform

Detection Indicators

Event ID 4769: Kerberos Service Ticket Request with RC4 encryption (0x17)
Anomalous TGS requests from a single account in short timeframe
TGS requests for services the user normally does not access
Honeypot SPN accounts with alerting on ticket requests

Validation Criteria

SPN accounts enumerated and documented
TGS tickets extracted in crackable format
Offline cracking attempted with appropriate wordlists
Cracked credentials validated
Access level of compromised accounts assessed