Skip to content
All Skills

Exploiting Kerberoasting With Impacket

Perform Kerberoasting attacks using Impacket's GetUserSPNs to extract and crack Kerberos TGS tickets for Active Directory service accounts.

Security & Compliance|v1|Updated 7/2/2026|GitHub source
MCP get_skill({ skillId: "exploiting-kerberoasting-with-impacket-ef857459" })

Use this skill with your agent

Create a free account and connect via MCP

Get Started Free
# Exploiting Kerberoasting with Impacket

## Overview

Kerberoasting (MITRE ATT&CK T1558.003) is a credential access technique that targets Active Directory service accounts by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs). The TGS ticket is encrypted with the service account's NTLM hash (RC4 or AES), enabling offline brute-force cracking. Impacket's `GetUserSPNs.py` is the standard tool for Linux-based Kerberoasting attacks.


## When to Use

- When performing authorized security testing that involves exploiting kerberoasting with impacket
- When analyzing malware samples or attack artifacts in a controlled environment
- When conducting red team exercises or penetration testing engagements
- When building detection capabilities based on offensive technique understanding

## Prerequisites

- Valid domain credentials (any domain user can request TGS tickets)
- Network access to a Domain Controller (TCP/88 Kerberos, TCP/389 LDAP)
- Impacket installed (`pip install impacket`)
- Hashcat or John the Ripper for offline cracking
- Wordlist (e.g., rockyou.txt, SecLists)


> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

## MITRE ATT&CK Mapping

| Technique ID | Name | Tactic |
|---|---|---|
| T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | Credential Access |
| T1087.002 | Account Discovery: Domain Account | Discovery |
| T1110.002 | Brute Force: Password Cracking | Credential Access |

## Step 1: Enumerate Kerberoastable Accounts

```bash
# List all user accounts with SPNs (without requesting tickets)
GetUserSPNs.py corp.local/jsmith:Password123 -dc-ip 10.10.10.1

# Output example:
# ServicePrincipalName          Name        MemberOf                          PasswordLastSet
# ----------------------------  ----------  --------------------------------  -------------------
# MSSQLSvc/SQL01.corp.local     svc_sql     CN=Domain Admins,CN=Users,...     2023-01-15 10:30:22
# HTTP/web01.corp.local         svc_web     CN=Web Admins,CN=Users,...        2024-03-20 14:15:00
# HOST/backup01.corp.local      svc_backup  CN=Backup Operators,CN=Users,...  2022-06-01 08:45:10
```

## Step 2: Request TGS Tickets

```bash

Continue reading

Sign up for a free account to view the full skill content

Login / Register
#mukul-cybersecurity-skills#security#cybersecurity#active#directorypythonpipimpackethashcatjohn-the-ripper
Exploiting Kerberoasting With Impacket - AgentArmory Skill — AgentArmory